限制文件访问授权的PHP用户 [英] Restrict file access to authorized php users

问题描述

我继承了明显的安全漏洞的应用程序。

I've inherited an application with a glaring security hole.

有具有基于会话的安全性，但文件上传（其是用户特定的）不以任何方式固定并且它们被存储在公共文件树

It has session-based security, but file uploads (which are user specific) are not secured in any way and they are stored in the public file tree.

文件名不遵循任何约定等，使他们很难猜测，但数据是敏感的，因此我需要实现一种安全措施，以prevent未经授权的文件访问。

Filenames do not follow any convention as such, making them hard to guess, but the data is sensitive and thus I need to implement a security measure to prevent unauthorized file access.

移动文件的位置是不是一个真正的选择，所以我在寻找一个htaccess的解决方案，将请求转发到一个PHP处理程序脚本。

Moving the location of the files is not really an option, so I'm looking at a htaccess solution to forward requests to a php handler script.

有没有人有在实施这种类型的东西或有什么好的替代解决方案的经验？的.htaccess语法的具体例子，大大AP preciated，因为我挣扎在这个领域。

Does anyone have experience in implementing this type of thing or any good alternative solutions? Specific examples of .htaccess syntax greatly appreciated, as I'm struggling in this area.

推荐答案

不明白为什么移动它们是不是一种选择，因为推动这些请求处理程序意味着它不再是问题，他们正在储存。但你是男人的身影。

Don't really understand why moving them isn't an option, since pushing requests for them to a handler means it no longer matters where they're stored. But you're the man on the scene.

的.htaccess如下：

.htaccess looks like:

RewriteEngine on
RewriteRule path/to/where/these/files/live/(.*) /handlerscript.php/$1

然后就拿起从 $剩余的文件路径和名称_ SERVER ['PATH_INFO'] 。

这篇关于限制文件访问授权的PHP用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！