Upload sure, but what about delete?


jbroder
03-01-2000, 02:19 PM
Ok,
I have my file upload script working and my users are merrily uploading files to their own personal directory. Now I want them to be able to delete unwanted uploads, but I'm worried about security.

I could easily allow deletes with perl:
`mv $filename ~/trash`

But that is probably a really bad idea. Besides, I would like to stick with php as much as possible.

Or I could make it look like a user delete, but really just log a delete request and then delete the file myself.

Does anyone have some experience or advice about this?

Related question: under php security provisions at futurequest, can we write to a file (not mysql, a file) on the server at all?

Thanks,
Jon

Justin
03-01-2000, 03:10 PM
I don't really know what to suggest for the first question... however:

"Related question: under php security provisions at futurequest, can we write to a file (not mysql, a file) on the server at all?"

As long as PHP (aka "apache") has permission to write to a file, there should not be a problem. Note that to delete a file, you have to have permission to write to the directory, *not* the file. When deleting (or creating) a file, you are writing to the directory, not the file :)

Hope this helps.

------------------
Justin Nelson
FutureQuest (http://www.FutureQuest.net/index.php) Support

jbroder
03-01-2000, 03:48 PM
If I understand correctly:
I could create a log file: "FilesToBeDeleted.txt"
and give it permissions that allow php to write to it.

When the user 'deletes' a file, it will really just write
to a log file:
$user:$FileToBeDeleted:$IP:$timestamp:$whatever

Then I modify the directory scanning script to read this file and pretend that a file is gone if it is listed on FilesToBeDeleted.txt.

Then, at my leisure, I delete the file myself.

This way, users never get real delete authority.

Any obvious and avoidable dangers here?

Jon
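
The delete-request log described in the post above, sketched as an added example (not code from the thread or from FutureQuest). The function names, the log location and the percent-encoding of fields are assumptions, and it assumes PHP 7 or later; the points it illustrates are rejecting names that leave the user's directory and keeping `:` or newlines in a field from forging log records.

```php
<?php
// Added example: names, paths and field encoding are assumptions, not from the thread.
const DELETE_LOG = __DIR__ . '/FilesToBeDeleted.txt';

// Record a delete request. Returns false when the name is rejected.
function request_delete(string $userDir, string $user, string $name, string $ip): bool
{
    // Accept a bare file name only: no path separators, NUL, "." or "..".
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)
        || strpos($name, "\0") !== false || strpos($name, '\\') !== false) {
        return false;
    }
    // Resolve symlinks; the target must be a regular file directly in the user's directory.
    $base = realpath($userDir);
    $path = realpath($userDir . '/' . $name);
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return false;
    }
    // rawurlencode() stops ':' or a newline inside a field from splitting or forging records.
    $fields = [$user, $name, $ip, (string) time()];
    $line = implode(':', array_map('rawurlencode', $fields)) . "\n";
    return file_put_contents(DELETE_LOG, $line, FILE_APPEND | LOCK_EX) !== false;
}

// File names this user has asked to delete, as a set keyed by name.
function pending_deletes(string $user): array
{
    $pending = [];
    if (!is_readable(DELETE_LOG)) {
        return $pending;
    }
    foreach (file(DELETE_LOG, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $f = array_map('rawurldecode', explode(':', $line));
        if (count($f) === 4 && $f[0] === $user) {   // skip malformed records
            $pending[$f[1]] = true;
        }
    }
    return $pending;
}

// Directory listing with pending deletes hidden from the user.
function visible_files(string $userDir, string $user): array
{
    $hidden = pending_deletes($user);
    $out = [];
    foreach (scandir($userDir) ?: [] as $name) {
        if (is_file($userDir . '/' . $name) && !isset($hidden[$name])) {
            $out[] = $name;
        }
    }
    return $out;
}
```

Whatever later removes the files should repeat the same `realpath` check on each logged name, since the directory contents can change between the request and the actual delete.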