Getting private files or showing private images in an HTML page

Problem description

I wonder how to publish private user files, but in a way that only that user can access them. I mean, after logging in, there would be many files that only the logged-in user can access. For instance, an image collection, or maybe an mp3 file to play in an html5 player, or a pdf to download. But the point is that the logged-in user is the owner of the files and he is the only one who can get them.

My problem is that in the HTML code I need to provide a link in the image attribute, or a link in the html5 mp3 player, or a file link to download it. And this link has to point to a public directory so it can be accessed by everybody.

My question is: how do people implement that kind of security or functionality nowadays?

Another example. On Facebook, you have your own private images, and even if you give the full link of any private image to a friend, he cannot see it unless you tag that image as "public" or something like that.

Thanks so much guys!

====================== Possible solution =====================

I have been researching the ideas people gave me here, thanks guys... I did some tries; for instance, I went to Facebook and got the link of a private image of mine (by right-clicking over it and copying the image link...). I put that link in another browser after logging out of Facebook, and I can see the image in the browser, so the conclusion is that the file has to be public at the moment we access it. The other thing is that we hide the file name or something like that.

I propose to:

  • Users' files have to be in a folder which has a "unique reference" as its name that only the user himself can know. So by storing this reference in a database like a password ... you get the idea...

  • Sometimes, we will need to have "public files" with limited access. I mean, I want people to play an mp3 in the html5 player, or a video, but I don't want to let them download it. In these cases, we could:
    -- obfuscate the code, making it very hard to find the full link
    -- ¿ ?

============== Please give more ideas so I can summarize everything =========

Thanks to: -icecub -Darren H -Rohit Gupta
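The behaviour observed above (a private image link that still works in another browser after logging out) is what you get when the link itself is a short-lived, signed capability rather than a path to a public file: the server only honours a URL whose signature it produced, and the URL stops working after its expiry. This also covers the "public files with limited access" case in the list above, because the media player can be given a link that dies after a few minutes. The following is an added example, not code from the question or the answer; it assumes a retriever script named file.php and a per-site secret loaded from configuration outside the web root.

```php
<?php
// Added example (not from the question or the answer): HMAC-signed, expiring
// file links. The retriever calls verify_file_link() and only then reads the
// file from disk, so knowing the storage path alone is useless.
// Assumptions: LINK_SECRET comes from config outside the web root, and the
// retriever script is "file.php".
declare(strict_types=1);

const LINK_SECRET = 'replace-with-32-random-bytes-from-random_bytes()'; // assumption: loaded from config

function sign_file_link(int $fileId, int $expires, string $secret): string {
    // Bind the signature to the file id AND the expiry so neither can be swapped.
    $payload = $fileId . '|' . $expires;
    return hash_hmac('sha256', $payload, $secret);
}

function build_file_link(int $fileId, int $ttlSeconds, string $secret, ?int $now = null): string {
    $now = $now ?? time();
    $expires = $now + $ttlSeconds;
    $sig = sign_file_link($fileId, $expires, $secret);
    return 'file.php?' . http_build_query(['id' => $fileId, 'exp' => $expires, 'sig' => $sig]);
}

function verify_file_link(array $query, string $secret, ?int $now = null): bool {
    $now = $now ?? time();
    if (!isset($query['id'], $query['exp'], $query['sig'])) {
        return false;
    }
    $id  = filter_var($query['id'],  FILTER_VALIDATE_INT);
    $exp = filter_var($query['exp'], FILTER_VALIDATE_INT);
    if ($id === false || $exp === false || $id < 1) {
        return false;
    }
    if ($exp < $now) {
        return false; // link has expired
    }
    $expected = sign_file_link($id, $exp, $secret);
    // hash_equals() compares in constant time; a plain == would leak timing information.
    return hash_equals($expected, (string) $query['sig']);
}

// Usage with constructed values: the page that lists a user's files builds the
// link after checking the session; the retriever only checks signature and expiry.
$link = build_file_link(42, 300, LINK_SECRET, 1700000000);
parse_str(substr($link, strlen('file.php?')), $q);

$insideWindow = verify_file_link($q, LINK_SECRET, 1700000100); // 100 s after issue, within the 300 s TTL
$afterWindow  = verify_file_link($q, LINK_SECRET, 1700000400); // 400 s after issue, past the TTL
$q['id'] = 43;                                                 // tamper with the id, keep the old signature
$tampered     = verify_file_link($q, LINK_SECRET, 1700000100);

echo $link, "\n";
echo 'inside window: ', var_export($insideWindow, true), "\n";
echo 'after window:  ', var_export($afterWindow, true), "\n";
echo 'tampered id:   ', var_export($tampered, true), "\n";
```

A signed link is a bearer token: anyone who obtains it can fetch the file until it expires, so keep the TTL short and, for downloads that should stay strictly owner-only, have file.php additionally require the login session and compare the owner id as the answer below does. The signature replaces the need to hide file names; the storage names can stay random but the security no longer depends on them being secret.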

Solution

Alright. Since I'm unfamiliar with your code, I'm going to use a bit of general code as an example. All you have to do is adjust it.

First, a very basic html form that will upload the video / mp3 / image or whatever:

<form name="upload" action="" method="POST" ENCTYPE="multipart/form-data">
    Select the file to upload: <input type="file" name="userfile">
    <input type="submit" name="upload" value="upload">
</form>

Next you need to prepare your database table:

CREATE TABLE `uploads` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `userid` INT(11) NOT NULL,
    `name` VARCHAR(64) NOT NULL,
    `original_name` VARCHAR(64) NOT NULL,
    `mime_type` VARCHAR(20) NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=utf8;

Now comes the file upload part. At this point I should mention that I'm not very familiar with MySQLi. Therefore I'm using PDO in this example. You should however be able to adjust it to MySQLi if you prefer:

<?php
session_start();
# My PDO class. A link to it can be found at the bottom of this answer
require_once 'pdo.class.php';

# Send user back to login if not logged in. The exit matters: without it the
# script keeps running after the redirect header and still processes the upload.
if(!isset($_SESSION['your_login_session_here'])){
    header("Location: your_login.php");
    exit;
}

# If file is uploaded
if(isset($_POST['upload'], $_FILES['userfile'])){
    $uploaddir = 'uploads'; # Your upload directory

    # Create an empty file with an unguessable name and return its path.
    # fopen(..., 'x') fails if the name already exists, so the loop never overwrites a file.
    function tempnam_sfx($path, $suffix){
        do {
            # random_bytes() gives unpredictable names; mt_rand() is not cryptographically secure
            $file = $path."/".bin2hex(random_bytes(16)).$suffix;
            $fp = @fopen($file, 'x');
        }
        while(!$fp);

        fclose($fp);
        return $file;
    }

    if($_FILES['userfile']['error'] !== UPLOAD_ERR_OK){
        die("Upload failed");
    }

    # Make a regular expression to check for allowed mime types
    $pattern = "#^(image/|video/|audio/)[^\s\n<]+$#i";

    # Check the type detected from the file contents, not $_FILES['userfile']['type'],
    # which is sent by the browser and can be set to anything by an attacker
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['userfile']['tmp_name']);

    if(!preg_match($pattern, $mime)){
        die("Only image, video and audio files are allowed!");
    }

    $uploadfile = tempnam_sfx($uploaddir, ".tmp");

    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {

        # Define db configuration
        define("DB_HOST", "localhost");
        define("DB_USER", "username");
        define("DB_PASS", "password");
        define("DB_NAME", "dbname");

        $db = new Database;

        $db->query("INSERT INTO uploads SET userid=:id, name=:filename, original_name=:oriname, mime_type=:mime");

        # Placeholder names must match the query (:id, not :userid)
        $db->bind(":id",$_SESSION['your_login_session_here']);
        $db->bind(":filename",basename($uploadfile));
        $db->bind(":oriname",basename($_FILES['userfile']['name']));
        $db->bind(":mime",$mime);

        try {
            $db->execute();
        } catch (PDOException $e) {
            unlink($uploadfile);

            die("Error saving data to the database. The file was not uploaded");
        }

        $id = $db->lastInsertId();
        echo "File successfully uploaded.\n";

    } else {
        echo "File uploading failed.\n";
    }
} else {
    # No upload received. Send user to upload page
    header("Location: html_upload_form.html");
    exit;
}

?>

So what is happening? Basically we are uploading the file to our upload dir, where we give it a random filename with the .tmp extension. In our database we're saving this random filename, the original filename, and what type of file it is. Of course we're adding the userid as well so we know to whom the file belongs. The benefits of this approach are as follows:

  • No one will ever know the file name on the server.
  • No one will ever know the original file name except the owner.
  • The Mime Type allows us to set up our HTML5 media player.
  • The owner is able to download the file, but no one else.

Next comes the PHP file that will retrieve the uploaded file for us:

<?php
session_start();
require_once 'pdo.class.php';

# Send user back to login if not logged in
if(!isset($_SESSION['your_login_session_here'])){
    header("Location: your_login.php");
    exit;
}

# Define db configuration
define("DB_HOST", "localhost");
define("DB_USER", "username");
define("DB_PASS", "password");
define("DB_NAME", "dbname");

$uploaddir = 'uploads/';

# Accept only a positive integer id (is_numeric() would also accept "1e3" or " 5")
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

if($id === null || $id === false) {
   die("File id must be numeric");
}

$db = new Database;

# original_name is needed below for the download name, so select it too
$db->query('SELECT userid, name, original_name, mime_type FROM uploads WHERE id=:id');

$db->bind(":id", $id);

try {
    $file = $db->single();
} catch (PDOException $e) {
    die("Error fetching data from the database");
}

# Check "not found" before touching $file['userid']; single() returns false when no row matches
if(empty($file)) {
    die("File not found");
}

# Check if file belongs to user. This is the authorization check: without it any
# logged-in user could count through ids and download everyone else's files
if($_SESSION['your_login_session_here'] != $file['userid']){
    die("This file does not belong to you!");
}

$newfile = $file['original_name']; # The original filename

$path = $uploaddir.$file['name'];
if(!is_file($path)) {
    die("File not found");
}

# Send headers and file back. The original name was supplied by the uploader, so
# strip anything that could break out of the Content-Disposition header
$safename = preg_replace('/[^\w.\-]/', '_', basename($newfile));
header('Content-Description: File Transfer');
header('Content-Disposition: attachment; filename="'.$safename.'"');
header('X-Content-Type-Options: nosniff'); # stop browsers from second-guessing the stored type
header('Cache-Control: private, no-store, must-revalidate'); # private content: no shared cache may keep a copy
header('Expires: 0');
header('Content-Length: ' . filesize($path));
header("Content-Type: " . $file['mime_type']);
readfile($path);

?>

What is happening? In this file, you're using the file id to retrieve the user's file from the database. That way no user needs to know any filename at all! Thanks to our headers, the owner of the file will however be able to download the file with its original name, without knowing the filename on the server at all.

So next I will give you a short example of how to show the user all his files:

<?php
session_start();
require_once 'pdo.class.php';

# Send user back to login if not logged in
if(!isset($_SESSION['your_login_session_here'])){
    header("Location: your_login.php");
    exit;
}

# Define db configuration
define("DB_HOST", "localhost");
define("DB_USER", "username");
define("DB_PASS", "password");
define("DB_NAME", "dbname");

$db = new Database;

# Retrieve all files from the user and build links
$db->query("SELECT id, original_name, mime_type FROM uploads WHERE userid=:id");

$db->bind(":id",$_SESSION['your_login_session_here']);

try {
    $files = $db->resultset();
} catch (PDOException $e) {
    die("Error fetching data from the database");
}

if($db->rowCount() > 0){
    foreach($files as $file){
        # original_name and mime_type came from the uploader, so escape them before
        # putting them in HTML; otherwise a file named "<script>..." becomes stored XSS
        $href = "your_html_viewer_file.php?id=". (int) $file['id'] ."&type=". rawurlencode($file['mime_type']);
        $name = htmlspecialchars($file['original_name'], ENT_QUOTES, 'UTF-8');
        echo "<a href='". htmlspecialchars($href, ENT_QUOTES, 'UTF-8') ."'>". $name ."</a><br />";
    }
} else {
    echo "No files found!";
}

?>

And finally comes the PHP file that will display the file in some HTML media player. I will only give 2 examples here; you should be able to add your own very easily:

<?php
session_start();

# Send user back to login if not logged in
if(!isset($_SESSION['your_login_session_here'])){
    header("Location: your_login.php");
    exit;
}

# Both parameters come from the URL. Validate the id and escape the type before
# echoing it into the page; otherwise ?type=<script>... is reflected XSS.
# The retriever sends the real Content-Type from the database regardless of this value.
$id   = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$type = (string) filter_input(INPUT_GET, 'type');

if($id === null || $id === false){
    die("File id must be numeric");
}

$type = htmlspecialchars($type, ENT_QUOTES, 'UTF-8');

if(strpos($type, 'video/') === 0){ ?>

    <video width="480" height="320" controls>
        <source src="your_file_retriever.php?id=<?php echo $id; ?>" type="<?php echo $type; ?>">
    </video>

<?php } else if(strpos($type, 'audio/') === 0){ ?>

    <audio controls>
        <source src="your_file_retriever.php?id=<?php echo $id; ?>" type="<?php echo $type; ?>">
    </audio>

<?php } ?>

Now, to make sure no one is going to just brute-force your uploads folder, you need to create a .htaccess file inside this folder. The following code will block anyone from accessing that folder except the server itself, of course:

# Apache 2.2 (mod_authz_host) syntax; on Apache 2.4 the equivalent is "Require all denied".
# The retriever reads the files from disk with readfile(), not over HTTP, so it keeps
# working even without the allow line.
order deny,allow
deny from all
allow from 127.0.0.1

My PDO Class.
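The upload script above trusts the MIME type the browser sends, keeps the files inside the web root (hence the .htaccess), and names them with mt_rand(); the retriever builds a Content-Disposition header from a user-supplied name. The block below is an added example, not the answer's own code, showing the upload and retrieval helpers a reviewer would ask for instead: the type is sniffed from the file bytes with finfo and checked against an allow-list, the storage directory is outside the web root (assumed here to be /var/www/private_uploads with the web root at /var/www/html), names come from random_bytes(), and the path resolved from a database row is checked to still be inside that directory. Database access is left to the caller; the function and constant names are this example's own.

```php
<?php
// Added example, not the answer's own code. Assumptions: files live OUTSIDE the
// web root (so no .htaccess is needed to keep them private), the MIME type is taken
// from the file's bytes via finfo rather than from the browser, and names come
// from random_bytes(). Database access is left to the caller.
declare(strict_types=1);

// Assumption: web root is /var/www/html, so this directory is never served by Apache.
const PRIVATE_UPLOAD_DIR = '/var/www/private_uploads';

// Only types that browsers render passively. image/svg+xml is deliberately absent:
// an SVG can carry scripts and would run in the site's origin if ever shown inline.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif',
    'audio/mpeg' => 'mp3', 'video/mp4' => 'mp4', 'video/webm' => 'webm',
];

/** Validate one $_FILES entry and return [detected mime, extension]; throws on anything that must not be stored. */
function validate_upload(array $f, int $maxBytes = 50 * 1024 * 1024): array {
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($f['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($f['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Sniff the real type from the bytes; $f['type'] is chosen by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Type not allowed: ' . $mime);
    }
    return [$mime, ALLOWED_TYPES[$mime]];
}

/** Unguessable storage name; the extension comes from the sniffed type, not from the upload. */
function storage_name(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Move the file into the private directory and return the columns for the DB row. */
function store_upload(array $f): array {
    [$mime, $ext] = validate_upload($f);
    $name = storage_name($ext);
    $dest = PRIVATE_UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move file');
    }
    chmod($dest, 0640); // readable by the web server user only
    return ['name' => $name, 'mime_type' => $mime, 'original_name' => basename($f['name'])];
}

/** Resolve a stored name back to a path, refusing anything that escapes the private directory. */
function private_path(string $storedName): string {
    $base = realpath(PRIVATE_UPLOAD_DIR);
    $path = realpath(PRIVATE_UPLOAD_DIR . '/' . $storedName);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        throw new RuntimeException('File not found');
    }
    return $path;
}

/** Content-Disposition value that survives quotes, backslashes, control characters and non-ASCII in the original name. */
function attachment_disposition(string $originalName): string {
    $clean = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', $originalName);
    return 'attachment; filename="' . $clean . '"; filename*=UTF-8\'\'' . rawurlencode($originalName);
}

// Usage in the upload handler, after the session check:
//   $row = store_upload($_FILES['userfile']);   // then INSERT $row together with the session's user id
// Usage in the retriever, after the not-found check and the userid-vs-session check:
//   header('X-Content-Type-Options: nosniff');
//   header('Content-Type: ' . $file['mime_type']);
//   header('Content-Disposition: ' . attachment_disposition($file['original_name']));
//   readfile(private_path($file['name']));
```

With the files outside the web root, the only way to reach them is through the retriever, so the ownership check in that script is the single point that decides who gets what; the .htaccess becomes a second line of defence rather than the first.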
