允许PHP脚本访问文件夹中的PDF-但阻止直接URL引用 [英] Allow a PHP script access to PDFs in a folder - but prevent direct URL references
问题描述
在使用CPanel的godaddy托管网站上,我有一个小的PHP脚本,用于显示服务器上文本文件中的每一行.每行都包含一个私有的href链接,指向只有登录用户才能看到的PDF.这些链接指向服务器上同一文件夹中的各种PDF.该代码工作正常,我可以单击链接并查看每个PDF.
On a godaddy hosted website using CPanel, I have a small PHP script that shows each line in a text file that's on the server. Each line contains a private href link to a PDF that only the logged-in user can see. The links points to various PDFs in the same folder on the server. The code works fine and I can click on the link and see each PDF.
问题在于,每个PDF也可以通过使用直接URL查询(即website/folder/pdfname.pdf)来查看.因为这些是私人PDF,所以我不希望它们公开.我尝试将文件夹的CPanel权限更改为所有者"-但这似乎阻止了PHP脚本也打开PDF.
The problem is that each PDF can also be seen by using a direct URL query (i.e. website/folder/pdfname.pdf). As these are private PDFs, I don't want them public. I've tried changing CPanel permissions on the folder to "owner" - but that seems to prevent the PHP script from opening the PDFs also.
是否有一种方法可以允许PHP脚本访问文件夹中的PDF,但是可以防止直接URL引用?
Is there a way to allow a PHP script access to PDFs in a folder - but prevent direct URL references?
注意:我不是特别擅长PHP或CPanel-抱歉.
NOTE: I'm not particularly adept at PHP or CPanel - sorry.
代码...
$fname = "PDF-" . $user_name.".txt";
$fnum = fopen($fname,"r");
echo "<tr>";
While (($str = fgets($fnum)) !== false) {
$arr = explode("|",$str);
for ($x = 0 ; $x < count($arr); $x++) {
echo "<td>$arr[$x]</td>";
}
echo "</tr>";
}
echo "</tr>";
fclose($fnum);
文件内容...
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>
Xyz Company|21 Jan 2018|<a href="http://website.com"> website link</a>*
推荐答案
除了从根目录删除文件之外,如果您正在运行apache,还可以更改.htaccess
(我确定基于Windows系统具有web.config
等效项),以禁止直接访问某些文件.如果将此代码段添加到该文件,它将拒绝扩展名为.pdf
的文件:
Asside from removing the files from the root, if you are running apache, you can change your .htaccess
(I'm sure windows-based system have a web.config
equivalent) to forbid access to certain files directly. If you add this snippet to that file, it will deny files with .pdf
extension:
<FilesMatch "\.(pdf)$">
Order Allow,Deny
Deny from all
</FilesMatch>
从那里,在您的应用程序内部,您可以创建某种类型的系统来管理PDF链接,因此,如果您将真实路径存储在数据库中,并使用id作为链接,则类似于:
From there, inside your app, you can create some sort of system for curating your PDF links, so if you store the real path in a database and use the id as the link similar to:
http://www.example.com/?file=1
或者如果您只是进行简单扫描:
or if you just do a simple scan:
<?php
# The folder that the PDFs are in
$dir = __DIR__.'/website/folder/';
# Loop over a scan of the directory (you can also use glob() here)
foreach(scandir($dir) as $file):
# If file, create a link
if(is_file($dir.$file)): ?>
<a href="?action=download&file=<?php echo $file ?>"><?php echo $file ?></a>
<?php
endif;
endforeach;
然后,如果用户尝试使用链接进行下载,则检查他们是否首先登录,如果已经登录,则通过执行类似的脚本来下载文件,然后再将其他任何内容输出到浏览器(包括空格) ):
Then, if the user tries to download using the link, you check they are first logged in and if they are, download the file by doing a script like so BEFORE you output anything else to the browser (including spaces):
<?php
session_start();
# First check that the user is logged in
if(empty($_SESSION['username']))
die('You must be logged in to download this document.');
# Not sure which directory you are currently in, so I will assume root
# I would do basename() here incase the user tries to add in something like:
# ../index.php and tries to download files they are not supposed to
$file = __DIR__.'/website/folder/'.basename($_GET['file']);
if(!is_file($file))
die('File does not exist.');
# Double check that the file is a pdf
elseif(strtolower(pathinfo($file, PATHINFO_EXTENSION)) != 'pdf')
die('File appears to be invalid.');
# Start download headers
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
这篇关于允许PHP脚本访问文件夹中的PDF-但阻止直接URL引用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!