
Okay, so I have an AJAX request that leads to a file called inc/ajax/del_images.php which deletes the image a user selected to delete.

Edit_post.php:


    <form class="form-control" action="" autocomplete="off" method="post" enctype="multipart/form-data">

    <!-- class instead of id: an id must be unique, so a repeated id="delete-img"
         would make $("#delete-img") bind the click handler to the first button only.
         type="button" stops the click from submitting the surrounding form. -->
    <img class="img" src="some url from database">
    <button type="button" class="delete-img" data-id="W12kwd2">Delete img</button>
    <img class="img" src="some url from database">
    <button type="button" class="delete-img" data-id="T93pm3P">Delete img</button>
    </form>

data-id is the ID of the img in the database table. The images and buttons are also generated from PHP, which I didn't include as it adds no value to the post.

Ajax on edit_post:

    // bind by class so every generated "Delete img" button gets the handler
    $(".delete-img").on('click', function() {
        $.ajax({
            url: 'inc/ajax/del_images.php',
            type: "POST",
            data: {
                img_id: $(this).attr("data-id")
            },
            cache: false,
            success: function(result) {
                console.log(result);
            }
        });
    });

Then in del_images.php:


    <?php
    session_start();

    if (isset($_POST['img_id'])) {
        // image id
        $iid = $_POST['img_id'];

        // let's check if this image id is valid/in the database
        require("conn_user.php");
        $stmt = $conn->prepare("SELECT * FROM `images` WHERE `ID` = ?");
        $stmt->bind_param("s", $iid);
        $stmt->execute();
        $stmt_results = $stmt->get_result(); // get result
        $row_get = $stmt_results->fetch_assoc();

        if ($stmt_results->num_rows > 0) {
            // img with the id was found
            // now check if the current user is the owner of the post with post[ID] related to the image[ID]
            // (the column is named post_ID, as in the images table below, so the key must match)
            $post_id = $row_get['post_ID'];
            $stmt = $conn->prepare("SELECT * FROM `posts` WHERE `ID` = ?");
            $stmt->bind_param("s", $post_id);
            $stmt->execute();
            $stmt_results = $stmt->get_result(); // get result
            $row_get_post = $stmt_results->fetch_assoc();

            if ($stmt_results->num_rows > 0) {
                // post was found, let's check $_SESSION against the poster id (in DB)
                if (isset($_SESSION['uid']) && $_SESSION['uid'] == $row_get_post['poster_id']) {
                    // this means the current user is the owner of the post as well as the image
                    // now delete the image cuz the user is the owner, which means it's safe
                    $stmt = $conn->prepare("DELETE FROM `images` WHERE `ID` = ?");
                    $stmt->bind_param("s", $iid);
                    $stmt->execute();

                    // affected_rows is a property of the statement itself;
                    // store_result() only applies to SELECTs and returns a bool
                    if ($stmt->affected_rows == 1) {
                        // image was deleted, return info so the page knows
                        echo 'image deleted!';
                    } else {
                        echo 'image could not be deleted!';
                    }
                } else {
                    // id didn't match, probably a hacker so force kick and admin review
                    // code removed for this post
                }
            } else {
                // post not found; this will never happen but if it does just add error output
            }
        } else {
            // img not found, please tell the user
            // this code was removed for simplicity of the post
        }
    }


MY DATABASES:

images table

| ID | post_ID | url |
| :--------:| :--------:|:--------:|
| W12kwd2 | 1 | mNDNJD3324kmWD382n3r.png |
| T93pm3P | 1 | In3u2n329dnjJDEJKDde.jpg |
| Wo90dmp | 2 | JNMduwio3232ndsakdew.jpeg|

posts table

| ID | post_title | poster_id |
| :--------: | :--------: |:--------: |
| 1| What a title | 1 |
| 2| Can you code?| 1|
| 3| Ajax, why and how | 4 |

MY ISSUE:

So another user can't delete another user's image, cuz I am checking that they are the owner of the post which the image is related to. But let's say the user is busy editing post 1; the edit post URL will look like this: edit_post?post_id=1, which is fine, but the user can insert into the button's data-id the ID of images related to post ID 2 and delete them, cuz he is the owner of post ID 2 as well (you can see it from the DB example). Now first I think, let's just get the ID from the URL, but any idiot who knows how frontend works will be able to check the JS and just insert the value they want for the URL id=. So how can I limit this so that a user can only delete the images of the post that they are currently editing, without having to work with a frontend-supplied ID?

I thought maybe to use a $_SESSION['current_edit'] = "current id of post which they clicked edit on", but the issue is what if they have multiple tabs cuz they are editing more than one post. I know I need to work with some type of supplied ID, but how can I lock it down so that users can't delete images of other posts they own while editing another post?

FOOTER NOTE: if I need to supply more info and edit the post to be clearer or more specific, please tell me and I will do it, as I know StackOverflow is a clean and well maintained site ~ Have a great day :)

LOGN_NEO
    Just add `AND POST_ID = :postId` to your delete query? – Alex Howansky Jan 27 '22 at 17:58
  • but where will the postId come from? via the ajax or something? – LOGN_NEO Jan 27 '22 at 18:00
  • @AlexHowansky cuz the postId that is gotten from the query is purely based on the id of the image, so if they submit post ID 2's image id then it will get 2 for post id and just check that the user is the owner of post id 2, and the user is the owner, which then won't stop the user from deleting an image related to the other post he/she owns – LOGN_NEO Jan 27 '22 at 18:03
  • Why restrict the user from deleting images in that way? If they want to edit the HTML/JS and try to delete images that way you're going to have a hard time stopping them. As you mentioned, you really want to stop them from messing with other people's images. – waterloomatt Jan 27 '22 at 18:09
  • @waterloomatt well I checked some of my competitors, which are OLX and eBay etc., and they all have some sort of system of checking that users can't delete other post images they own, so my thinking was it should be possible, I just can't find a way to do it. That's why I asked, to see if some other devs have a way of doing it. But I guess I'll just do a check: if a user deletes other post images, that post will go into review for admins to review and approve or something – LOGN_NEO Jan 27 '22 at 18:43
  • As others have mentioned, you can pass the current post ID along with the image ID in the request, but even then the user can alter the post ID and image ID to something other than the post they're editing. You rightly suggested that you'd need to keep track of the post they're editing via some mechanism like sessions, but that seems like over-engineering at this early stage. – waterloomatt Jan 27 '22 at 18:49
  • @waterloomatt okay thanks, maybe I am overthinking it, idk. I will keep my current system and if we grow larger I will look into some session type system or something ~ Thanks for helping tho and have a great day. – LOGN_NEO Jan 27 '22 at 18:55
  • This may sound funny, but the other way to think about this is that this is a feature, not a bug. Imagine you wanted to expose your application with a web interface and also as an API where people could interact with your data via a REST API. If authenticated, people can submit requests (post ID and image ID) to manage (delete/add/update) their images. If you enforce the concept that users have to be "editing a post" in order to delete an image, you'd lose the ability to expose this as an API, or at the very least, it'd become a significant challenge to implement. – waterloomatt Jan 27 '22 at 18:59
  • @waterloomatt wow, yeah it actually sounds like more of a feature as I am planning to build an API later on. ~ thanks mate, this made me much more comfortable with the current system :D – LOGN_NEO Jan 27 '22 at 19:31
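The following is an added example, not the asker's or any commenter's code, of the direction Alex Howansky's comment points at: the AJAX request posts `post_id` alongside `img_id` (taken from the edit page, e.g. the `post_id` in edit_post?post_id=1), and a single DELETE enforces image id, post scope and post ownership together, so a tampered id matches zero rows instead of reaching a separate "is this user the owner" branch. It assumes the `images`/`posts` tables from the question, that conn_user.php provides a mysqli `$conn`, and that login stores the user id in `$_SESSION['uid']`; as waterloomatt notes, an owner of both posts can still send post_id=2 deliberately, which this design accepts.

```php
<?php
// inc/ajax/del_images.php (added example, not the original handler)
// Assumptions: conn_user.php defines mysqli $conn; $_SESSION['uid'] is set at login.
session_start();
header('Content-Type: application/json');

function deleteOwnedImage(mysqli $conn, int $uid, string $postId, string $imgId): bool
{
    // Everything the request is allowed to touch is pinned down in the WHERE clause:
    //   - the image row must have this id,
    //   - it must belong to the post the user is editing,
    //   - and that post must be owned by the logged-in user.
    // No separate SELECT-then-compare step, so there is no branch to get wrong.
    $sql = 'DELETE i FROM `images` i
            JOIN `posts` p ON p.`ID` = i.`post_ID`
            WHERE i.`ID` = ? AND i.`post_ID` = ? AND p.`poster_id` = ?';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('ssi', $imgId, $postId, $uid);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

if (!isset($_SESSION['uid'])) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'not logged in']);
    exit;
}
if (!isset($_POST['img_id'], $_POST['post_id'])) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'img_id and post_id are required']);
    exit;
}

require 'conn_user.php';
$ok = deleteOwnedImage($conn, (int) $_SESSION['uid'], $_POST['post_id'], $_POST['img_id']);
if (!$ok) {
    // Zero rows means: unknown image, image not under this post, or post not owned
    // by this user. Log which ids were involved for review; the client only learns
    // that the delete was refused, not why.
    error_log(sprintf('image delete refused: uid=%d post_id=%s img_id=%s',
        $_SESSION['uid'], $_POST['post_id'], $_POST['img_id']));
    http_response_code(403);
}
echo json_encode(['ok' => $ok]);
```

On the edit page this means the click handler sends `{img_id: ..., post_id: ...}`, with `post_id` rendered by PHP into a data attribute on the form rather than read back from the URL in JavaScript.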

1 Answer

delete image from folder PHP

This post may help you.

What you need to do.

  • query the id from database with ajax
  • then fetch the url column.
  • Delete the file by unlinking the url line you called to whatever your file system is.

That's all the process.

v-Cx
  • this still won't work cuz that's not my issue, but thanks for trying – LOGN_NEO Jan 27 '22 at 18:01
  • Then I can give you a suggestion. If you know which user each photo belongs to, you should change the process as follows: instead of sending just the img_id, you should always send the img_id as well as the user_id. If the img_id belongs to the user_id, complete the deletion. If it doesn't belong, don't do this. – v-Cx Jan 27 '22 at 18:18
  • @ibrahim, what happens if the user changes the userId in the HTML/JS to someone else? Can they then delete other people's images? – waterloomatt Jan 27 '22 at 19:23
  • No. If you assign the user_id to the session with PHP, you will be aware of everything in the back-end even if the user changes the img_id in the js file. So whatever the situation, you will be in control. https://stackoverflow.com/questions/41879519/adding-user-id-into-session-mysql Rajdeep Paul's solution will help you. – v-Cx Jan 28 '22 at 06:05
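The answer's last step, unlinking the file named in the `url` column, is where a second trust problem sits: the stored name decides which path gets deleted. This added example (not the answerer's or the asker's code) removes the file only after confirming it resolves inside one upload directory; it assumes uploads live in a single directory passed as `$uploadDir` and that `url` holds a bare file name such as mNDNJD3324kmWD382n3r.png, as in the question's images table.

```php
<?php
// Added example: delete the file behind an images.url value without trusting
// that value as a path. Assumes a single upload directory ($uploadDir).
function unlinkUploadedImage(string $uploadDir, string $storedUrl): bool
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;                       // upload directory does not exist
    }

    // Keep only the final path component: any directory part, "../" sequence,
    // absolute path or URL prefix in the stored value is discarded here.
    $name = basename($storedUrl);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // realpath() also follows symlinks, so a link placed in the upload directory
    // that points outside it resolves to its real target and fails the prefix check.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // missing, or resolves outside $uploadDir
    }
    if (!is_file($target)) {
        return false;                       // never unlink a directory
    }
    return unlink($target);
}

// Usage, after the DELETE on `images` has reported affected_rows == 1 and the
// row's url was read beforehand (as $row_get in the question's handler):
// $removed = unlinkUploadedImage(__DIR__ . '/../../uploads', $row_get['url']);
```

A failed unlink after a successful row delete leaves an orphaned file rather than a dangling row, which is the safer of the two to clean up later.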