Msg#: 4417690 posted 2:05 pm on Feb 15, 2012 (gmt 0)
be very careful when using the value of $_GET['file'] to unlink something.
If you loosen up the file permissions enough to allow PHP to delete arbitrary files, then a malicious user could unlink things you don't want unlinked. Protecting against that won't be trivial; you'll likely need to go deep into file ownership and permissions.
I assume you probably need to look at the file ownership. PHP doesn't have permission to unlink a file unless it's owned by the PHP user, which is sometimes "www-data", or sometimes something else. it depends on your server config and what flavour of Linux you're using.