允许PHP脚本访问文件夹中的PDF-但阻止直接URL引用 [英] Allow a PHP script access to PDFs in a folder - but prevent direct URL references

问题描述

在使用CPanel的godaddy托管网站上，我有一个小的PHP脚本，用于显示服务器上文本文件中的每一行.每行都包含一个私有的href链接，指向只有登录用户才能看到的PDF.这些链接指向服务器上同一文件夹中的各种PDF.该代码工作正常，我可以单击链接并查看每个PDF.

On a godaddy hosted website using CPanel, I have a small PHP script that shows each line in a text file that's on the server. Each line contains a private href link to a PDF that only the logged-in user can see. The links points to various PDFs in the same folder on the server. The code works fine and I can click on the link and see each PDF.

问题在于，每个PDF也可以通过使用直接URL查询(即website/folder/pdfname.pdf)来查看.因为这些是私人PDF，所以我不希望它们公开.我尝试将文件夹的CPanel权限更改为所有者"-但这似乎阻止了PHP脚本也打开PDF.

The problem is that each PDF can also be seen by using a direct URL query (i.e. website/folder/pdfname.pdf). As these are private PDFs, I don't want them public. I've tried changing CPanel permissions on the folder to "owner" - but that seems to prevent the PHP script from opening the PDFs also.

是否有一种方法可以允许PHP脚本访问文件夹中的PDF，但是可以防止直接URL引用?

Is there a way to allow a PHP script access to PDFs in a folder - but prevent direct URL references?

注意:我不是特别擅长PHP或CPanel-抱歉.

NOTE: I'm not particularly adept at PHP or CPanel - sorry.

代码...

$fname = "PDF-" . $user_name.".txt";
$fnum = fopen($fname,"r");
echo "<tr>";
While (($str = fgets($fnum)) !==  false) {
    $arr = explode("|",$str);   
    for ($x  = 0 ;  $x < count($arr);  $x++) {
        echo "<td>$arr[$x]</td>";
    }
    echo "</tr>";   
}
echo "</tr>";
fclose($fnum);

文件内容...

Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>*

推荐答案

除了从根目录删除文件之外，如果您正在运行apache，还可以更改.htaccess (我确定基于Windows系统具有web.config等效项)，以禁止直接访问某些文件.如果将此代码段添加到该文件，它将拒绝扩展名为.pdf的文件:

Asside from removing the files from the root, if you are running apache, you can change your .htaccess (I'm sure windows-based system have a web.config equivalent) to forbid access to certain files directly. If you add this snippet to that file, it will deny files with .pdf extension:

<FilesMatch "\.(pdf)$">
Order Allow,Deny
Deny from all
</FilesMatch>

从那里，在您的应用程序内部，您可以创建某种类型的系统来管理PDF链接，因此，如果您将真实路径存储在数据库中，并使用id作为链接，则类似于:

From there, inside your app, you can create some sort of system for curating your PDF links, so if you store the real path in a database and use the id as the link similar to:

http://www.example.com/?file=1

或者如果您只是进行简单扫描:

or if you just do a simple scan:

<?php
# The folder that the PDFs are in
$dir = __DIR__.'/website/folder/';
# Loop over a scan of the directory (you can also use glob() here)
foreach(scandir($dir) as $file):
    # If file, create a link
    if(is_file($dir.$file)): ?>
<a href="?action=download&file=<?php echo $file ?>"><?php echo $file ?></a>
<?php
    endif;
endforeach;

然后，如果用户尝试使用链接进行下载，则检查他们是否首先登录，如果已经登录，则通过执行类似的脚本来下载文件，然后再将其他任何内容输出到浏览器(包括空格) ):

Then, if the user tries to download using the link, you check they are first logged in and if they are, download the file by doing a script like so BEFORE you output anything else to the browser (including spaces):

<?php
session_start();
# First check that the user is logged in
if(empty($_SESSION['username']))
    die('You must be logged in to download this document.');
# Not sure which directory you are currently in, so I will assume root
# I would do basename() here incase the user tries to add in something like:
# ../index.php and tries to download files they are not supposed to
$file = __DIR__.'/website/folder/'.basename($_GET['file']);
if(!is_file($file))
    die('File does not exist.');
# Double check that the file is a pdf
elseif(strtolower(pathinfo($file, PATHINFO_EXTENSION)) != 'pdf')
    die('File appears to be invalid.');
# Start download headers
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;

这篇关于允许PHP脚本访问文件夹中的PDF-但阻止直接URL引用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！