Unlink .XML file on submit

Question

I've asked this question before but approached a different solution/version thanks to this.

To grant some insight on the webapplication, I'll quote it here:

As for an assignment I created a filter that modifies a Config that's connected to an API which prints out Order files. The web application has the option to save the modified Orderlist with a date and number added to it.

The output of the modified order list:

Order 25-01-21 Versie 1.xml
Order 26-01-21 Versie 1.xml
Order 26-01-21 Versie 2.xml
Order 26-01-21 Versie 3.xml
Order 26-01-21 Versie 4.xml

I've been asked to add a tool that allows him to delete a file, if he wishes to. With some struggling, looking around and an amazing approach that's been given in the question I asked before I came to this:

<?php
$dir    = '..\api-ivolved\s_orderlist';
$ar=glob($dir); // Change this input 
foreach(glob("*.xml") as $filename) {
    echo "<input type=\"checkbox\" name=\"files[]\" value=".$filename."/>" . htmlspecialchars($filename) . "<br />"; }

if (isset($_GET['delete'])){

    // Make sure files are checked/marked for deletion. 
    if (!empty($_GET['files[]'])) {
 
        // Loop through each file and delete
        foreach ($_GET['files[]'] as $file) {
            unlink($file);      
        } 
    }
 }
?>

<form class="deleteFile" method="get" enctype="multipart/form-data">
<br />
<strong> Delete checked files? </strong> <input type="checkbox" name="delete" value="1"/><br/>
<input type="submit" id="delete" value="Delete file"/> 
</form>

Now the issue is that after I check a file checkbox and confirmation to delete the file, the document still remains in the folder. Can someone point out or give me an example how I can fix this issue?

`$_GET['files']` doesn't exist. There's no `name="files"` in your form. (There's probably at least one _outside_ your form, judging by your echo statements. Fields outside forms aren't submitted...) — ADyson, Jan 27 '21 at 10:20
P.S. `enctype="multipart/form-data"` isn't necessary when you aren't uploading files. — ADyson, Jan 27 '21 at 10:22
@ADyson And thank you for the notice! I still had the enctype added from my previous attempt where I had a input file, so I'll be removing that. C: — Talon, Jan 27 '21 at 10:25
What do you mean `even adding that` exactly? It should still be `$_GET['files']` on the PHP side...because it's an array. Like I said, the main problem is that the inputs are _outside your form_. They need to be echoed _within the `
` tag_ — ADyson, Jan 27 '21 at 10:32
Right, that does make sense. Do I echo the form with the same name or... how do I add it to the form? — Talon, Jan 27 '21 at 10:35
You literally just move the checkboxes inside the form tag, the same as your other fields are. That's all. I've posted an answer below, for clarity, with a couple of other improvements as well. — ADyson, Jan 27 '21 at 10:38

ADyson · Accepted Answer · 2021-01-27T10:45:51.353

The main problem here is that your files checkboxes are outside your <form>. Fields outside a <form> in HTML aren't submitted by the browser. (There is a way around that in HTML5 but it wouldn't really be necessary here.)

Also, semantically and practically it would make more sense to do this using POST. And on the PHP side you should still be searching the POST array for files not files[].

Here's a version which should work better:

<?php
if (isset($_POST['delete'])){

    // Make sure files are checked/marked for deletion. 
    if (!empty($_POST['files'])) {
 
        // Loop through each file and delete
        foreach ($_POST['files'] as $file) {
            unlink($file);      
        } 
    }
 }
?>

<form class="deleteFile" method="post">

    <?php
    $dir = '..\api-ivolved\s_orderlist';
    $ar = glob($dir); // Change this input 

    foreach(glob("*.xml") as $filename) {
        echo "<input type=\"checkbox\" name=\"files[]\" value=\"$filename\"/>" . htmlspecialchars($filename) . "<br />"; 
    }
    ?>

    <br />
    <strong> Delete checked files? </strong> 
    <input type="checkbox" name="delete" value="1"/>
    <br/>
    <input type="submit" id="delete" value="Delete file"/> 
</form>

P.S. Make sure you have watertight security on this because a bot or a malicious user could cause havoc with such a feature, where the client can specify the full path of any file to delete. The form should be protected by authentication, and the webserver should only have permission to delete files from the exact locations you want to allow.

It still shows this problem sadly `Warning: unlink(Order): No such file or directory in C:\xampp\htdocs\php-api\api-ivolved\s_orderlist\testTest.php` - But your fix has definitely showed some result, I just don't know how I can fix this problem — Talon, Jan 27 '21 at 10:51
Ok so that shows it's processing the results. Just maybe the content of what's submitted isn't right. You need to check what exact value is being submitted and placed in `$file` then, and see if that path really exists in your computer or not. As a simple test put `var_dump($file);` inside the `foreach ($_POST['files'] as $file) {` loop and see what it prints. — ADyson, Jan 27 '21 at 10:56
P.S. Did you note carefully the change I made to your `echo " — ADyson, Jan 27 '21 at 10:57

Unlink .XML file on submit

1 Answers1