Hi, first of all you need a server connect form with POST variables instead of how you are doing it currently with GET vars.
Using GET and onclick is not secure as using a form, and anybody can run the action and delete everything (as you said).
Check this video please: Delete Database Records it shows how to properly delete record.
In order to delete the related file - before the record delete step add:
-
database query (files table)
-
repeat (database query as expression)
- inside repeat add remove file step. You get the path/name from the repeat
-
database delete at the end, after repeat.