如何保护上载文件夹中的图像不被管理员查看
[英]how to protect images inside upload folder from viewing by anyone EXCEPT admin
问题描述
Ok, desired (probably impossible?) scenario is next: 
好的,接下来是所需的(可能是不可能的?)方案:
1) anyone can upload image(s) to folder 1)任何人都可以将图像上传到文件夹
2) only admin, via web admin interface/regular, password protected admin panel can see it 2)只有管理员,可以通过Web管理员界面/常规,受密码保护的管理员面板看到它
I guess it is impossible, unless i store images to database directly (as BLOB type), and show them inside admin panel (which will decrease performance, i guess). 我想这是不可能的,除非我将图像直接存储到数据库(作为BLOB类型),并在管理面板中显示它们(我想这会降低性能)。
So, what i could do, a) except to place blank index file in upload folder (already done) but i guess there are ways to guess/get names of files 所以,我能做什么,a)除了将空白索引文件放置在上载文件夹中(已经完成), 但我想有办法猜测/获取文件名
b) and maybe, add some .htaccess protection (what would be your advice?) b)也许添加一些.htaccess保护(您的建议是什么?)
Again, uploading is a part of form (there is no registration required!), i need some way to allow only admin to see/download images, but to protect it from others, because sensitive data are in question. 再次,上传是表单的一部分(不需要注册!),我需要某种方式来仅允许管理员查看/下载图像,但是要保护它免受其他人的访问,因为敏感数据存在疑问。
3 个解决方案
解决方案1
2 已采纳 2014-03-19 18:03:27
Here you go: 干得好:
1) Do not store files in your DB. 1)不要将文件存储在数据库中。 Ever. 永远。
2) Protect the upload directory (where ONLY uploaded files will live) with an .htaccess - "deny all" (basically) -- or store the upload directory somewhere NOT public to the web (see #3, below) 2)使用.htaccess保护上传目录(只能保存上传的文件)-基本上“拒绝所有”-或将上传目录存储在对网络不公开的位置(请参阅下面的#3)
3) Have an interim file that serves file downloads (is user logged in? If so, set headers and readfile() the actual file - this will force the file to download. The database should store the file name, path, and other relevant details) 3)有一个用于文件下载的临时文件(用户是否登录?如果是,则设置标头和readfile()实际文件-这将强制文件下载。数据库应存储文件名,路径和其他相关文件细节)
The PHP upload script can save files in any directory, even the one with the .htaccess in it. PHP上传脚本可以将文件保存在任何目录中,即使其中包含.htaccess的目录也是如此。
解决方案2
1 2014-03-19 18:03:18
Once the form is submitted, you can do ANYTHING you want with the files uploaded. 提交表单后,您可以对上传的文件进行任何操作。
Why don't you store the images in a folder that is simply not accessible from the web, and then programmatically provide access to those files from the admin interface? 为什么不将图像存储在根本无法从Web访问的文件夹中,然后以编程方式从管理界面提供对这些文件的访问?
解决方案3
1 2014-03-19 18:04:03
您可以在上传后使用管理员的公钥加密图像,因此只有管理员的私钥才能解密和查看。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.