Home/ Questions/Q 7022619
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T23:36:21+00:00

My script: $secret = check_input($_GET[‘secret’]); if(isset($_POST[‘register’])) { if (isset($secret) || !empty($secret)) { if (file_exists(ROOT

  • 0

My script:

$secret = check_input($_GET['secret']);
if(isset($_POST['register'])) {
    if (isset($secret) || !empty($secret)) {
        if (file_exists(ROOT . '/intl/codes/' . $secret)) {
            unlink(ROOT . '/intl/codes/' . $secret);
            $trusted = 'yes';
        } else {
            $trusted = 'no';
        }
    }
//$_POST['register'] register details...
}
  1. Is there another way to do it (simplier, etc.)?
  2. If $secret doesn’t exist in the /codes/ folder, it produces Warning: unlink Is a directory How to get rid of that?
  3. Why $trusted always gives yes even if the file doesn’t exist ?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To delete a directory, you should be using rmdir() instead of unlink().

    $secret = check_input($_GET['secret']);
if(isset($_POST['register'])) {
    if (!empty($secret)) {
        if(file_exists(ROOT . '/intl/codes/' . $secret)) {
            rmdir(ROOT . '/intl/codes/' . $secret);
            $trusted = 'yes';
        } else {
            $trusted = 'no';
        }
    }
    //$_POST['register'] register details...
}

    Although, there is a serious security risk here! If your check_input() does not properly sanitize $secret, you could rmdir('/intl/codes/../') which is the same as deleting /intl/.
    Try something like this:

    $allowed = ROOT. '/intl/codes/';
$path = realpath($allowed . check_input($_GET['secret']));

if(strpos($path, $allowed) === 0) {  //Check that $path is within allowed directory
    if(is_dir($path)) {
        rmdir($path);
    } else if(file_exists($path)) {
        unlink($path);
    } else {
        echo "File/folder not found";
    }
} else {
    echo "Untrusted user tried to delete outside of allowed directory";
}
    • 0