Your removefile.php has some issues. First, you need to use $_GET, not $_POST. GET data is in the URL in the query string (everything after "?"). Next, change the index from '$filename' to 'file'. That's the name of the value you want.
Code: Select all
<?php
if(isset($_GET['file'])){
unlink($_GET['file']);
}
?>
You also have a major security issue here. What if someone called this?
http://example.com/removefile.php?file=removefile.php
Or even worse, this?
http://example.com/removefile.php?file=.
You have to make sure that only files in the directory you specify can be deleted. Here's how to do that:
Code: Select all
<?php
if(isset($_GET['file'])){
$filename = 'files' . ltrim($_GET['file'], '/\\');
// make sure only deleting a file in files/ directory
if (dirname(realpath($filename)) == realpath('files')) {
unlink($filename);
}
}
?>
To accommodate these changes, you need to change the first page a bit.
Code: Select all
<a href="removefile.php?file=<?php echo $filename;?>" title="Delete file '<?php echo $filename;?>' from the server">Delete</a>
I removed the files/ part from the URL. This means that removefile.php will decide where to delete the file from, not the URL.
That will make sure that no-one can delete a file outside of the specified directory.
realpath() calculates the absolute path of a file/directory name.
dirname() get the parent directory of that, and
basename() just gets the folder name. Basically, we're just making sure the parent of the file is the one we're expecting.
Other measures need to be taken to make sure that you can't just delete files without permission. Will this be on a live site?