How to avoid UNLINK security risks in PHP?

Question

I\'m using UNLINK with PHP and AJAX. I know that in this way is very dangerous, because everyone can delete any files. But I need to use AJAX

Answer 1

In your PHP:

• Make sure $_GET['photo_id'] and $_GET['thumbnail_id'] don't contain "../"
• Also make sure you prepend a basepath to the ID.

Otherwise users can delete any file.

As for the ownership, you have to store the information who owns which file somewhere on the server side (for example a MySql-DB). Then you should consult this location before deleting the file.