[英]how to protect deleting files from other folder
I created a simple filemanagement for a couple of users. 我为几个用户创建了一个简单的文件管理。 The structure: every user has a map in the dir
uploads
like below: 结构:每个用户在目录
uploads
都有一张地图,如下所示:
uploads/john/-->files inside
uploads/bill/-->files inside
For deleting files i use this form" 对于删除文件,我使用此表格”
<form class="sfmform" method="post" action="">
<input type="hidden" name="deletefile" value="<?php echo $dir.'/'.$file">
<input type="submit" class="sfmdelete" name="delete" value="Delete">
</form>
The var $dir.'/'.$file
shows me the exact location of the file, per example: uploads/john/cat.jpg
var
$dir.'/'.$file
显示$dir.'/'.$file
的确切位置,例如: uploads/john/cat.jpg
Lets assume: I am john and i know that the name of another is, bill . 让我们假设:我是约翰 ,我知道另一个人的名字是比尔 。 And i guess bill has also a file in his foilder called
dog.jpg
而且我猜比尔在他的箔
dog.jpg
还有一个名为dog.jpg
的文件
I open te browser inspector for deleting a file in my own folder, and i change the value of the hidden input form uploads/john/cat.jpg
to uploads/bill/dog.jpg
and click on delete, i really deleted the dog image out of bill his folder. 我打开浏览器检查器以删除自己文件夹中的文件,然后将隐藏的输入表单
uploads/john/cat.jpg
的值更改为uploads/bill/dog.jpg
,然后单击删除,我确实删除了狗图像没帐单他的文件夹。
How can i protect this kind of manipulating via browser inspector? 如何通过浏览器检查器保护这种操作?
This is what i did to protect manipulation via browser inspector: The names of the folders like john
and bill
are generated by this variable: UserID
这是我通过浏览器检查器来保护操作的操作:
john
和bill
之类的文件夹的名称由此变量生成: UserID
All the folders are inside the uploads
directory. 所有文件夹都位于
uploads
目录中。 So it looks like: uploads/john/...
and uploads/bill/...
所以看起来像:
uploads/john/...
和uploads/bill/...
The value of the hidden text field is created with: $dir.'/'.$file
and always looks like uploads/john/file.jpg
隐藏文本字段的值是使用
$dir.'/'.$file
,始终看起来像uploads/john/file.jpg
Now i compare the $UserID
with the value ot the hidden filed after the first /
like this: 现在,我将
$UserID
与第一个/
之后的隐藏文件的值ot进行比较,如下所示:
$pieces = explode("/", $_POST['deletefile']);
$hiddenvalue = $pieces[1];
if( $UserID != $hiddenvalue ) { // if these values not the same
echo "Forbidden!";
exit;
}
I tested it and it seems to work fine... 我测试了它,似乎工作正常...
Ok! 好! Its not the most professional solution, but i wanted to make this script without database
它不是最专业的解决方案,但我想在没有数据库的情况下制作此脚本
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.