Toad78 wrote:
> I'd like to know if this is the correct method to use
> unlink to delete the file associated with the record:
>
> $image_path = '../../../info/docs/employment/';
> if ((isset($_POST['empl_dnld_fn'])) &&
>     file_exists($image_path.$_POST['empl_dnld_fn'])) {
>     unlink($image_path.$_POST['empl_dnld_fn']);
> }
Just looking it over, it appears that it will delete the
specified file, but I haven't actually tried it to be sure. One thing
that I think is important to point out is that you had better be doing
some really serious validation of the value stored in:
$_POST['empl_dnld_fn']
The reason being that if some nefarious character wants to,
they could easily set the post value to something that you may not
want to be deleting. For example, if they set the value to:
../../Connections/wvgsadmin.php
(assuming that's your connection file name and the correct number of
dot-dot-slashes), then by adjusting the dot-dot-slashes to get to where
they want to, they may be able to delete files that your site
needs to keep running properly, as well as ones that protect certain
parts of your site.
One way to do it may be to try to sanitize the value by
checking whether the resulting file path (the posted value
combined with your image path variable) is inside the folder you
expect. Here's an example of how to determine if the path is within
the folder you expect it to be:
http://stackoverflow.com/questions/456546/how-do-i-make-sure-a-file-path-is-within-a-given-subdirect...
While the question covers GET, you can substitute POST and it
would be applicable to your situation.
David Powers seems to be the PHP guru around these parts so
if he is around, perhaps he knows of a better way to handle this
situation.
--
Danilo Celic | http://blog.extensioneering.com/ | WebAssist Extensioneer | Adobe Community Expert
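As an added illustration of the traversal problem Danilo describes and of the "is the resolved path inside the expected folder" check he links to, here is a self-contained PHP script. It is editor-added example code, not code from either poster or from the linked Stack Overflow answer. It builds a throwaway directory layout under the system temp directory (the `info/docs/employment/` and `Connections/wvgsadmin.php` names are taken from the thread; the files and their contents are constructed for the demo), runs the posted pattern against the attacker's value, and then runs a hardened version that resolves both paths with realpath() and refuses anything that does not sit under the allowed directory. The function names `unsafe_delete` and `safe_delete` are the example's own.

```php
<?php
// Editor-added example (not from the original post). Shows the posted
// unlink() pattern escaping its directory and one way to confine it.
// All file names and contents below are constructed for the demo.

// Throwaway layout:  <tmp>/info/docs/employment/resume.pdf   (deletable)
//                    <tmp>/Connections/wvgsadmin.php         (must survive)
$base    = sys_get_temp_dir() . '/unlink_demo_' . bin2hex(random_bytes(4));
$allowed = $base . '/info/docs/employment';
mkdir($allowed, 0700, true);
mkdir($base . '/Connections', 0700, true);
file_put_contents($allowed . '/resume.pdf', 'employee file');
file_put_contents($base . '/Connections/wvgsadmin.php', '<?php // db creds');

// The pattern from the original post: a trusted prefix joined to untrusted
// input. Nothing stops "../../../Connections/wvgsadmin.php" from climbing out.
function unsafe_delete(string $image_path, string $user_value): bool
{
    $target = $image_path . $user_value;
    if (file_exists($target)) {
        return unlink($target);
    }
    return false;
}

// Hardened version: realpath() collapses ".", ".." and symlinks, so the
// candidate can be compared against the resolved allowed directory.
// Returns [bool deleted, string reason].
function safe_delete(string $image_path, string $user_value): array
{
    $root = realpath($image_path);
    if ($root === false) {
        return [false, 'allowed directory does not exist'];
    }
    // realpath() is false for a path that does not exist, which also
    // covers the "file not found" case without a separate file_exists().
    $target = realpath($image_path . DIRECTORY_SEPARATOR . $user_value);
    if ($target === false) {
        return [false, 'no such file'];
    }
    // Require the resolved target to start with "<root>/" so that a sibling
    // directory whose name merely begins with the root name is also refused.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return [false, 'path escapes the allowed directory'];
    }
    if (!is_file($target)) {
        return [false, 'not a regular file'];
    }
    return [unlink($target), 'deleted ' . $target];
}

$attack = '../../../Connections/wvgsadmin.php';   // what an attacker would POST

// The hardened check refuses the traversal but still handles the real file.
[$ok, $why] = safe_delete($allowed . '/', $attack);
printf("safe_delete(attack):   %s (%s)\n", $ok ? 'deleted' : 'refused', $why);
[$ok, $why] = safe_delete($allowed . '/', 'resume.pdf');
printf("safe_delete(resume):   %s (%s)\n", $ok ? 'deleted' : 'refused', $why);

// The posted pattern happily removes the connection file.
$gone = unsafe_delete($allowed . '/', $attack);
printf("unsafe_delete(attack): %s; wvgsadmin.php still exists: %s\n",
    $gone ? 'deleted the config file' : 'refused',
    file_exists($base . '/Connections/wvgsadmin.php') ? 'yes' : 'no');

// Remove the temporary layout.
@unlink($allowed . '/resume.pdf');
@unlink($base . '/Connections/wvgsadmin.php');
rmdir($allowed);
rmdir($base . '/info/docs');
rmdir($base . '/info');
rmdir($base . '/Connections');
rmdir($base);
```

Two practical caveats on the check: compare against the resolved root plus a trailing separator (as above), otherwise `/info/docs/employment-old/` would pass a bare prefix test; and realpath() only works for paths that exist, so the "no such file" branch has to come before the containment test. The stronger design is not to accept a file name from the client at all, but to look it up from the record being deleted and pass only that record's identifier in the form.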