用PHP控制对文件系统的访问 [英] Control Access to Filesystem with PHP
问题描述
我以前在这里发布:
由于这是根据那里的建议提出的新问题,所以我认为我应该开始新的帖子.如果应该进行编辑,请以后再告诉我.
Since this is a new question based on suggestions there, I thought I should start a new post. If this should have been an edit, please let me know for the future.
我认为控制访问的解决方案将是上传文件并对名称进行哈希处理.该文件将采用以下格式:
I think the solution I'm going with to control access will be to upload a file and hash the name. The file will be in the format:
/uploads/#############.pdf
/uploads/#############.pdf
链接将发送给订户.他们第一次来到该网站时,将被要求创建一个图钉"和一个提示"来记住.然后可以通过电子邮件地址/密码组合访问登录页面以列出其物品.
A link will be sent to subscribers. The first time they come to the site, they'll be asked to create a "pin" and a "hint" to remember. Then can then access a landing page to list their items via an email address/pin combo.
我的问题是:我知道我可以控制对显示他们可以查看哪些项目的页面的访问,但是有一种方法可以控制/uploads/[file]仅在经过某种编程方式后才能下载查看?我想不出任何办法....
My question is: I know I can control the access to the page that shows what items they can view, but is there a way to control the /uploads/[file] to only be download-able after some kind of programmatic check? I can't think of any way to do this....
再次感谢.
推荐答案
您的pdf文件不必位于用户可见的目录中.它们可以在您的网络根目录之外.这样,实际上没有人可以浏览到www.yoursite.ext/uploads/2395wrfhgt.pdf自己下载或与他人共享链接.
Your pdf files don't have to be in a user viewable directory. They can be outside your web root. That way, noone can actually browse to www.yoursite.ext/uploads/2395wrfhgt.pdf to download it himself or share the link with others.
为了下载pdf,您将有一个专用的脚本,该脚本将对请求该文件的用户进行所有访问检查,如果一切正常,它将设置适当的标头,从文件系统中读取文件并打印呈现给用户.
In order to download the pdf you'll have a dedicated script that will do all the access checks on the user that's requesting it, and if all ok it will set the appropriate headers, read the file from the filesystem, and print it out to the user.
因此,假设您的站点位于/var/www/site/htdocs/,并且您将每个pdf都上传到/var/www/site/uploads/.您甚至不需要散列文件名,而是可以使文件名保持良好的名称,以便于组织.
So, lets say your site is at /var/www/site/htdocs/ and you upload every pdf into /var/www/site/uploads/ . You don't even need to hash the filenames but instead can keep them nicely named for easy organization.
然后,所有下载文件的链接都将指向www.yoursite.ext/download.php?id={fileid}
Then, all the links to download a file will be made to point to www.yoursite.ext/download.php?id={fileid}
您的download.php将进行所有访问检查(正确登录,具有下载文件的权限等),然后执行以下操作:
Your download.php will do all the access checks (properly logged in, has permissions to download the file etc), and then do the following:
$pathToPdf = '/var/www/site/uploads/some.pdf' ;
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($pathToPdf));
header('Content-Disposition: attachment; filename=' . 'some.pdf');
readfile($pathToPdf) ;
就足够了.完成这项工作后,您可以考虑改善一些方面:
And that's pretty much it. Once you get this working you can look into improving a few things:
- 使用mod_rewrite或类似名称在链接中包含实际的pdf文件名,这可以帮助某些浏览器意识到应该下载该文件:www.yoursite.ext/download/{fileid} .pdf
- 考虑使用Web服务器而不是php来提供文件,例如 X-Sendfile 标头
这篇关于用PHP控制对文件系统的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
