How to avoid UNLINK security risks in PHP?

深忆病人 2021-01-12 18:59

I'm using unlink with PHP and AJAX. I know that this way is very dangerous, because anyone can delete any file. But I need to use AJAX.

7 answers
  •  醉梦人生
    2021-01-12 19:45

    In your PHP:

    • Make sure $_GET['photo_id'] and $_GET['thumbnail_id'] don't contain "../"
    • Also make sure you prepend a basepath to the ID.

    Otherwise users can delete any file.

    As for the ownership, you have to store the information about who owns which file somewhere on the server side (for example a MySQL database). Then you should consult this location before deleting the file.
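A hardened version of such a delete endpoint, as an added example that is not from the original post or the answer above. It assumes a `photos(id, owner_id, filename)` table, an authenticated `$_SESSION['user_id']`, and an upload directory `/var/www/uploads` (all assumptions). It goes a step beyond the answer by allow-listing the id and checking the resolved path with `realpath()` rather than only searching for `"../"`, and by accepting POST instead of GET so a plain link cannot trigger a deletion.

```php
<?php
declare(strict_types=1);

// Assumption: uploads live here and a photos(id, owner_id, filename) table exists.
const UPLOAD_BASE = '/var/www/uploads';

/**
 * Delete the file behind $photoId only if it belongs to $userId and resolves
 * to a path inside UPLOAD_BASE. Returns true on success, false when refused.
 */
function deleteOwnedPhoto(PDO $db, int $userId, string $photoId): bool
{
    // 1. Allow-list the id: a simple token rules out "../", slashes, null
    //    bytes and their encoded variants in one check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $photoId)) {
        return false;
    }

    // 2. Ownership check against the server-side record (prepared statement).
    $stmt = $db->prepare('SELECT filename FROM photos WHERE id = ? AND owner_id = ?');
    $stmt->execute([$photoId, $userId]);
    $filename = $stmt->fetchColumn();
    if ($filename === false) {
        return false; // unknown id, or not owned by this user
    }

    // 3. Prepend the base path and confirm the resolved file is still under it.
    //    realpath() follows symlinks, so a link pointing outside is caught too.
    $base   = realpath(UPLOAD_BASE);
    $target = realpath(UPLOAD_BASE . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    // 4. Only now delete, then drop the record so the id cannot be reused.
    if (!unlink($target)) {
        return false;
    }
    $db->prepare('DELETE FROM photos WHERE id = ?')->execute([$photoId]);
    return true;
}

// AJAX endpoint: POST only, and the user id comes from the session, never the client.
session_start();
$db = new PDO('sqlite:' . __DIR__ . '/photos.db'); // assumption: SQLite for the demo
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['user_id'])) {
    $ok = deleteOwnedPhoto($db, (int) $_SESSION['user_id'], (string) ($_POST['photo_id'] ?? ''));
    http_response_code($ok ? 200 : 403);
}
```

Pair the endpoint with a CSRF token on the POST, since the session cookie alone still lets another site submit the request on the user's behalf.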
