允许用户在 webroot 之外下载文件 [英] Allow users to download files outside webroot

问题描述

Hello I am using PHP to allow users to upload files and I have them sitting in a folder outside webroot (/var/www) folder for security reasons. It is in the folder /var/uploads. A user uploads files for specific records. Once the the uploaded files are moved to the uploads folder, the address of the attachment is stored in the database. Now whenever a user checks the record, attachments for the specific record are going to be displayed for downloads.

Since they are out of the webroot, I am unable to get them downloaded as they would have a url of

http://localhost/var/uploads/attachment.txt

Do we have a solution or should it downloadable folders be child directories of the webroot?

<?php
$con = mysql_connect("localhost","id","pass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("db", $con);

$result = mysql_query("select * from attachments");

while($row = mysql_fetch_array($result))
{
echo '<a href="'.$row[2].'" target="_blank">Download</a>--'.$row[3].'<br>';
}

mysql_close($con);
?> 

is the code I am using. The folder's owner is www-data:/ or the web server. So there should be no access issues.

解决方案

Use

• a symlink pointing to /var/uploads (tutorial here)

• a Apache Alias directive Alias /uploads /var/uploads (must be in httpd.conf)

• or a proxy PHP script that accepts a GET variable filename=upload.jpg and fetches the file e.g. using fpassthru()

the latter is the least preferable option because it is resource intensive, but sometimes it's the only alternative. It also needs proper securing to prevent an attacker from getting other files on your server through the proxy.

这篇关于允许用户在 webroot 之外下载文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！