Delete Child Node From XML File

[hobbiton73]

I wonder whether someone may be able to help me please. This script below is called upon a button click from one of my HTML pages and it's purpose is to delete images stored on my server and the associated child node from a XML file.

<?phpif (!empty($_POST)) {	$image = $_POST['image']; 	if (file_exists($image)) {		unlink($image);	} 	$doc = new DOMDocument;	$doc->load('UploadedFiles/' . '1' . '/' . '1' . '/' . 'files.xml');   	// iterate over all tags named <file>	$list = $doc->getElementsByTagName('file');	foreach ($list as $domElement) {		// check whether attribute 'source' equals $image		if ($domElement->getAttribute('source') == $image) {			// remove the node			$domElement->parentNode->removeChild($domElement);		}	} 	echo $doc->saveXML();}?>

The problem I'm having is that I can delete the physical image, but I'm unable to delete the node from the XML file. I know that the file path is correct because I've used a XPath 'search for' script and I can successfully see the contents of the file. So I know that this isn't the issue. In addition to the above, I've also tried the following:

<?php if (!empty($_POST)) {$image = $_POST['image']; if (file_exists($image)) {unlink($image);}} $searchString = 'image'; $doc = new DOMDocument;$doc->preserveWhiteSpace = FALSE;$doc->load('UploadedFiles/' . '1' . '/' . '1' . '/' . 'files.xml');  $xPath = new DOMXPath($doc);$query = sprintf('//files[./source[contains(., "%s")]]', $searchString);foreach($xPath->query() as $node) {$node->parentNode->removeChild($node);}$doc->formatOutput = TRUE;echo $doc->saveXML();?>

This is an extract of my XML file: <?xml version="1.0" encoding="utf-8" ?>- <files><file name="AC-0003749.jpg" source="AC-0003749.jpg" size="3873" originalname="AC-0003749.jpg" description="No description provided" userid="1" locationid="1" /></files> Unfortunately this doesn't delete the node either. I've been working on this for quite some time and I'm not really sure what to do next. i just wondered whether someone may be able to look at this please and let me know where I'm going wrong. Many thanks and regards

Edited May 17, 2012 by hobbiton73

[justsomeguy]

Where is the code going wrong? Is it not finding the node in the file? Have you checked for that? Also, there's a major security issue here:

$image = $_POST['image'];if (file_exists($image)) {   unlink($image); }

People can use that script to delete any file on your server that PHP has access to, that's not a good thing. You should be validating that filename to make sure it's a file that they should be allowed to delete.

[hobbiton73]

Hi, many thanks for taking the time to reply to my post. If I'm honest, I very new to PHP and XML, so I'm not sure where the problem is. I don't receive any specific eror message. I know that the file is there, I suspect that it's not reading it. I've added an extract of my xml file in my original post. In respect of the security, that's dealt with by the form which initiates the delete sequence. A user can only see their own images. Kind regards

[justsomeguy]

If it's not able to read the file then that would be an error. Add this to the top of your code to make sure it's showing you all error messages: ini_set('display_errors', 1);ini_set('html_errors', 1);error_reporting(E_ALL);

In respect of the security, that's dealt with by the form which initiates the delete sequence. A user can only see their own images.

That's not security. I can use any number of tools to create my own post request to any page on your server with any data I want, I don't need to use your form. If I make a post request to that PHP script and pass a parameter called "image" that is set to "/etc/passwd", and if PHP has access to that file (which it probably wouldn't, but just an example), then it's going to delete it and screw up your server.

[hobbiton73]

Hi, thank you for replying so quickly. I've added the code to the top of my script. Please forgive me for asking, I'm a real beginner at this, (you can probably tell) but I don't receive any errors once I've selected my image to delete. The physical image is deleted from the server with the associated child node still present in the XML file. Could you perhaps please explain whether there is another to check this. I also appreciate your comments re. the security. Another beginners mistake. I'll need to take a look at this. Many thanks and kind regards

[justsomeguy]

The next step would be adding statements to have that code tell you what it's doing. e.g.:

if (!empty($_POST)) {		$image = $_POST['image']; 		if (file_exists($image)) {				echo 'deleting ' . $image . '<br>';				unlink($image);		} 		$doc = new DOMDocument;		echo 'opening ' . 'UploadedFiles/' . '1' . '/' . '1' . '/' . 'files.xml' . '<br>';		$doc->load('UploadedFiles/' . '1' . '/' . '1' . '/' . 'files.xml'); 		// iterate over all tags named <file>		$list = $doc->getElementsByTagName('file');		echo 'got ' . count($list) . ' file tags<br>';		foreach ($list as $domElement) {				echo 'checking ' . $domElement->getAttribute('source') . '<br>';				// check whether attribute 'source' equals $image				if ($domElement->getAttribute('source') == $image) {						// remove the node						echo 'found match, removing node<br>';						$domElement->parentNode->removeChild($domElement);				}		} 		echo $doc->saveXML();}

Note that the saveXML method only returns a string, it does not update the file. You need to either get that string and write it back to the file, or the save method will save it to a file. http://www.php.net/m...cument.save.php

[Guest So Called]

$image = $_POST['image']; // possible debug code:// echo('image = ' . $image)// $image = 'filename.ext'; if (file_exists($image)) {   unlink($image);}

If this doesn't work, how about putting in an echo('image = ' . $image) to see what it's trying to delete? And how about trying unlink('filename.ext') ? And how about trying $image = 'filename.ext' just before the if? As far as form security, keep on mind that an attacker can write their own form with anything they want and put it on their own server, and specify action="your_site.com" to get his form to be processed by your form processor. You have to filter everything that is submitted on the form.

Edited May 17, 2012 by So Called

[hobbiton73]

Hi both. Thnak you to both of you for taking the time tio help me with this. After quite a bit of work, and some invaluable help from a family member I now have a working solution. The main reason why I couldn't get the variables to work is that the 'image' value being pulled from the gallery page, was actually the whole fielpath and not just the filename, so I've had to strip out the filename using a 'basename' command. Kind regards