
I've come as far as this in my code:

<?php
include 'template/overall/header.php';?>
<div class="large-12 medium-12 columns">
<table width="60%" border="1" align="center">
<tr>
<th colspan="4"><label style="text-align: center"><b>Dina filer</b></label> <label style="text-align: center"><a href="ladda_fil.php"> Ladda upp en ny fil</a></label></th>
</tr>
<tr>
<td>Fil Namn</td>
<td>Fil Typ</td>
<td>Fil Storlek(KB)</td>
<td>Öppna</td>
<td>Radera</td>
</tr>
<?php
$sql="SELECT * FROM file LEFT JOIN users on userName";
$result_set=mysql_query($sql);
if($result_set === FALSE) { 
die(mysql_error()); // TODO: better error handling
}
while($row=mysql_fetch_array($result_set))
{
    ?>
    <form action="" method="POST">
        <tr>
        <td><?php echo $row['file'] ?></td>
        <td><?php echo $row['type'] ?></td>
        <td><?php echo $row['size'] ?></td>
        <td><a href="filer/mina_filer/<?php echo $row['file'] ?>" target="_blank">Öppna fil</a></td>
        <td style="text-align: center; padding-top: 10px"><input name="delete" type="checkbox"></td>
        </tr>
    <?php
}
?>
</table>
<input type="submit" class="button" value="Radera filer" style="float: right; margin-right: 20%; padding: 0.7%; color: black; font-style: italic; font-size: 80%">
</form>
</div>  
<?php
if (isset($_POST['delete'])) {
    $sql = "DELETE * FROM file WHERE";
    mysql_query($sql);
}
include 'template/overall/footer.php'; 
?>

Where do I go from here? This is a start to deleting from database but it's not working. I'm new to php and trying to figure this out. Any help is appreciated!

BriefHeart
  • There is a lot to learn, a good answer would take too long. Start by looking at [The manual - Dealing with forms](http://php.net/manual/en/tutorial.forms.php) – RiggsFolly Feb 09 '16 at 23:18
  • Be sure to read about [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection), among other problems. If you want to let users delete records, not to mention files, you need to do a *lot* of input checking and validation. – elixenide Feb 10 '16 at 05:26
  • Also, please [don't use `mysql_*`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1); the `mysql_*` functions are outdated, [deprecated](http://us3.php.net/manual/en/intro.mysql.php), and insecure. Use [`MySQLi`](http://us3.php.net/manual/en/book.mysqli.php) or [`PDO`](http://us3.php.net/manual/en/intro.pdo.php) instead. – elixenide Feb 10 '16 at 12:23

2 Answers


Using the unlink() function you can delete files from a folder.

Sample code:

    <?php
    // Look up the stored file name for the id passed in the URL
    $res=mysql_query("SELECT file FROM tbl_uploads WHERE id=".$_GET['remove_id']);
    $row=mysql_fetch_array($res);
    // Remove the database row, then the file itself
    mysql_query("DELETE FROM tbl_uploads WHERE id=".$_GET['remove_id']);
    unlink("folder/path/".$row['file']);
  • First write a select query to fetch the file from the database.
  • This code can work inside an if(isset($_GET[...])) condition.
  • After fetching the file, put the fetched file name into the unlink() function like above.

UPDATE:

For deleting a directory, you can use rmdir().

And this is helpful:

realpath — Returns canonicalized absolute pathname.

is_writable — Tells whether the filename is writable.

For SQL injection, we can use mysql_real_escape_string.

mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement. But this extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used.

Renjith V R
  • This code is wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). – elixenide Feb 10 '16 at 05:28
  • this is just sample code for deleting a file using unlink(). – Renjith V R Feb 10 '16 at 05:31
  • It's *bad* code for that purpose. OP doesn't know to write the SQL ("This is a start to deleting from database..."), but you have provided insecure SQL that will get OP's site hacked badly. Your "solution" opens up a new security hole and recommends use of a deprecated library. – elixenide Feb 10 '16 at 12:23

Like @RiggsFolly said, there is still a lot to learn. This answer will cover some of the concepts you are looking for. For starters, there are some security holes here. First, stop using mysql_* and instead use mysqli_*; also, you should use prepared statements to avoid SQL injection. And also check that the file belongs to the user, or else a user can enter any file_id in their POST or GET request and delete a file that is not theirs.

Let's take a look at how to do this.

list_file.php is where you list your files:

<?php
//list files
while($row=mysql_fetch_array($result_set))
{
    ?>
        <tr>
        <td><?php echo $row['file'] ?></td>
        <td><?php echo $row['type'] ?></td>
        <td><?php echo $row['size'] ?></td>
        <td><a href="filer/mina_filer/<?php echo $row['file'] ?>" target="_blank">Öppna fil</a></td>
        <!-- pass the row's id to the delete script; PHP must echo it inside the href -->
        <td style="text-align: center; padding-top: 10px"><a href="delete_file.php?file_delete=<?php echo $row['file_id'] ?>">Delete</a></td>
        </tr>
    <?php
}
?>

delete_file.php will look something like this:

    <?php
    session_start();                                  // needed before $_SESSION can be read
    $user_id = $_SESSION['user_id'];                  // user ID stored in session at time of login
    $conn = new mysqli($servername, $username, $password, $dbname); // connection settings defined elsewhere
    if (isset($_GET['file_delete'])) {
        $file_id = (int)$_GET['file_delete'];         // the id passed by the Delete link in list_file.php
        // Fetch the file name first, and only if the row belongs to the logged-in user
        // (assumes the file table has a user_id column). The question marks are
        // placeholders bound below, so no user input ends up in the SQL string.
        $stmt = $conn->prepare("SELECT file FROM file WHERE file_id = ? AND user_id = ? LIMIT 1");
        $stmt->bind_param("ii", $file_id, $user_id);  // i = integer
        $stmt->execute();
        $stmt->bind_result($file);
        $found = $stmt->fetch();
        $stmt->close();
        if ($found) {
            // DELETE takes no column list; limit it to 1 row as a safety net
            $stmt = $conn->prepare("DELETE FROM file WHERE file_id = ? AND user_id = ? LIMIT 1");
            $stmt->bind_param("ii", $file_id, $user_id);
            if ($stmt->execute()) {                   // delete the entry, then the file on disk
                unlink("folder/path/" . $file);
            } else {
                echo "Something went wrong!";
            }
            $stmt->close();
        } else {
            echo "Something went wrong!";             // no such file, or it is not yours
        }
    }
    ?>

You can take a look at prepared statements here.

Also, this `<a href="filer/mina_filer/<?php echo $row['file'] ?>" target="_blank">` is a bad idea. You can link to a download.php script instead, send it GET or POST parameters, and use the script to get the file instead of exposing the file directory. Take a look at this and see what a download script looks like.

Ikhlak S.
  • Hi. This is a site for only my closest friends that I trust so I don't worry too much about SQL injections but of course I should learn that. The user can only view the files they have uploaded themselves on this page so how could they delete anyone else's? How do I bind the values to this line: `$stmt->bind_param("ii", $result_set['file_id'], $user_id);` – BriefHeart Feb 10 '16 at 11:54
  • the `i` tells mysql it is an integer, `s` for string, `b` for blob and `d` for double. The rest of the parameters are the placeholder question marks you've placed. All parameters must be listed in order. A malicious person can just type a `file_id` that doesn't belong to him and run the script making the script delete someone else's file. – Ikhlak S. Feb 10 '16 at 13:14
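
As an added example (not code from the question or either answer), here is the download.php script the second answer mentions, built with the same ownership check as its delete script: the row is looked up by file_id and the session's user_id through bound parameters, and the stored name is resolved with realpath (which the first answer lists) and confined to the upload directory before it is sent. Assumed names: $conn and its $servername/$username/$password/$dbname settings, a user_id column on the file table, and the filer/mina_filer directory from the question.

```php
<?php
// download.php: added example, not code from the question or the answers above.
// Assumptions: the logged-in user's id is in $_SESSION['user_id'] (as in the answer),
// the file table has columns file_id, user_id and file, and $conn is a mysqli
// connection opened the same way as in delete_file.php.
session_start();
$conn = new mysqli($servername, $username, $password, $dbname); // connection settings defined elsewhere

// Resolve the upload directory once; everything served must stay inside it.
$uploadDir = realpath(__DIR__ . '/filer/mina_filer');            // the directory from the question
if ($uploadDir === false || !isset($_SESSION['user_id'], $_GET['file_id'])) {
    http_response_code(400);
    exit('Bad request');
}
$fileId = (int)$_GET['file_id'];
$userId = (int)$_SESSION['user_id'];

// Ownership check done in SQL with bound parameters: a file_id belonging to
// another user returns no row, and no user input is spliced into the query.
$stmt = $conn->prepare('SELECT file FROM file WHERE file_id = ? AND user_id = ? LIMIT 1');
$stmt->bind_param('ii', $fileId, $userId);
$stmt->execute();
$stmt->bind_result($storedName);
$found = $stmt->fetch();
$stmt->close();
if (!$found) {
    http_response_code(404);
    exit('No such file');
}

// Do not trust the stored name blindly: strip any directory part, resolve the
// result and confirm it still lies under $uploadDir before reading it.
$path = realpath($uploadDir . DIRECTORY_SEPARATOR . basename($storedName));
if ($path === false || !is_file($path) || strpos($path, $uploadDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such file');
}

header('Content-Type: application/octet-stream');   // download instead of rendering in the browser
header('Content-Disposition: attachment; filename="' . basename($storedName) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this in place the list page links to download.php?file_id=... instead of the directory path, so files are never reachable by guessing a name.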