Unable to delete images from directory created by PHP. PHP issue vs apache security issue

Dani235lCronk
July 18, 2018
218 views
0 votes
2 Answers

I’ve written code for referring providers to upload images and documents to our site during the referral process. The script works, the directory is created, the image is renamed and uploaded. My issue is that I cannot physically delete the files (using Filezilla and Dreamweaver).

Could this be an issue with the script or would this be an issue with something in Apache setup?

I had thought to try and add something like this but it uploads the file but the $img_file does not get copied to the database and when I view the chmod settings for the image they’re set at 644, so clearly the below snippet isn’t working as expected.

       // rename uploaded file
        $img_file = chmod("$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '_' . rand(1000000000,1000000000000).".".$imgExt", 755);

Note: I know that there are two portions to the script, 1 with this and 1 without. I’ve tried it both ways.

I am not able to change the chmod settings in Filezilla, which leads me to believe that there is maybe something with the Apache settings?

My script is:

<?PHP
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli("xxx", "xxx", "xxx", "xxx");
$mysqli->set_charset("utf8");
$mysqli->query("SET NAMES 'utf8'");

if (mysqli_connect_error()) { echo mysqli_connect_error(); exit; }

// check to make sure the form was submitted 
if (isset($_POST['Upload'])){

// derm form ID 
if(isset($_POST['dermdvmID']))
   {
    $id = $_POST["dermdvmID"];
   }    
else {
    $id = NULL;
 }  

// PA or Case Number    
if(isset($_POST['UMNCaseNo']))
   {
    $UMNCaseNo = $_POST["UMNCaseNo"];
   }    
else {
    $UMNCaseNo = $_POST["dermdvmID"];
 }

// Client Name  
if(isset($_POST['ClientName']))
   {
    $ClientName = $_POST["ClientName"];
   }    
else {
    $ClientName = NULL;
 }  

// Patient Name 
if(isset($_POST['Pet_Name']))
   {
    $Pet_Name = $_POST["Pet_Name"];
   }    
else {
    $Pet_Name = NULL;
 }      

      // Image File Information
      $imgFile = $_FILES['file']['name'];
      $tmp_dir = $_FILES['file']['tmp_name'];
      $imgSize = $_FILES['file']['size'];

      // Upload to Directory
      $upload_dir = '/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/'; // upload directory

      // Check to see if the Directory already exists. If not, create the directory and give settings 0777
       if (!is_dir('/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/')) {
        mkdir('/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/', 0777, TRUE);

       }

       // Get file extension
       $imgExt = strtolower(pathinfo($imgFile,PATHINFO_EXTENSION)); // get file extension

       // valid file extensions
       $valid_extensions = array('jpeg', 'jpg', 'png', 'gif', 'tif', 'bmp', 'dicom', 'dcm', 'pdf', 'doc', 'docx', 'xls', 'xlsx' ); // valid extensions

       // rename uploaded file
        $img_file = chmod("$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '_' . rand(1000000000,1000000000000).".".$imgExt", 755);        

       // allow valid file formats
       if(in_array($imgExt, $valid_extensions)){   
        // Check file size '15MB'
        if($imgSize < 1500000)    {
         move_uploaded_file($tmp_dir,$upload_dir.$img_file);
        }
        else{
         $errMSG = "Sorry, the file you are trying to upload is too large.";
        }
       }
       else{
        $errMSG = "Sorry, only JPG, JPEG, PNG, TIFF, GIF, BMP, DICOM, PDF, DOC, DOCX, TXT, XLS, & XLSX files are allowed.";  
       }

$sql = "INSERT INTO tbl_dermatology_rdvm_attachments (dermformID, UMNCaseNo, ClientName, PatientName, file, original_filename, date_uploaded) VALUES (?,?,?,?,?,?, NOW())";

$stmt = $mysqli->prepare($sql);
$stmt->bind_param("ssssss", $id, $UMNCaseNo, $ClientName, $Pet_Name, $img_file, $imgFile ); // bind variables

if ($stmt->execute()){

        $attachID = $stmt->insert_id;

        header('Location: the link goes here', 
            TRUE, // rewrite existing Location header
            302  // set status code 
                   );
    }

 else {
        echo "Something went wrong with the upload. Please try again.";

  $stmt->close();

} 
     }

// check to make sure the form was submitted for upload a new image
if (isset($_POST['Upload2'])){

// derm form ID 
if(isset($_POST['dermdvmID']))
   {
    $id = $_POST["dermdvmID"];
   }    
else {
    $id = NULL;
 }  

// PA or Case Number    
if(isset($_POST['UMNCaseNo']))
   {
    $UMNCaseNo = $_POST["UMNCaseNo"];
   }    
else {
    $UMNCaseNo = $_POST["dermdvmID"];
 }

// Client Name  
if(isset($_POST['ClientName']))
   {
    $ClientName = $_POST["ClientName"];
   }    
else {
    $ClientName = NULL;
 }  

// Patient Name 
if(isset($_POST['Pet_Name']))
   {
    $Pet_Name = $_POST["Pet_Name"];
   }    
else {
    $Pet_Name = NULL;
 }      

      // Image File Information
      $imgFile = $_FILES['file']['name'];
      $tmp_dir = $_FILES['file']['tmp_name'];
      $imgSize = $_FILES['file']['size'];

      $upload_dir = '/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/'; // upload directory

       if (!is_dir('/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/')) {
            mkdir('/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/', 0777, TRUE);
       }

       $imgExt = strtolower(pathinfo($imgFile,PATHINFO_EXTENSION)); // get file extension

       // valid image extensions
       $valid_extensions = array('jpeg', 'jpg', 'png', 'gif', 'tif', 'bmp', 'dicom', 'dcm', 'pdf', 'doc', 'docx', 'xls', 'xlsx' ); // valid extensions

       // rename uploading image
        $img_file = $UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '_' . rand(1000000000,1000000000000) . ".".$imgExt;    

       // allow valid image file formats
       if(in_array($imgExt, $valid_extensions)){  

        // Check file size '15MB'
        if($imgSize < 1500000)    {
         move_uploaded_file($tmp_dir,$upload_dir.$img_file);
        }
        else{
         $errMSG = "Sorry, the file you are trying to upload is too large.";
        }
       }
       else{
        $errMSG = "Sorry, only JPG, JPEG, PNG, TIFF, GIF, BMP, DICOM, PDF, DOC, DOCX, TXT, XLS, & XLSX files are allowed.";  
       }

$sql = "INSERT INTO tbl_dermatology_rdvm_attachments (dermformID, UMNCaseNo, ClientName, PatientName, file, original_filename, date_uploaded) VALUES (?,?,?,?,?,?, NOW())";

$stmt = $mysqli->prepare($sql);
$stmt->bind_param("ssssss", $id, $UMNCaseNo, $ClientName, $Pet_Name, $img_file, $imgFile ); // bind variables

if ($stmt->execute()){
        // derm form ID 
        if(isset($_POST['dermdvmID']))
           {
            $id = $_POST["dermdvmID"];
           }    
        else {
            $id = NULL;
         }  

        header('Location: https://URL/public/dermatology/rdvm_upload_form_success.php?id='. $id,
      TRUE, // rewrite existing Location header
            302  // set status code 
      );
    }

 else {

        echo "Something went wrong with the upload. Please try again.";

  $stmt->close();

} 
     }

?>

Answers

Chosen as BEST ANSWER
- Dani235lCronk
- July 19, 2018 at 1:49 pm
- 0 votes
0
Adding the following code resolved my issue:
```
$oldmask = umask(0);

mkdir('/xx/xx/xx/xx/public/dermatology/files/' .$UMNCaseNo . '_' .$Pet_Name . '_' .$ClientName . '/', 0777, TRUE);

umask($oldmask);
```

(Edit)

- Joshua
- July 18, 2018 at 2:39 am
- 0 votes
0
Depending on who you use, your FTP user, (eg ftp) may not have permissions to edit/delete files created by the Web user, eg Apache is run by user httpd and ftp may not be part of the group/supercede user httpd.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.