Finding image file name and pass it to another page

Hi,
I have an admin area in my project that only the user who has admin privilege can access this page and edit site’s contents. One of those editing options is file delete option. An admin can see all the uploaded images as thumbnail and click on three dots above each of them and click on delete to delete it. I want to pass file name to a controller called delete.php. How can I find the file name associated to that specific image?
I load my thumbnails to admin page (image gallery project) by this code:

<div class="card-body">
   <div class="row"><img style="max-width: 100%;" src="<?php echo $root ?>/public/assets/uploadThumb/<?php echo $myrow['thumb'] ?>"></div>
</div>

Just pass the $myrow[‘thumb’] value to the controller as an argument. You can do that thru GET or even POST. And, in your controller that deletes, it can grab the thumb and delete it.

Seems like a lot of work to shell out the task to a second file. But, you can use GET to do that.

Thanks. I could retrieve the correct file name. I used this code for passing variable:

<a class="dropdown-item" href="<?php echo $root ?>/public/delete/index/?file=<?php echo $myrow['thumb'] ?>">Delete</a>

delete.php:

<?php
class Delete{
public function index($file){
$this->DeleteFile($file);
}
public function DeleteFile($file){
unlink("../public/assets/img/'$file'");
unlink("../public/assets/uploadThumb/'$file'");
}
}

I get this url address:
http://localhost/MyProject/public/delete/index/?file=f029lh1385.jpg

The following error is occured:

Fatal error : Uncaught ArgumentCountError: Too few arguments to function Delete

I use a router that can handle parameters. I changed my code:

<a class="dropdown-item" href="<?php echo $root ?>/public/delete/index/<?php echo $myrow['thumb'] ?>">Delete</a>

The error changed to this:

Warning : unlink(MyProject/public/assets/img/f029lh1385.jpg): No such file or directory in C:\xampp\htdocs\MyProject\app\controller\delete.php on line 10

Warning : unlink(MyProject/public/assets/uploadThumb/f029lh1385.jpg): No such file or directory in C:\xampp\htdocs\MyProject\app\controller\delete.php on line 11

The file address is correct but it gives error.

Well, first, I would not use HTML to show the file location. This could be a problem with hackers.
If you put the full address of the file location inside HTML, any viewer can see the address by looking
at the source of the page. Just have to right-click on the page and select view-source and it shows.
Any beginner hacker could then locate your folder that holds your files and delete all of them. Or, at the least, view and copy them all. Well, depending on how you set up the file permissions on that folder.

Next, you need to look at the URL you created, in this case:
MyProject/public/assets/img/f029lh1385.jpg
and see if that file actually exists. In your previous post, you talk about this URL:
localhost/MyProject/public/delete/index/?file=f029lh1385.jpg

These do not match up. You need to know where this file is, check if it exists, then delete it if it does exist. You can not delete a file that does not exist. You php code should check if it is there first.

My actual file is:
C:\xampp\htdocs\MyProject\public\assets\img\f029lh1385.jpg
I think I have entered the address correctly.
You said I should not use HTML to locate the file. What is the best way to do this task? What if I use SESSION to check admin in delete.php file?

Well, yes, the SESSION would be more secure. PHP can not be seen by the user. It stays on the server. You will never see the live PHP code in a displayed in the browser. So, if you use the SESSION, it is secure compared to using the full address of the file. But, you also are using a link not a button. Therefore, you need to still show the file you are calling. Again, not secure. Is there any special reason why you are using links to handle PHP processing? Why not just use forms/buttons/etc to handle the code?

If you use an anchor tag (link) in HTML < a href=… you expose where the process is sent to. It lets viewers of your page to see your filenames and where they are in your website. This is not a safe way to handle it. But, if you use a form that posts back to itself and then uses PHP on the server to deal with the button pressed, the user can not see where it goes. Normally, for deleting files, you would just do it in the PHP handler for the page. In the form tag just leave the action blank and it will post to itself. Then, check for buttons pressed and delete the file if requested. You do this before you display the data for the page. In this way the user can never see what is happening as it is on the server and therefore it is secure.

Of course, if this admin page has a solid log in with username and password and only you as the admin ever sees it, then perhaps this does not matter. Not sure if all this helps.

I checked and saw that the user can see direct address of my images through Inspect in Chrome. The following code that I use for reading images from MySQL, shows direct file addresses and anybody who knows that address can use that link to download it. Using SESSION can limit this but if an allowed user send those links to lots of people, they can download it even without signing up. I used .htaccess file in the image folder to prevent Indexing files. But how can I prevent direct file download?
The following code turns to a direct link:
<div class="row"><img style="max-width: 100%;" src="<?php echo $root ?>/public/assets/uploadThumb/<?php echo $myrow['thumb'] ?>"></div>

Well, there are many ways to protect files. One simple way is to change your permissions on the folder so that the public and not view the files. Then, have the website show them. This would force all viewers to use your website only when they want to view the files. On servers, folders can be set using permissions to allow the server to access the files, allow your programs to access the files and to allow everyone to access the files. The permissions can also be set to not allow deleting files, not to allow creation of files, etc.

You need to know the logic of what you are deciding to do with these files. If you want a user to be able to pass on links to images, you can’t protect them completely. You would need to set the permissions to allow viewing, not creating or deleting. If you want to force users to use your website to view them, you would set the permissions not to allow viewing, basically lock up the folder completely except for your PHP access to it from the server.

Since you are using links, you must want others to be able to pass the address around. Otherwise you would not use links, but, use buttons instead. You want to prevent direct file downloads, so, don’t use links. Use buttons to display the thumbs on your webpage. Then, lock up the folder to only allow access by your own code.

I searched and found the following code that is written in .htaccess file and it prevents image files from direct access:
Options -Indexes

#block access to image files - files with jpg/gif/png/jpeg extensions

<FilesMatch "\.(jpg|gif|png|jpeg)$">

Order Allow,Deny

Deny from all

</FilesMatch>

The problem is that my images cannot be loaded when I click on them (cannot be loaded even by code).
I use tag for reading images from MySql and img folder. How can I use button?? Do you mean that I should use thumbnails in tag and load full images an another page by pressing a button?

That denies all access to the files with certain extensions, but, you could just use the indexes instead like this: Options -Indexes
This would lock out everyone from the site from accessing it directly using a URL. PHP will still work with all the files. This does mean that you yourself can not access the files directly which makes it a little harder to debug.
OR, without using .htaccess, you can just change all of the folders to 750 using CHMOD command or your FTP client. This lets the owner and PHP execute files and use data files, but, does not let outside users use them. Either way should work.