Problems deleting File PHP

Question

This is my code to pull information from my sql database and then I want to delete the .txt files in each directory, but I can't seem to figure out why it won't delete the files.

<?php

session_start();
$user = $_SESSION['SESS_USERNAME'];

$id = array();
$id = $_POST['selected'];

//Include database connection details
require_once('config_order.php');

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if (!$link) {
    die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if (!$db) {
    die("Unable to select database");
}

//Create query
$query = mysql_query("SELECT * FROM  `PropertyInfo` WHERE  `order_number` =  '$id[0]'");

// display query results

while ($row = mysql_fetch_array($query)) {
    $c_name = $row['clientname'];
    $sitestreet = $row['sitestreet'];              
    $inspector = $row['inspector'];
}
mysql_close($link);

$client_name = str_replace(" ", "_", $c_name);
$site_street = str_replace(" ", "_", $sitestreet);

$client_name = "{$client_name}.txt";
$site_street = "{$site_street}.txt";

$client_path = "/var/www/vhosts/default/htdocs/Members/$user/$inspector/Orders/Clients";
$inspection_path = "/var/www/vhosts/default/htdocs/Members/$user/$inspector/Orders/Inspections";

if (unlink($client_path . "/" . $client_name)) {
    echo 'File Deleted';
} else {
    echo 'File could not be deleted';
}
?>

Answer 1

I think this is because your while loop is overwriting the $c_name, $sitestreet and $inspector variables. This means you will only ever delete the last file.

Is this what you were trying to do? (Edited Again...)

$query = mysql_query("SELECT * FROM `PropertyInfo` WHERE `order_number` IN (".mysql_real_escape_string(implode(',',$id)).")");

while ($row = mysql_fetch_array($query)) {

  $inspector = $row['inspector'];
  $client_name = str_replace(" ", "_", $row['clientname']).'.txt';
  $site_street = str_replace(" ", "_", $row['sitestreet']).'.txt';

  $client_path = "/var/www/vhosts/default/htdocs/Members/$user/$inspector/Orders/Clients";
  $inspection_path = "/var/www/vhosts/default/htdocs/Members/$user/$inspector/Orders/Inspections";

  if (!file_exists($client_path.'/'.$client_name)) {
    echo "File $client_path/$client_name does not exist!\n";
  } else echo (unlink($client_path.'/'.$client_name)) ? "File $client_path/$client_name was deleted\n" : "File $client_path/$client_name could not be deleted\n";

}
mysql_close($link);

Answer 2

Try some extra debugging:

$realpath = $client_path . '/' . $client_name;

if (file_exists($realpath)) {
   if (is_writable($realpath)) {
       if (unlink($realpath)) {
            echo "$realpath deleted";
       } else {
            echo "Unable to delete $realpath";
       }
   } else {
      echo "$realpath is not writable";
   }
} else {
   echo "$realpath does not exist";
}

Answer 3

On first glance, this is a problem, if $_POST['selected'] is not an array:

$id = array();
$id = $_POST['selected'];

...


$query = mysql_query("SELECT * FROM  `PropertyInfo` WHERE  `order_number` =  '$id[0]'");

You are instantiating $id as an empty array, then overwriting it with $_POST['selected'], so $id[0] is the first character of the string $id.

For example, if $_POST['selected'] is 12345:

"SELECT * FROM  `PropertyInfo` WHERE  `order_number` =  '$id[0]'"

is equivalent to:

"SELECT * FROM  `PropertyInfo` WHERE  `order_number` =  '1'"

Either don't try to access it with an index or do $id[] = $_POST['selected']; to add the element onto the $id array instead.

Whether that is an array or not, you do need to either sanitize that input before you insert it into the query or use prepared statements, though!