0

I have a form which deletes a record from a MySQL database. This database contains the image/file name.

How do I add to the statement so that it also deletes the file in the website directory with the same image/file name?

```php
if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));

  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}
```

  • use `unlink(FILE_PATH)` – Parixit Apr 24 '15 at 13:28
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 24 '15 at 13:32
  • The answers below are correct but first you need to check the file_name var to remove any folder information like ../../ then add the path where the image should be, check if the image exists and finally use unlink to remove it – Dobromir Velev Apr 24 '15 at 13:32
  • I have an entire site setup with mysql_* functions. Any idea on a way of simply converting this?? – cedric rademan Apr 24 '15 at 13:37
  • you might start by introducing some DB independent wrapper functions and then replace it within the code. – Dobromir Velev Apr 24 '15 at 13:40

4 Answers

2

Use [`unlink($filename);`](http://php.net/manual/en/function.unlink.php).

You will probably want to get the filename from the database, and validate its existence. DO NOT blindly trust the user input.

Use [`file_exists($filename)`](http://php.net/manual/en/function.file-exists.php) to check if it exists.

So, your end logic should be something like:

  • if a filename is submitted, and it's not empty
  • then check the filename is in the database
  • then check the file exists
  • then delete the file
  • then delete the row from the database for the file

Something like:

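```php
if (isset($_POST['file_name']) && !empty($_POST['file_name'])) {
  mysql_select_db($database_attibfn, $attibfn);

  // Select the filename from the database instead of trusting the posted value
  $select = sprintf(
    "SELECT image_name FROM image_carousel WHERE image_name=%s",
    GetSQLValueString($_POST['file_name'], "text")
  );
  $result = mysql_query($select, $attibfn) or die(mysql_error());

  // mysql_query() returns a result resource, so fetch the row to get the name
  $row = mysql_fetch_assoc($result);
  $filename = $row ? $row['image_name'] : false;

  if (!$filename || !file_exists($filename)) {
    // Handle it! Throw an exception or something
  }

  unlink($filename);

  $deleteSQL = sprintf(
    "DELETE FROM image_carousel WHERE image_name=%s",
    GetSQLValueString($_POST['file_name'], "text")
  );

  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}
```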

Also, consider using PDO, or at the least - MySQLi.

http://php.net/manual/en/book.pdo.php

http://php.net/manual/en/book.mysqli.php

mysql_* functions are deprecated and being removed. They are insecure.

Seer
  • 1
    I would probably avoid using another query - mysql_affected_rows() after the delete query is a good enough indicator if there was such a record – Dobromir Velev Apr 24 '15 at 13:37
  • @Seer I have an entire site setup with mysql_* functions. Any idea on a way of simply converting this?? – cedric rademan Apr 24 '15 at 13:41
  • @dobromir-velev I don't quite get your answer! I'm still new to PHP – cedric rademan Apr 24 '15 at 13:43
  • @cedricrademan As suggested in a comment on your question, you could make a wrapper class that encapsulates the behaviour of the database (i.e. handles running queries, taking the parameters for queries, that sort of thing), and then use that instead. Gradually replace the mysql_* calls with your wrapper, then you can change your wrapper to use a different underlying technology, like PDO, or MySQLi – Seer Apr 24 '15 at 13:46
  • @cedricrademan you can create replacement functions like myquery($sql,$db) that just calls mysql_query($sql,$db), then replace all references to mysql_query with myquery and then you can easily change myquery to use PDO or mysqli to do the same thing. You should do this to all MySQL functions you use like mysql_fetch_row, mysql_connect etc – Dobromir Velev Apr 24 '15 at 13:46
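
The checks discussed in this answer and in the comments (strip folder information, use a prepared statement, let the affected-row count confirm the record, keep the path inside the image folder), as an added example that is not code from the thread. `deleteCarouselImage()` and `$imageDir` are assumed names, and an in-memory SQLite database with a temporary directory stands in for the site's MySQL connection and image folder.

```php
<?php
// Added example, not code from the thread. deleteCarouselImage() and $imageDir
// are assumed names; the table and column names come from the question.
function deleteCarouselImage(PDO $db, string $imageDir, string $postedName): bool
{
    // 1. Strip folder information such as "../../" from the posted value.
    $name = basename($postedName);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // 2. Prepared statement; the affected-row count confirms the record existed.
    $stmt = $db->prepare('DELETE FROM image_carousel WHERE image_name = ?');
    $stmt->execute([$name]);
    if ($stmt->rowCount() === 0) {
        return false;
    }

    // 3. Resolve the real path (false if the file is missing) and make sure it
    //    is still inside the image directory before unlinking.
    $base = realpath($imageDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path !== false && strpos($path, $base . DIRECTORY_SEPARATOR) === 0 && is_file($path)) {
        unlink($path);
    }
    return true;
}

// Constructed demo data: one image file and one matching table row.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'carousel_' . uniqid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'banner.jpg');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE image_carousel (image_name TEXT)');
$db->exec("INSERT INTO image_carousel VALUES ('banner.jpg')");

// Traversal attempt: basename() reduces it to a name that has no row.
var_dump(deleteCarouselImage($db, $dir, '../../etc/passwd'));
// Legitimate name: the row is deleted, then the file.
var_dump(deleteCarouselImage($db, $dir, 'banner.jpg'));
var_dump(file_exists($dir . DIRECTORY_SEPARATOR . 'banner.jpg'));
rmdir($dir);
```

With a MySQL connection, only the PDO DSN changes; the function body stays the same.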
0

Try this

```php
if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));
  // delete file
  unlink('<absolute path>/<filename>');
  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}
```

Hardeep Pandya
0
```php
if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));

  unlink('/path/to/your/image/folder/'.$_POST['file_name']);

  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}
```

Parixit
-1

Try to use the `unlink` function:

```php
unlink('/path/of/your/image/');
```

In your code:

```php
if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));

  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());

  unlink('/path/'.$_POST['file_name']); // remove the image
}
```

  • Where and how should I place it in my statement – cedric rademan Apr 24 '15 at 13:29
  • DO NOT trust user input blindly like this. It is a HUGE security vulnerability. If you followed this answer, you could realistically delete any file on the system this script is running on that the user running the script has permissions to delete. – Seer Apr 24 '15 at 13:39
  • I know, but he doesn't care about it for now, he wants to know WHERE to put that thing xD – Guilherme Ferreira Apr 24 '15 at 13:40