I created a simple filemanagement for a couple of users. The structure: every user has a map in the dir uploads
like below:
uploads/john/-->files inside
uploads/bill/-->files inside
For deleting files i use this form"
<form class="sfmform" method="post" action="">
<input type="hidden" name="deletefile" value="<?php echo $dir.'/'.$file">
<input type="submit" class="sfmdelete" name="delete" value="Delete">
</form>
The var $dir.'/'.$file
shows me the exact location of the file, per example: uploads/john/cat.jpg
Lets assume: I am john and i know that the name of another is, bill . And i guess bill has also a file in his foilder called dog.jpg
I open te browser inspector for deleting a file in my own folder, and i change the value of the hidden input form uploads/john/cat.jpg
to uploads/bill/dog.jpg
and click on delete, i really deleted the dog image out of bill his folder.
How can i protect this kind of manipulating via browser inspector?
This is what i did to protect manipulation via browser inspector: The names of the folders like john
and bill
are generated by this variable: UserID
All the folders are inside the uploads
directory. So it looks like: uploads/john/...
and uploads/bill/...
The value of the hidden text field is created with: $dir.'/'.$file
and always looks like uploads/john/file.jpg
Now i compare the $UserID
with the value ot the hidden filed after the first /
like this:
$pieces = explode("/", $_POST['deletefile']);
$hiddenvalue = $pieces[1];
if( $UserID != $hiddenvalue ) { // if these values not the same
echo "Forbidden!";
exit;
}
I tested it and it seems to work fine...
Ok! Its not the most professional solution, but i wanted to make this script without database
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.