
How to protect against deleting files from another folder

I created a simple file management script for a couple of users. The structure: every user has a folder in the uploads dir, like below:

uploads/john/-->files inside

uploads/bill/-->files inside

For deleting files I use this form:

<form class="sfmform" method="post" action="">
        <!-- $dir and $file are set earlier in the script; the PHP tag must be closed with ?> and the value escaped for the attribute -->
        <input type="hidden" name="deletefile" value="<?php echo htmlspecialchars($dir.'/'.$file, ENT_QUOTES); ?>">
        <input type="submit" class="sfmdelete" name="delete" value="Delete">
</form>

The value $dir.'/'.$file shows me the exact location of the file, for example: uploads/john/cat.jpg

Let's assume: I am john and I know that the name of another user is bill. And I guess bill also has a file in his folder called dog.jpg.

I open the browser inspector while deleting a file in my own folder, change the value of the hidden input from uploads/john/cat.jpg to uploads/bill/dog.jpg and click Delete, and I really did delete the dog image out of bill's folder.

How can I protect against this kind of manipulation via the browser inspector?

This is what I did to protect against manipulation via the browser inspector: the names of the folders like john and bill are generated from this variable: UserID

All the folders are inside the uploads directory. So it looks like: uploads/john/... and uploads/bill/...

The value of the hidden field is created with $dir.'/'.$file and always looks like uploads/john/file.jpg

Now I compare $UserID with the part of the hidden field's value after the first /, like this:

<?php
// $UserID is assumed to be set earlier in the script from the logged-in user
$pieces = explode("/", $_POST['deletefile']);
$hiddenvalue = $pieces[1] ?? '';          // segment after the first "/" ("john" in "uploads/john/file.jpg")
if ((string)$UserID !== $hiddenvalue) {   // if these values are not the same
    echo "Forbidden!";
    exit;
}

I tested it and it seems to work fine...

OK! It's not the most professional solution, but I wanted to make this script without a database.
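The check in the answer above only compares the second path segment of the submitted value. A value such as uploads/john/../bill/dog.jpg still has john as its second segment, so it passes that check, and unlink() would then follow the .. into bill's folder. The following is an added example, not the original poster's code, of a delete handler that does not trust the folder part of the hidden field at all: it takes the user ID from the session, keeps only the file name from the request, and uses realpath() to confirm that the resolved target lies inside that user's own folder. The session key UserID, the constant UPLOAD_ROOT and the helper function names are assumptions made for this example.

```php
<?php
// Added example (not the original poster's code). Assumptions not taken from the post:
// the logged-in user's ID is stored in $_SESSION['UserID'] and UPLOAD_ROOT is the
// absolute path of the uploads directory that holds one folder per user.
declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/uploads';

/**
 * The explode("/")-based comparison from the answer, kept here only so the
 * reader can see what it accepts: any value whose second segment is $userId,
 * including "uploads/john/../bill/dog.jpg".
 */
function segmentCheckAllows(string $userId, string $submitted): bool
{
    $pieces = explode('/', $submitted);
    return ($pieces[1] ?? '') === $userId;
}

/**
 * Resolve the file this user is allowed to delete, or return null.
 * Only the file name is taken from the request; the folder comes from the session.
 */
function resolveOwnedFile(string $userId, string $submitted): ?string
{
    // 1. The user's own folder, derived server-side, never from the form.
    $userDir = realpath(UPLOAD_ROOT . '/' . $userId);
    if ($userDir === false) {
        return null;
    }

    // 2. Keep only the last path segment of what the client sent:
    //    "uploads/bill/dog.jpg" and "uploads/john/../bill/dog.jpg" both become "dog.jpg".
    $name = basename(str_replace('\\', '/', $submitted));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // 3. Resolve symlinks and "..", then confirm the result is still inside $userDir.
    $target = realpath($userDir . '/' . $name);
    if ($target === false || !is_file($target)) {
        return null;   // does not exist, or is not a regular file
    }
    if (strncmp($target, $userDir . DIRECTORY_SEPARATOR, strlen($userDir) + 1) !== 0) {
        return null;   // resolved outside the user's folder (e.g. through a symlink)
    }
    return $target;
}

// Request handling, e.g. at the top of the script that receives the delete form.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['delete'])) {
    $userId    = (string) ($_SESSION['UserID'] ?? '');
    $submitted = (string) ($_POST['deletefile'] ?? '');

    $target = ($userId !== '') ? resolveOwnedFile($userId, $submitted) : null;
    if ($target === null) {
        http_response_code(403);
        echo "Forbidden!";
        exit;
    }
    unlink($target);
}
```

With this handler the hidden field only needs to carry the file name; any folder prefix the client puts in it is discarded by basename(), and the realpath() prefix check catches the cases basename() alone would not, such as a symlink inside the user's folder that points at another user's file.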

Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM