从网址直接访问保护PDF文档 [英] Protect PDF docs from being directly accessed in URL

问题描述

我要保护一个PDF文件被直接挂钩，而是有我登录的用户才能访问它。我目前进入到一个JavaScript函数的职位一种形式的链接：      $（'nameofdoc'）的SetProperty（'值'，DOC）。      的document.getElementById（'sendme）提交（）;

I want to protect a pdf file from being directly linked but instead have my logged in users be able to access it. I have a link which currently goes to a javascript function which posts a form: $('nameofdoc').setProperty('value',doc); document.getElementById('sendme').submit();

在这里sendme是形式的名称和nameof DOC我想要显示的文档的索引。

where sendme is the name of the form and nameof doc the index of the document I want to display.

这则进入到PHP文件：

This then goes to a php file:

 $docpath = $holdingArray[0].$holdingArray[1];

 $file = $holdingArray[0]; //file name
 $filename = $holdingArray[1]; //path to the file]
 header( 'Location:'.$docpath ) ;
 header('Content-type: application/pdf');
 header('Content-Disposition: attachment; filename="'.$filename  . '"');
 readfile($filename)

这一切工作正常，它加载了文件，输出的PDF。我不能做的是保护目录的直接链接 - 即www.mydomain.com/pathToPdf/pdfname.pdf

This all works fine it loads up the file and outputs the pdf. What I can't do is protect the directory from direct linking - ie www.mydomain.com/pathToPdf/pdfname.pdf

我想过使用的.htaccess保护的目录，但它是一个共享的主机，所以我不能确定安全反正当我尝试，我不能让它的工作。

I've thought of using .htaccess to protect the directory but it's on a shared host so I'm not sure about the security and anyway when I've tried I can't get it to work.

任何帮助将是巨大的，因为这是试图解决这一问题我的第四天。

Any help would be great since this is my fourth day of trying to fix this.

感谢

更新

我有很大的帮助谢谢你，但我还没有应用。

I've had a lot of help thank you but I'm not quite there yet.

我有一个.htaccess文件，现在启动时，PDF是从目录请求另一个PHP文件：

I've got an .htaccess file that now launches another php file when a pdf is requested from the directory:

 RewriteEngine on
 RewriteRule ^(.*).(pdf)$ fileopen.php

在fileopen.php文件lauches它无法打开PDF

When the fileopen.php file lauches it fails to open the pdf

 $path = $_SERVER['REQUEST_URI'];
 $paths = explode('/', $path);
 $lastIndex = count($paths) - 1;
 $fileName = $paths[$lastIndex]; 

 $file = basename($path);

 $filepath = $path;

 if (file_exists($file)) {
     header( 'Location: http://www.mydomain.com'.$path ) ;
     header("Content-type: application/pdf");
     header("Content-Disposition: attachment; filename=".$file);
     readfile($filepath);

 }else{
     echo "file not found using path ".$path." and file is ".$file;
 }

的输出是 使用路径/documents/6/Doc1.pdf和文件未找到文件是Doc1.pdf

The output is file not found using path /documents/6/Doc1.pdf and file is Doc1.pdf

但该文件确实存在，并且是该direcotry - 任何想法??

but the file does exist and is in that direcotry - any ideas??

好吧，我很高兴向大家报告，雅罗斯拉夫真的帮我整理出来的问题。他的方法效果很好，但它是棘手的所有目录的东西一字排开。最后，我花了几个小时播放有关与组合来得到它的工作，但原理他给了效果很好。谢谢

OKAY I'm happy to report that Jaroslav really helped me sort out the issue. His method works well but it is tricky to get all the directory stuff lined up. In the end I spent a few hours playing about with combinations to get it working but the principle he gave works well. Thanks

推荐答案

最好的办法是，以保护文件夹htaccess的，正如你所提到的。所以你把PDF /文件夹中所有的PDF文件，并​​在同一个PDF文件夹中了.htaccess文件：

The best way would be to protect that folder with htaccess, as you have mentioned. So you put all PDFs in pdf/ folder, and in the same pdf folder you out .htaccess file:

RewriteEngine on
RewriteRule .* your-php-script.php

现在没有文件可以通过URL此文件夹中访问。每个请求的每个文件此文件夹中会返回你的-PHP-script.php的脚本返回。在您的-PHP-script.php的，你做这样的事情：

Now no files can be accessed by url in this folder. Every request to every file in this folder will return what your-php-script.php script returns. In your-php-script.php you do something like this:

//Check if user has right to access the file. If no, show access denied and exit the script.
$path = $_SERVER['REQUEST_URI'];
$paths = explode('/', path);
$lastIndex = count($paths) - 1;
$fileName = $paths[$lastIndex]; // Maybe add some code to detect subfolder if you have them
// Check if that file exists, if no show some error message
// Output headers here
readfile($filename);

现在，如果用户打开domain.com/pdf/nsa-secrets.pdf Apache将运行-PHP-script.php的。脚本将变量$ _ SERVER ['REQUEST_URI']设置为domain.com/pdf/nsa-secrets.pdf。你把它输出的最后部分（文件名）和用户（或没有）。

Now if user opens domain.com/pdf/nsa-secrets.pdf Apache will run your-php-script.php. Script will have variable $_SERVER['REQUEST_URI'] set to "domain.com/pdf/nsa-secrets.pdf". You take the last part (filename) and output it to a user (or not).

这将阻止任何人通过了解URL从互联网直接访问文件。如果有人直接访问服务器上的文件，这不会阻止他们。在另一方面，我认为，任何共享的主机阻止用户获得其他用户的文件。只有这样，才能做到这一点是破解服务器以某种方式。但后来我们变得非常偏执，如果可能的情况下给你，你不应该使用共享主机摆在首位。

This will stop anyone from accessing files directly from the internet by knowing URL. If someone has direct access to files on your server, that will not stop them. On the other hand, I think any shared hosting stops users from getting files of other clients. Only way to do it is to hack the server in some way. But then we are getting very paranoid and if that may be a case for you, you shouldn't use shared hosting in the first place.

如果你不能让htaccess的工作，你可以尝试进行模糊处理的文件，所以这将是很难发现他们外面有人。例如从mySecretData.pdf更改文件djjsdmdkjeksm.pdf。这可能有助于一点点。

If you cannot make htaccess work, you can try to obfuscate files, so it would be difficult to spot them for someone outside. For example change file from mySecretData.pdf to djjsdmdkjeksm.pdf. This may help a little bit.

这篇关于从网址直接访问保护PDF文档的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！