Delete files with AJAX/PHP
https://stackoverflow.com/questions/3409261
-
25-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
The problem
I want to delete a file with AJAX/PHP.
But the php says that the file name what I send with AJAX is not a file, but when I go directly to the link I can delete the files. Check out my current PHP, I've put in the IF/ELSE statement to check if the string is a file with: is_file, the result is false.
Without is_file says this:
Warning: unlink("image.jpg") [function.unlink]: Invalid argument in C:\wamp\www\images\users\delete.php on line 8
The file what calls the ajax is inside the folder where are the files too what I want to delete.
The PHP
<?php
// I save the file sources from the URL what was sent by AJAX to these variables.
$photo_id = $_GET['photo_id'];
$thumbnail_id = $_GET['thumbnail_id'];
function deletePhotos($id){
// If is a file then delete the file.
if(is_file($id)){
return unlink($id);
// Else show error.
} else {
echo $id . " is not a file, or there is a problem with it.<br />" ;
}
}
if(isset($photo_id)){
deletePhotos($photo_id);
}
if(isset($thumbnail_id)){
deletePhotos($thumbnail_id);
}
?>
The AJAX
function deletePhoto(photo, thumbnail){
var photos = encodeURIComponent(photo);
var thumbnails = encodeURIComponent(thumbnail);
if (window.XMLHttpRequest) {// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
} else {// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function() {
if (xmlhttp.readyState==4 && xmlhttp.status==200) {
document.getElementById("media").innerHTML=xmlhttp.responseText;
}
}
xmlhttp.open("GET", "http://192.168.2.104/images/users/delete.php?photo_id=\""+photos+"\"&thumbnail_id=\""+thumbnails+"\"", true);
xmlhttp.send();
}
Solution
Your ajax request has the data in quotes.
//Bad
delete.php?photo_id="1234"
//Good
delete.php?photo_id=1234
//So use this:
xmlhttp.open("GET", "http://192.168.2.104/images/users/delete.php?photo_id="+photos+"&thumbnail_id="+thumbnails, true);
OTHER TIPS
You need to give a full path to is_file. A partial path like image.jpg doesn't tell it where that file is located. If it's supposed to be relative to the document root, you'll need to prepend that.
This is one of the most dangerous scripts I've ever seen. You could pass any file into photo_id, and as long as the web server has the right permissions, it would delete it. You should at least make sure you're restricting it to only delete files within a certain directory.
you might need to specify the path for example
file_exists( realpath('.') . '/' . $id );
(assuming your files are in the same folder as your script) ditto what others have said, this is a dangerous script unless there is other security in place!
try to use trim in your post or get variable, ex:
$photo_id=trim($_GET['blah..blah']);
in my case the problem is $photo_id returns no file name - its returns something like this '\nfilename', when it should be 'filename' so I added trim and its worked for me now.
