限制访问私人图像 [英] Restrict access to private images
问题描述
作为摄影师,我有自己的网站,上面有作品集等.我还为用户提供了一个登录系统,我可以让他们访问自己的私有图像(它显示放置在特定文件夹内的所有图像-我会为每个用户手动执行此操作).
As a photographer, I have my own website with a portfolio and such. I also have a log-in system for users, where I give them access to their own private images (it displays all images placed inside a specific folder - I do this manually for each user).
当用户登录并查看其私人图像时,他会注意到URL上显示以下内容(当他下载/单击它/等时): www.mywebsite.com/FOLDER_NAME/IMG_123.jpg
When a user logs in and sees his private images, he'll notice the URL says the following (when he downloads it/clicks it/etc): www.mywebsite.com/FOLDER_NAME/IMG_123.jpg
只需做一些猜测,他就可以找到其他用户的私人图片.当然,这违背了在我的网站上放置私人图片的目的,因此我必须找到解决方法.
By simply doing a bit of guessing, he'll be able to find other users private images. Of course this is defeats the purpose of having private images on my website, so I have to find a way around that.
目前,如果用户的user_email(唯一)与userRow相匹配,则用户只能看到其私人图像:
At the moment, the user can only see his private images if his user_email (unique) matches userRow:
if ($userRow['user_email'] == "email@hotmail.com")
我不确定要搜索什么.对我来说,限制对图像的访问不是一个成功的搜索查询.
I'm not so sure what to search for. Restrict access to images wasn't a successful search query for me.
我该怎么办?我想一种选择是将文件夹随机命名,例如: "Charles661846Xkdfdsnf34590u".很难猜测,但是我对安全性不太确定(就像是否有其他方法可以访问根目录一样?).
What can I do? I guess an option would be to call the folders something random, such as: "Charles661846Xkdfdsnf34590u". That will be hard to guess, but I'm not so sure about security (as in if there are other ways to get access to the root?).
我查看了拒绝直接访问除了index.php 以外的所有.php文件,但这不是我想要的.
I have taken a look at Deny direct access to all .php files except index.php but that is not what I want exactly.
在这种情况下我该怎么办?
What can I do in this case?
我已经用php,html和一些javascript编程了我的网站.
I've programmed my site in php,html and a bit javascript.
推荐答案
如果您只需要限制登录用户访问文件,则应将所有文件从网络根目录移至您不能直接通过Web服务器访问它们.
If you need to restrict access to files only to a logged-in user, you should move all files from the web-root and put them in a place where you cannot access them directly through the web-server.
然后,在通过php验证用户身份后,您将提供文件.例如,请参见php手册 readfile() 页上的第一个示例.
Then you serve the files after the user is authenticated through php. See for example the first example on the readfile() page of the php manual.
因此,当用户登录时,例如,将用户ID存储在会话变量中,然后在文件服务脚本的顶部检查ID是否正确/是否允许访问该特定文件.
So when a user logs in, you store for example the user ID in a session variable and on top of the file-serving script you check if the id is correct / allowed access to that specific file.
这篇关于限制访问私人图像的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
