Hi,
I want to delete my image file. I use a routing system in my project. It consists of the controller and method (function) name, and the data is passed. For example:
"http://localhost/MyProject/public/admin/index"

In the code above, admin is the controller name and index is the method name. I use this system to carry file information to delete.php.
<a class="dropdown-item" href="<?php echo $root ?>/public/delete/index/<?php echo $myrow['thumb'] ?>">Delete</a>


delete.php:

<?php
class Delete{

    public function index($file){

        $this->DeleteFile($file);
    }
    public function DeleteFile($file){
        
        if(file_exists("/MyProject/public/assets/img/$file")){

            unlink("/MyProject/public/assets/img/$file");
            unlink("/MyProject/public/assets/uploadThumb/$file");
        }else{

            echo "File not exists.";
        }
    }
}


The problem is that the file cannot be deleted, and it says that the file does not exist. My real file address is:
C:\xampp\htdocs\MyProject\public\assets\img\97c584dbaj.jpg

How can I solve this problem?

What I have tried:

<?php
class Delete{

    public function index($file){

        $this->DeleteFile($file);
    }
    public function DeleteFile($file){
        
        if(file_exists("/MyProject/public/assets/img/$file")){

            unlink("/MyProject/public/assets/img/$file");
            unlink("/MyProject/public/assets/uploadThumb/$file");
        }else{

            echo "File not exists.";
        }
    }
}
Updated 18-Oct-21 9:57am
Comments
Richard Deeming 19-Oct-21 4:22am
   
Nice Path Traversal vulnerability you've got there. I hope you're not fond of any of the files on your server!

You need to use the basename function to strip out any path component from the file name before you try to access it.

1 solution

Try using file_exists(realpath($fileName)); resp. unlink(realpath($fileName));
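
The basename() advice from the comment and the realpath() suggestion from the solution, combined in an added example that is not code from the original thread. It builds the paths from the script's own directory, because a leading "/MyProject/..." is resolved from the filesystem (drive) root rather than from htdocs, and it checks that the resolved path stays inside each image folder. Assumptions: delete.php sits in MyProject/public, and the $publicRoot parameter is hypothetical.

```php
<?php
// Added example, not code from the original thread.
// Assumption: this file lives in MyProject/public, so __DIR__ resolves to
// C:\xampp\htdocs\MyProject\public on the asker's machine.

class Delete
{
    // Folders that hold a copy of the image (taken from the question).
    private const DIRS = ['assets/img', 'assets/uploadThumb'];

    public function index($file)
    {
        foreach ($this->deleteFile(__DIR__, (string) $file) as $line) {
            echo $line, PHP_EOL;
        }
    }

    // $publicRoot is a hypothetical parameter so the method can be exercised
    // against any directory.
    public function deleteFile(string $publicRoot, string $file): array
    {
        // Drop every directory component: "../../config.php" -> "config.php".
        // Backslashes are normalised first so the result is the same on
        // Windows and Linux.
        $name = basename(str_replace('\\', '/', $file));
        if ($name === '' || $name === '.' || $name === '..') {
            return ['Invalid file name.'];
        }

        $log = [];
        foreach (self::DIRS as $dir) {
            $base = realpath($publicRoot . '/' . $dir);
            $path = $base === false
                ? false
                : realpath($base . DIRECTORY_SEPARATOR . $name);
            // realpath() returns false for a missing file and resolves
            // symlinks, so the prefix check confirms the target is still
            // inside $base before anything is deleted.
            if ($path === false || !is_file($path)
                || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
                $log[] = "$dir/$name: not found";
                continue;
            }
            $log[] = "$dir/$name: " . (unlink($path) ? 'deleted' : 'delete failed');
        }
        return $log;
    }
}
```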
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



