NYCPHP Meetup

NYPHP.org

[nycphp-talk] Bullet proofing "rmdir" command

Jeff jsiegel1 at optonline.net
Tue Aug 12 10:28:57 EDT 2003


Just to expand a bit, I use a constant for the full path:

define('DEST_PATH','/var/www/html/car_images/') and then create $sSubDir
by concatenating this path with the value in the table which is simply
the subdirectory name, such as "b67783a0ceadaa20bdc17a513d113a42"

Jeff

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of David Sklar
Sent: Tuesday, August 12, 2003 8:57 AM
To: NYPHP Talk
Subject: RE: [nycphp-talk] Bullet proofing "rmdir" command


Where is $sSubDir set? If it's set by users, then before either call to
rmdir() you should canonicalize the pathname with realpath() and then make
sure that the canonicalized pathname has the correct prefix.

For example:

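// The directory under which image-storage subdirectories can be created
$sImagePrefix = '/www/some/place/images';

// Canonicalize: resolves "..", "." and symlinks; false if the path doesn't exist
$sSubDir = realpath($sSubDir);
// Only proceed if the canonical path sits directly under the image prefix
if ($sSubDir && ($sImagePrefix == dirname($sSubDir))) {
  for ($i = 0; $i < 5; $i++) {
    // realpath() strips any trailing slash, so add the separator back
    $sImageName = $sSubDir . "/image$i.jpg";
    if (file_exists($sImageName)) { unlink($sImageName); }
  }
  // Remove the now-empty directory (unlink() does not remove directories)
  rmdir($sSubDir);
}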

realpath() returns false if the canonicalized pathname doesn't exist.

David


On Tuesday, August 12, 2003 9:45 AM,  wrote:

> Great! Thanks!
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of pswebcode, nyc
> Sent: Tuesday, August 12, 2003 8:41 AM
> To: 'NYPHP Talk'
> Subject: RE: [nycphp-talk] Bullet proofing "rmdir" command
>
>
> //Delete subdir
> if(file_exists($sSubDir) && $sSubDir!="." && $sSubDir != ".."){
> rmdir($sSubDir); }
>
> ...better.
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Jeff
> Sent: Tuesday, August 12, 2003 9:27 AM
> To: 'NYPHP Talk'
> Subject: [nycphp-talk] Bullet proofing "rmdir" command
>
>
> I have a specific subdirectory on my site where users can upload
> image files associated with some text stored in a database. The
> question concerns deleting those uploaded images. Deleting the record
> is the easy part...even deleting the images and subdirectory is easy.
> However, my concern is what precautions should I take to make sure
> that the wrong subdir (or the whole site!!) doesn't get blown away.
> In the code below I'm using file_exists to delete the images and
> subdir but is there anything else that I should do to bullet proof
> the procedure?
>
> //Note: $sSubDir is the subdirectory path stored in the corresponding MySQL record.
>
> //Delete images
> for($i=0;$i<5;$i++){
> 		$sImageName = $sSubDir . "image$i.jpg";
> 		if(file_exists($sImageName)){
> 			unlink($sImageName);
> 		}
> 	}
> //Delete subdir
> if(file_exists($sSubDir)){
> 	rmdir($sSubDir);
> }
>
> Jeff
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org http://lists.nyphp.org/mailman/listinfo/talk

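The realpath()-plus-prefix check discussed in this thread, written out as an added example that is not code from any poster: removeImageDir() is a hypothetical name, and the 32-hex-character name pattern is an assumption based on the sample subdirectory name quoted above. The demo at the bottom runs against a constructed temporary directory rather than a real image path.

```php
<?php
// Added example, not from the thread. removeImageDir() is a hypothetical name.
// Assumption: subdirectory names are 32 lowercase hex characters.

function removeImageDir(string $base, string $name): bool
{
    // Reject anything that is not a bare directory name ("..", "a/b", "").
    if (!preg_match('/^[0-9a-f]{32}$/', $name)) {
        return false;
    }
    $realBase = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false when the path does not exist.
    if ($realBase === false || $target === false) {
        return false;
    }
    // With symlinks resolved, the target must be a directory that sits
    // directly under the base, otherwise nothing is deleted.
    if (!is_dir($target) || dirname($target) !== $realBase) {
        return false;
    }
    for ($i = 0; $i < 5; $i++) {
        $image = $target . DIRECTORY_SEPARATOR . "image$i.jpg";
        if (is_file($image)) {
            unlink($image);
        }
    }
    // rmdir() only removes an empty directory, so any unexpected file
    // left inside makes the call fail instead of being deleted.
    return @rmdir($target);
}

// Constructed demo data in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'car_images_' . uniqid();
$name = 'b67783a0ceadaa20bdc17a513d113a42';
mkdir($base . DIRECTORY_SEPARATOR . $name, 0700, true);
touch($base . DIRECTORY_SEPARATOR . $name . DIRECTORY_SEPARATOR . 'image0.jpg');

var_dump(removeImageDir($base, '..'));                 // parent-directory name
var_dump(removeImageDir($base, str_repeat('0', 32)));  // well-formed, no such dir
var_dump(removeImageDir($base, $name));                // the directory made above
rmdir($base);
```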


