15

I'm looking for a way to delete a file from the server using PHP. Basically I have my files listed on a page in this manner:

<ul>
    <li><a href="delete_file.php?file=uploads/file_01.jpg">Delete File 01</a></li>
    <li><a href="delete_file.php?file=uploads/file_02.jpg">Delete File 02</a></li>
    <li><a href="delete_file.php?file=uploads/file_03.jpg">Delete File 03</a></li>
</ul>

The problem is I'm not sure how to get my delete_file.php file to work. I believe it needs to be something like this:

<?php 
    $path="uploads/file_01.jpg";
    if(unlink($path)) echo "File Deleted"; 
?>

...but I'm not sure how to get the $path to change to the file I had clicked on to delete.

Brian Tompsett - 汤莱恩

3 Answers

35

While you have to be incredibly careful with giving a user the ability to delete files, I'll give you enough rope to hang yourself.

Define a base directory that will contain any files that will be deleted:

$base_directory = '/home/myuser/';

Then delete the file

if(unlink($base_directory.$_GET['file']))
    echo "File Deleted.";
Patrick
  • Thanks for that. Worked a treat. You mean disallow directory browsing? –  Feb 10 '11 at 00:59
  • what if somebody passes this URL: `/delete_file.php?file=../../etc/passwd` – drudge Feb 10 '11 at 01:05
  • @user606263 no, jnpcl means to not allow someone to post `file=../../etc/apache2/apach2.conf` that would, given the right permissions, delete the configuration file for the web server part of your server – Patrick Feb 10 '11 at 01:06
  • @Patrick - gotcha. Shouldn't be an issue as the script can't be executed unless you're logged in as an administrator (me). –  Feb 10 '11 at 03:20
5
<?php
  $file_to_delete = $_GET['file'];
  if (is_file($file_to_delete)){
    echo (unlink($file_to_delete) ? "File Deleted" : "Problem deleting file";

  }
?>

I'm not going to lie, don't know a better way to sanitize the $_GET['file'] other than check if it's a file. If this isn't a valid way, experts please chime in. (Maybe follow the guidelines present in this SO topic?)

Community
Brad Christie
  • the amount of sanitizing that you would have to do to protect yourself would be ridiculous with this functionality given to any end-user. So I'll leave that to the OP :-) – Patrick Feb 10 '11 at 00:47
  • 4
    Clean it with [`basename()`](http://php.net/basename) to keep the person from entering something like `../../someotherfile`. – Jonah Feb 10 '11 at 01:06
  • Another small problem: you forgot `)` before the `;` on the line where the `echo` is, but everything else is fine – Jurijs Nesterovs Dec 06 '13 at 07:08
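
The containment that the comments above ask for (the `../../etc/passwd` case and the `basename()` suggestion), written out as an added example that is not code from any of the answers. `safe_delete()`, the temporary directory and the sample file names are assumptions made for the demonstration.

```php
<?php
// Added example: confine a user-supplied name to one directory before unlink().
// safe_delete() and all sample names below are hypothetical.
function safe_delete(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);                  // canonical base directory
    if ($base === false || strpos($requested, "\0") !== false) {
        return false;                            // no base dir, or NUL byte in input
    }
    // basename() drops every directory part: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // realpath() resolves symlinks and returns false if the file does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return false;
    }
    // Containment check: the resolved file must sit directly inside the base dir.
    if (dirname($real) !== $base) {
        return false;
    }
    return unlink($real);
}

// Constructed demo data in a throwaway directory.
$root = sys_get_temp_dir() . '/del_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/file_01.jpg", 'x');
file_put_contents("$root/secret.conf", 'x');
// A link inside uploads/ that points outside it (may be unavailable on Windows).
@symlink("$root/secret.conf", "$root/uploads/link.jpg");

$requests = ['uploads/file_01.jpg', '../secret.conf', '../../etc/passwd', 'link.jpg', '..'];
foreach ($requests as $req) {
    $ok = safe_delete("$root/uploads", $req);
    printf("%-22s %s\n", $req, $ok ? 'deleted' : 'refused');
}
echo 'secret.conf still present: ', var_export(file_exists("$root/secret.conf"), true), "\n";
```

In `delete_file.php` the call would take `$_GET['file']` as the second argument, after the administrator check the asker mentions.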
1

Sometimes you may want to create the path dynamically.

For example, I am using a CMS in different places; therefore, I should not use fixed definitions.

My project structure:

-myProject
|-admin
|--app
|---controllers
|-upload

$base_directory = dirname(__FILE__);
echo $base_directory; // '/home/myProject/public_html/admin/app/controllers'

This takes the path to the running PHP file.

My PHP file is in 'admin/app/controllers/'

But the uploaded file is in 'upload/'

We need to delete the unnecessary directories to get the correct path. The file is in the upload folder, so 'admin/app/controllers/' is unnecessary. So we remove this part.

// Strip the controller directories from the script's directory, then append the upload path
$path = str_replace('admin/app/controllers', '', $base_directory) . 'upload/myFile';
echo $path;  // '/home/myProject/public_html/upload/myFile'

Now we have the correct path and we can delete the file.

if (file_exists($path)){
    if(unlink($path)){
       echo "File deleted";
    }
}else{
     echo "File is not exists";
}
Tolga