从htaccess禁用文件夹公共访问
[英]Disable folder public access from htaccess
问题描述
I have a website from which you can downloads resources. 
我有一个网站,您可以从该网站下载资源。
What I want is to disable public access for the folder on which the items are stored but allowed them to be accessed by website for download. 我想要的是对存储项目的文件夹禁用公共访问权限,但允许网站访问它们以进行下载。
I've used Order deny,allow in .htaccess but if i use that I can't download from the website. 我已经使用Order deny,allow .htaccess Order deny,allow ,但是如果使用该命令,则无法从网站下载。
It will will give me error 404 same as trying to type direct url for the file. 它将给我错误404与尝试为文件键入直接url相同。 The download is performed. 下载完成。
I have the following code: 我有以下代码:
$link = $item->link;
$link_headers = get_headers($link);
//Headers
if(isset($link_headers[0]))
{
header($link_headers[0]);
}//if exists
if(isset($link_headers[1]))
{
header($link_headers[1]);
}//if exists
if(isset($link_headers[2]))
{
header($link_headers[2]);
}//if exists
if(isset($link_headers[3]))
{
header($link_headers[3]);
}//if exists
if(isset($link_headers[4]))
{
header($link_headers[4]);
}//if exists
if(isset($link_headers[5]))
{
header($link_headers[5]);
}//if exists
if(isset($link_headers[6]))
{
header($link_headers[6]);
}//if exists
if(isset($link_headers[7]))
{
header($link_headers[7]);
}//if exists
if(isset($link_headers[8]))
{
header($link_headers[8]);
}//if exists
readfile($link);
exit;
Thing is if i put .htaccess with deny all into the folder that holds all the items for download then download will not work anymore because i don't have permission and i want that to be available only for people who try to download from direct link to the file from url. 问题是,如果我将带有拒绝所有内容的.htaccess放入保存所有要下载项目的文件夹中,那么下载将不再起作用,因为我没有权限,并且我希望仅对尝试从直接链接下载的用户可用从url到文件。
2 个解决方案
解决方案1
0 2014-09-12 14:42:27
If you protect your file and file path, you can use a download.php file. 如果您保护文件和文件路径,则可以使用download.php文件。
download.php file content download.php文件内容
<?php
// Connect to db and get file information from db.
// $db_filename and $db_filetype getting from db
header("Content-disposition: attachment; filename=def.file_type"); // def.pdf
header("Content-type: " . $db_filetype); // application/pdf
readfile("/path/of/your/files/".$db_filename); // /project/home/downloads/abc.pdf
Usage : 用法:
download.php?file_id=1
This usage is protect your folder and file name, but it use database. 这种用法是为了保护您的文件夹和文件名,但它使用数据库。
解决方案2
0 已采纳 2014-09-12 14:42:52
One way to achieve this is to download via a script that checks for the http-referrer. 实现此目的的一种方法是通过检查http-referrer的脚本进行下载。 The header can of course be modified manually, but I think doing something more complex than this would be an overkill: 标头当然可以手动修改,但是我认为做一些比这复杂的事情会太过分了:
/*
Change your download links to point to a php script, or use .htaccess to rewrite downloads to the same file
*/
<a href="download.php?file=somefile.zip">Download</a>
//download.php
if ($_SERVER['HTTP_REFERER'] == "your_downloads_page.html") {
$file = $_GET['file'];
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
}
}
However be sure to add some security checks so that users can't download files they shouldn't be allowed to. 但是,请确保添加一些安全检查,以使用户无法下载不应被允许的文件。 Perhaps filter all slashes and double dots. 也许过滤所有斜线和双点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.