Danny 🎠 6 days ago
I LOVE THE NEW DESIGN SO MUCH AAAAAAAAAAH
nick 🤞 6 days ago
the new designs are finally here! still a few rough edges here and there, but we'll smooth them out. if you spot any bugs, tell us <3

Deleting folders using PHP

Written by nick • 26.05.2025
#deletingfolders

PHP lets you delete folders using the rmdir() function. It's simple, but it only works on folders that are completely empty. If the folder contains any files or subfolders, you'll need to delete those first — we'll cover how to do that at the end of this tutorial.

1. Basic folder deletion

This is the most basic way to delete a folder in PHP:

<?php
rmdir('empty_folder');

This will delete the folder called empty_folder, but only if it exists and is empty. If the folder still contains anything, PHP will show a warning.

2. Add safety checks

It's important to check that the folder exists and really is a directory before trying to delete it:

<?php
$folder = 'empty_folder';

// Check if the folder exists and is a directory
if (is_dir($folder)) {
    // Try to delete the folder
    if (rmdir($folder)) {
        echo 'Folder deleted.';
    } else {
        echo 'Failed to delete folder.';
    }
} else {
    // Folder does not exist or is not a directory
    echo 'Folder does not exist or is not a directory.';
}

3. Best Practices

- Always check if a folder actually exists before trying to delete it.
- Be careful of directory traversal: attackers might try to use ../../ in the path to break out of the intended folder and delete something important.
- Use realpath() to resolve the actual filesystem path and make sure it's inside a known safe folder (like uploads/).
- Always check that you're deleting a folder, not a regular file.

4. Full example following best practices

Note: You only need this level of safety (like checking realpath()) if you're deleting files or folders based on user input — for example, from a URL like delete.php?folder=example. This protects against path traversal and accidental access to sensitive areas.

If you're only deleting files or folders that your own code controls and the paths are always safe, you can use the simpler version shown above. 👀

<?php
$folder = 'user_folder';

// Resolve base path to avoid path traversal
$realBase = realpath(__DIR__);
$realPath = realpath($folder);

// Ensure folder is within allowed path
if ($realPath && strpos($realPath, $realBase) === 0) {
    // Check if the folder exists and is a directory
    if (is_dir($realPath)) {
        // Try to delete the folder
        if (rmdir($realPath)) {
            echo 'Folder successfully deleted.';
        } else {
            echo 'Folder is not empty or could not be deleted.';
        }
    } else {
        echo 'Not a valid folder.';
    }
} else {
    // Folder is outside the allowed path or doesn't exist
    echo 'Invalid folder path.';
}

5. Bonus: Delete folders with content (recursively)

If a folder has files or subfolders inside, rmdir() won't work on its own. You need to delete everything inside it first. This function handles that for you:

<?php
function deleteFolderRecursive($path) {
    // Check if the folder exists and is a directory
    if (!is_dir($path)) return false;

    // Go through every file and subfolder
    $items = scandir($path);
    foreach ($items as $item) {
        if ($item === '.' || $item === '..') continue;

        $fullPath = $path . DIRECTORY_SEPARATOR . $item;
        if (is_dir($fullPath)) {
            deleteFolderRecursive($fullPath);
        } else {
            unlink($fullPath); 
        }
    }

    // Finally delete the now-empty folder
    return rmdir($path);
}

You can place it in a functions.php file and include that file wherever you need to use the function.

Here's how to use it in a basic situation, similar to earlier examples:

<?php
include('functions.php');

$folder = 'empty_folder';

// Check if the folder exists and is a directory
if (is_dir($folder)) {
    // Try to delete the folder (even if it has contents)
    if (deleteFolderRecursive($folder)) {
        echo 'Folder deleted.';
    } else {
        echo 'Failed to delete folder.';
    }
} else {
    echo 'Folder does not exist or is not a directory.';
}

Note: If you're deleting folders based on user input (like a URL parameter), you should use extra safety checks, like this:

<?php
include('functions.php');

$target = 'user_folder';

// Resolve base path to avoid path traversal
$realBase = realpath(__DIR__);
$realPath = realpath($target);

// Ensure folder is within allowed path
if ($realPath && strpos($realPath, $realBase) === 0) {
    if (is_dir($realPath)) {
        if (deleteFolderRecursive($realPath)) {
            echo 'Folder and all contents deleted.';
        } else {
            echo 'Failed to delete folder contents.';
        }
    } else {
        echo 'Not a valid folder.';
    }
} else {
    echo 'Invalid folder path.';
}

This version includes extra safety steps to protect against accidental deletion or directory traversal attacks when accepting paths from users.