How to prevent index.php main file from being deleted?

Viewed 90 times

-4

admin.php:

<?php
// Vulnerable version from the question: whatever name arrives in ?apagar=
// is passed straight to unlink(), with no check on where it points.
$file = $_GET['apagar'];
if (!unlink($file))
{
    echo ("arquivo nao encontrado"); // "file not found"
}
else
{
    echo ("arquivo deletado"); // "file deleted"
}
?>

<script>function del(){return confirm("Excluir?");}</script>
<a href='?apagar=data1.html' onclick='return del();'>Apagar</a>
<a href='?apagar=data2.html' onclick='return del();'>Apagar</a>
<a href='?apagar=data3.html' onclick='return del();'>Apagar</a>

So far so good!

The problem is this: accessing the URL directly deletes the index.php file, which I do not want.

http://127.0.0.1/admin.php?apagar=index.php

  • The best way is to have a list of files in the database and only allow deleting if the file exists there. Or else keep the files that may be deleted in a different directory from the .php files.

  • @Jorgeb. Even if you put it in a different folder, http://127.0.0.1/admin.php?apagar=../config.php deletes even more important files. :-|

  • You need to take away access to those folders first and only give access to the folder where the files will be.

  • You can make a list in the database as Jorge B. suggested, or an array with the pages you do not want to be deleted, and before executing unlink($file) you check whether what came in $_GET["apagar"] is present in the list with in_array(); if it is, you stop execution.

  • Actually, the ideal is to have a directory only for files that can be edited and deleted, and also a record of those same files in the database, and only delete if they are in the database and, of course, in that directory. Other directories must be protected.

1 answer

1


Your concern at this point is that a malicious user can delete *.php files from your site, but this leaves it open for an attacker to try to delete ANY FILE from your host; if folder permissions are misconfigured, your server will be exposed and you may have a lot of headaches.

A better solution is to keep a separate directory specifically for this type of file, and your script has to check that the file requested for deletion is in this directory, for example:

<?php

// Only files that live directly inside this directory may be deleted
// (placeholder path; set it to the real directory on your server)
$userFiles = '/caminho/pasta/especifica';
// basename() discards any directory part, so "../config.php" becomes "config.php"
// and the request can never leave $userFiles
$fileRequested = basename($_GET['apagar'] ?? '');
$file = $userFiles . DIRECTORY_SEPARATOR . $fileRequested;
// is_file() rejects directories and missing files before unlink() is attempted
if (is_file($file) && unlink($file)) {
    echo 'arquivo deletado';
} else {
    echo 'arquivo não encontrado ou não autorizado';
}

// ...
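As an added example that is not part of the answer above or of the original question, the script below applies the answer's dedicated-directory idea together with the commenters' allowlist suggestion, and adds a realpath() containment check so that symlinks planted inside the directory cannot redirect the unlink() elsewhere. The directory layout, file names and the temporary directory it creates are constructed for the demo and are assumptions, not anything taken from the asker's site.

```php
<?php
declare(strict_types=1);

// Added example (not the question's or the answer's code). Directory and
// file names are constructed for the demo and are assumptions.

/**
 * Delete $requested only if it names a regular file directly inside
 * $userFiles and its extension is on the allowlist. Returns a status string.
 */
function safeDelete(string $userFiles, string $requested): string
{
    // A NUL byte makes PHP 8 filesystem functions throw; reject it first.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return 'invalid name';
    }

    // Keep only the final path component; "../config.php" becomes "config.php".
    // basename() passes "." and ".." through unchanged, so refuse those too.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return 'invalid name';
    }

    // Allowlist of deletable types. ".php" is deliberately absent, so even an
    // index.php placed inside the directory stays untouchable.
    $allowed = ['html', 'txt'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return 'type not allowed';
    }

    // Canonicalise both sides and require the target to sit below the base.
    // realpath() resolves symlinks, so a link inside the directory pointing
    // at ../config.php or /etc/passwd resolves outside the base and fails.
    $base = realpath($userFiles);
    $target = realpath($userFiles . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || !is_file($target)
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return 'not found or not allowed';
    }

    return unlink($target) ? 'deleted' : 'delete failed';
}

// --- Demo: throwaway layout mimicking the question's site (constructed) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'apagar_demo_' . bin2hex(random_bytes(4));
$userFiles = $root . DIRECTORY_SEPARATOR . 'paginas';
mkdir($userFiles, 0700, true);
file_put_contents("$userFiles/data1.html", '<p>1</p>');
file_put_contents("$userFiles/data2.html", '<p>2</p>');
file_put_contents("$userFiles/index.php", '<?php // decoy inside the user dir');
file_put_contents("$root/index.php", '<?php // decoy: the real entry point');
file_put_contents("$root/config.php", '<?php // decoy');

$attempts = [
    'data1.html',              // legitimate request
    'data1.html',              // second time: already gone
    'index.php',               // .php inside the directory: blocked by allowlist
    '../index.php',            // traversal: basename() strips it, .php still blocked
    '../config.php',
    '..',
    'paginas/../../config.php',
    "data2.html\0.html",       // NUL byte
    'data2.html',
];
foreach ($attempts as $apagar) {
    printf("%-28s -> %s\n", addcslashes($apagar, "\0"), safeDelete($userFiles, $apagar));
}

// The files the asker cares about must survive every attempt above.
foreach (["$root/index.php", "$root/config.php", "$userFiles/index.php"] as $f) {
    printf("%s still exists: %s\n", str_replace($root, '', $f), file_exists($f) ? 'yes' : 'no');
}

// Cleanup of the demo directory.
array_map('unlink', glob("$userFiles/*") ?: []);
rmdir($userFiles);
array_map('unlink', glob("$root/*") ?: []);
rmdir($root);
```

Run it with `php safe_delete_demo.php`; only the two data*.html requests report "deleted", every other line reports a rejection, and the three decoy .php files are still present at the end. In the real admin.php, call safeDelete() with the configured directory and the submitted name; and since a bare GET link that deletes a file can also be triggered from another site, the "Apagar" links should become a POST form carrying a CSRF token.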
