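<?php
// removeFiles.php — POST endpoint that recursively deletes /tmp/<formid>/<folder>/.
//
// NOTE(review): no authentication, authorisation or CSRF check is visible in this
// file. As written, anyone who can POST here can remove any /tmp/<formid>/<folder>
// tree, so the includer (or a front controller) must gate access — confirm.
// /tmp is normally world-writable, so a local user can also pre-create
// /tmp/<formid> themselves; the check below only guarantees that what gets
// deleted really lives at that path.
//
// Both parameters are untrusted. injection() strips a denylist of characters
// (notably '/' and a few percent-encoded forms) but does NOT remove '.', so a
// value such as ".." survives and "/tmp/../etc/" would have resolved to "/etc".
// The original guard, `stripos(__DIR__, $path) != 0`, searched for the target
// inside __DIR__ (haystack/needle reversed) and compared with loose `!=`, so its
// usual result of false compared equal to 0 and the check never rejected anything.
// The replacement requires the fully resolved target to be exactly
// /tmp/<formid>/<folder>, which rejects traversal, empty or "." segments and
// symlinks pointing elsewhere in one comparison.
//
// Behavioural change: a request with "formid" but no "folder" previously did
// nothing silently; it is now reported like a missing "formid".
if (!isset($_POST["formid"]) || !isset($_POST["folder"])) {
    exit("Please check the post method");
}

$formid = injection($_POST["formid"]);
$folder = injection($_POST["folder"]);

// Resolve the sandbox root once; where /tmp is itself a symlink (e.g. /private/tmp)
// this keeps $base and $real in the same canonical form.
$base = realpath(DIRECTORY_SEPARATOR . "tmp");
$path = DIRECTORY_SEPARATOR . "tmp" . DIRECTORY_SEPARATOR . $formid . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR;
$real = realpath($path);

if ($base === false || $real === false) {
    exit("Please check the file path");
}

// realpath() collapses "." and "..", drops empty segments and follows symlinks, so
// the resolved path equals the literal expected path only when both segments are
// plain, existing directory names directly below /tmp.
$expected = $base . DIRECTORY_SEPARATOR . $formid . DIRECTORY_SEPARATOR . $folder;
if ($real !== $expected || !is_dir($real)) {
    exit("Please check the file path");
}

// Pass the resolved directory with the trailing separator delete_files() expects.
delete_files($real . DIRECTORY_SEPARATOR);
return true;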
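// Recursively delete $target (a file, a symlink, or a directory and everything
// below it). Directory targets are normally passed with a trailing
// DIRECTORY_SEPARATOR, as the caller does with "/tmp/<formid>/<folder>/".
//
// Fixes relative to the original glob()-based version:
//  * glob("$target*") never matches dot-files, so a directory containing a
//    hidden entry was left behind and rmdir() emitted a warning.
//  * Without a trailing separator, glob("$target*") matched *siblings* of the
//    target ("/tmp/a" globbed "/tmp/a*"); entries are now listed from $target only.
//  * is_dir() follows symlinks, so a link inside the tree pointing at a directory
//    elsewhere had that directory's contents deleted and the link itself never
//    removed. Links (including dangling ones) are now unlinked, never followed.
//  * "" and the filesystem root are refused instead of being walked.
// A missing target is a no-op; unlink()/rmdir() failures still surface as PHP
// warnings, as before.
//
// @param string $target path to remove
function delete_files($target)
{
    // Normalise away a trailing separator so "$node/child" is well formed.
    $node = rtrim($target, DIRECTORY_SEPARATOR);
    if ($node === '') {
        // $target was "" or the root directory — refuse rather than recurse.
        return;
    }

    // Check is_link() first: is_file()/is_dir() would report on the link target.
    if (is_link($node) || is_file($node)) {
        unlink($node);
        return;
    }

    if (!is_dir($node)) {
        return;
    }

    // scandir() includes dot-files (unlike glob("*")); skip only "." and "..".
    $entries = scandir($node);
    if ($entries === false) {
        return;
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        delete_files($node . DIRECTORY_SEPARATOR . $entry);
    }
    rmdir($node);
}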
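// Denylist "sanitiser" applied to POST values before they become path segments.
// Every substring in $bad is replaced with a single space and the literal "4647"
// is dropped, repeating until the string stops changing so that a token that only
// appears after an earlier replacement (e.g. "46464747" -> "4647") is removed too.
// The meaning of "4647" is not documented; the commented-out '46'/'47' entries
// suggest it was meant to cover the decimal codes of '.' and '/' — left as found.
//
// SECURITY NOTE: this is a denylist, not a validator. It does not touch '.', '\',
// NUL bytes or non-ASCII, so ".." passes through unchanged. Callers must not treat
// the result as a safe path segment without resolving and checking the final path.
//
// Changes from the original:
//  * the "4647" removal was guarded by `if (stripos($str, '4647'))`, which is
//    false for a match at offset 0, so a leading "4647" was never removed;
//  * token matching is now case-insensitive (str_ireplace) so "%3C" is treated
//    like "%3c" — the list mixed cases ('%2F' vs '%3c') and percent-encoding is
//    case-insensitive;
//  * a non-scalar value (e.g. "formid[]=x") returns '' instead of being passed to
//    str_replace()/stripos() as an array.
//
// @param mixed  $str raw input value
// @return string     the filtered value (spaces stand where tokens were removed)
function injection($str)
{
    if (!is_scalar($str)) {
        return '';
    }
    $str = (string) $str;

    $bad = array(
        '<!--', '-->',
        "'", '"',
        '<', '>',
        '&', '$',
        '=',
        ';',
        '?',
        '/',
        '!',
        '#',
        '%20', //space
        '%22', // "
        '%3c', // <
        '%253c', // <
        '%3e', // >
        '%0e', // >
        '%28', // (
        '%29', // )
        '%2528', // (
        '%26', // &
        '%24', // $
        '%3f', // ?
        '%3b', // ;
        '%3d', // =
        '%2F', // /
        '%2E', // .
        // '46', // .
        // '47' // /
    );

    do {
        $old = $str;
        $str = str_ireplace($bad, ' ', $str);
        // str_replace() is a no-op when the needle is absent, so no guard needed.
        $str = str_replace('4647', '', $str);
    } while ($old !== $str);

    return $str;
}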