0

I have a form which deletes a record from mySQL database. This database contains the image/file name.

How do I add into the statement to also delete the file in the website directory with the same image/file name.

if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));

  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}
5
  • use unlink(FILE_PATH) Commented Apr 24, 2015 at 13:28
  • Please, stop using mysql_* functions. They are no longer maintained and are officially deprecated. Learn about prepared statements instead, and use PDO. Commented Apr 24, 2015 at 13:32
  • The answers below are correct, but first you need to check the file_name var to remove any folder information like ../../, then add the path where the image should be, check if the image exists, and finally use unlink to remove it. Commented Apr 24, 2015 at 13:32
  • I have an entire site set up with mysql_* functions. Any idea on a way of simply converting this? Commented Apr 24, 2015 at 13:37
  • you might start by introducing some DB independent wrapper functions and then replace it within the code. Commented Apr 24, 2015 at 13:40

4 Answers

2

Use unlink($filename); (http://php.net/manual/en/function.unlink.php).

You will probably want to get the filename from the database, and validate its existence. DO NOT blindly trust the user input.

Use file_exists($filename) (http://php.net/manual/en/function.file-exists.php) to check if it exists.

So, your end logic should be something like:

  • if a filename is submitted, and it's not empty
  • then check the filename is in the database
  • then check the file exists
  • then delete the file
  • then delete the row from the database for the file

Something like:

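if (isset($_POST['file_name']) && !empty($_POST['file_name'])) {
  mysql_select_db($database_attibfn, $attibfn);

  // select filename query: look the name up instead of trusting the posted value
  $select = sprintf(
    "SELECT image_name FROM image_carousel WHERE image_name=%s",
    GetSQLValueString($_POST['file_name'], "text")
  );
  $result = mysql_query($select, $attibfn) or die(mysql_error());

  // mysql_query() returns a result resource, so fetch the row to get the name
  $row = mysql_fetch_assoc($result);
  // Prepend the image folder path here if image_name holds only the file name
  $filename = $row ? $row['image_name'] : false;

  if (!$filename || !file_exists($filename)) {
    // Handle it! Throw an exception or something
    throw new Exception('File not found');
  }

  unlink($filename);

  $deleteSQL = sprintf(
    "DELETE FROM image_carousel WHERE image_name=%s",
    GetSQLValueString($_POST['file_name'], "text")
  );

  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}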

Also, consider using PDO, or at the least - MySQLi.

http://php.net/manual/en/book.pdo.php

http://php.net/manual/en/book.mysqli.php

mysql_* functions are deprecated and being removed. They are insecure.


5 Comments

I would probably avoid using another query - mysql_affected_rows() after the delete query is a good enough indicator if there was such record
@Seer I have an entire site set up with mysql_* functions. Any idea on a way of simply converting this?
@dobromir-velev I don't quite get your answer! I'm still new to PHP
@cedricrademan As suggested in a comment on your question, you could make a wrapper class that encapsulates the behaviour of the database (i.e. handles running queries, taking the parameters for queries, that sort of thing), and then use that instead. Gradually replace the mysql_* calls with your wrapper, then you can change your wrapper to use a different underlying technology, like PDO, or MySQLi
@cedricrademan you can create replacement functions like myquery($sql,$db) that just calls mysql_query($sql,$db), then replace all references to mysql_query with myquery and then you can easily change myquery to use PDO or mysqli to do the same thing. You should do this to all MySQL functions you use like mysql_fetch_row, mysql_connect etc
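
The sequence described in the answer and comments above (look the name up, refuse folder information, confirm the file is inside the image folder, delete the file, then the row), as an added example that is not code from any answer on this page. The names deleteCarouselImage(), $pdo and $imageDir are assumptions; the demo uses PDO with in-memory SQLite and a temporary folder in place of the real site.

```php
<?php
// Added example: deleteCarouselImage(), $pdo and $imageDir are assumed names.
// Table and column (image_carousel.image_name) come from the question.

function deleteCarouselImage(PDO $pdo, string $imageDir, string $postedName): bool
{
    // 1. Only act on a name that exists as a record. The prepared statement
    //    keeps the posted value out of the SQL text.
    $stmt = $pdo->prepare('SELECT image_name FROM image_carousel WHERE image_name = ?');
    $stmt->execute([$postedName]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || basename($stored) !== $stored) {
        return false; // unknown record, or a name carrying folder information
    }

    // 2. Resolve real paths and require the file to sit directly inside the
    //    image folder (this also rejects symlinks that point elsewhere).
    $base = realpath($imageDir);
    if ($base === false) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $stored);
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        return false;
    }

    // 3. Delete the file first, then the row that referenced it.
    if (!unlink($path)) {
        return false;
    }
    $del = $pdo->prepare('DELETE FROM image_carousel WHERE image_name = ?');
    $del->execute([$stored]);
    return $del->rowCount() > 0;
}

// Constructed demo data: one valid record and one with a directory part.
$dir = sys_get_temp_dir() . '/carousel_' . uniqid();
mkdir($dir);
file_put_contents("$dir/slide1.jpg", 'x');
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE image_carousel (image_name TEXT)');
$pdo->exec("INSERT INTO image_carousel VALUES ('slide1.jpg'), ('../outside.txt')");
var_dump(deleteCarouselImage($pdo, $dir, 'slide1.jpg'));     // known record, file in folder
var_dump(deleteCarouselImage($pdo, $dir, '../outside.txt')); // record with folder information
var_dump(deleteCarouselImage($pdo, $dir, 'nope.jpg'));       // no such record
```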
0

Try this

if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));
  // delete file (replace the placeholders with the real path and name)
  unlink('<absolute path>/<filename>');
  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}

Comments

0
if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));

  unlink('/path/to/your/image/folder/'.$_POST['file_name']);

  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());
}

1 Comment

you should really check if $_POST['file_name'] is not something like ../../some.important.file
-1

Try to use unlink function:

unlink('/path/of/your/image/');

In your code:

if ((isset($_POST['file_name'])) && ($_POST['file_name'] != "")) {
  $deleteSQL = sprintf("DELETE FROM image_carousel WHERE image_name=%s",
                       GetSQLValueString($_POST['file_name'], "text"));

  mysql_select_db($database_attibfn, $attibfn);
  $Result1 = mysql_query($deleteSQL, $attibfn) or die(mysql_error());

  unlink('/path/'.$_POST['file_name']); // remove the image
}

3 Comments

Where and how should I place it in my statement?
DO NOT trust user input blindly like this. It is a HUGE security vulnerability. If you followed this answer, you could realistically delete any file on the system this script is running on that the user running the script has permissions to delete.
I know, but he doesn't care about it right now, he wants to know WHERE to put that thing xD
