安全地上传并在Codeigniter 3中显示图像或文件
[英]Secure upload and show image or file in codeigniter 3
问题描述
I want to upload image in my codeigniter 3 , and I want to show the uploaded image to my users (this is in register level and users is inputing his profile data) I should showe the uploaded image to him. 
我想在我的codeigniter 3中上传图片,并且想向用户显示上传的图片(这是在注册级别,并且用户正在输入他的个人资料数据),我应该向他展示上传的图片。 I have read this : 我读过这个:
Moving it outside of the public_html is a good idea, also try to rename the file and just add the extension to it.
and another : 还有一个:
Do not move uploaded file to directory which is accessible from URL
but I don't know how can I have show the picture which is not directory which is accessible from URL ! 但是我不知道如何显示不是可以通过URL访问的目录的图片! . 。 I don't have any idea it's really important for me the security I have used codeigniter upload class and I don't you know what kind of security other operations should I do this is my controller : 我不知道这对我使用codeigniter上载类的安全性真的很重要,我不知道我应该做的其他操作是哪种安全性,这就是我的控制器:
public function do_resize($img_name ,$image_original_width , $image_original_height )
{
// $nesbat = $image_original_height / $image_original_width ;
$config_manip = array(
'image_library' => 'gd2',
'source_image' => '../uploads/'.$img_name,
'new_image' => '../uploads/'.$img_name,
'maintain_ratio' => TRUE,
'create_thumb' => TRUE,
'thumb_marker' => '_thumb',
'width' => 150,
'height' => 150
);
$this->load->library('image_lib', $config_manip);
if (!$this->image_lib->resize()) {
// echo $this->image_lib->display_errors();
return false ;
}
else
{
return true ;
}
// clear //
$this->image_lib->clear();
}
function do_upload()
{
$file_name = $this->input->post("file_name") ;
$config['upload_path'] = '../uploads/';
$config['allowed_types'] = 'gif|jpg|png';
$config['max_size'] = '10000';
$config['max_width'] = '1024';
$config['max_height'] = '768';
$config['file_name'] = $file_name;
// delete if .gif image exists before
if ( is_file('./uploads/'.$file_name.".gif") )
{
unlink("./uploads/".$file_name.".gif");
unlink("./uploads/".$file_name."_thumb.gif");
}
// delete if .gif image exists before
if ( is_file('./uploads/'.$file_name.".jpg") )
{
unlink("./uploads/".$file_name.".jpg");
unlink("./uploads/".$file_name."_thumb.jpg");
}
// delete if .gif image exists before
if ( is_file('./uploads/'.$file_name.".png") )
{
unlink("./uploads/".$file_name.".png");
unlink("./uploads/".$file_name."_thumb.png");
}
$this->load->library('upload', $config);
if ( ! $this->upload->do_upload())
{
$error = array('error' => $this->upload->display_errors());
echo "<div id='upload_status'>fail</div>";
echo "<div id='error_mesage'>".$this->upload->display_errors()."</div>";
}
else
{
$data = array('upload_data' => $this->upload->data());
$upload_data = $this->upload->data();
$uploaded_file_name = $upload_data['file_name'];
$resize = $this->do_resize($uploaded_file_name , $upload_data['image_width'] , $upload_data['image_height'] ) ;
if ($resize == true )
{
echo "<div id='upload_status'>success</div>";
echo "<div id='uploaded_image_link' >".$upload_data['file_name']."</div> ";
$thumb_link = str_replace($file_name,$file_name."_thumb",$upload_data['file_name']);
echo "<div id='uploaded_image_thumb_link' >".$thumb_link."</div> ";
}
//if $resize == true , nabashe -> uploade koli fail eleam mishe ta dobare anjam beshe
else
{
echo "<div id='upload_status'>fail</div>";
}
}
}
3 个解决方案
解决方案1
3 已采纳 2015-10-30 16:47:54
Images are generally a public asset but you can protect them in a few ways. 图像通常是一种公共资产,但是您可以通过几种方式对其进行保护。
- Put an index.html or index.php file in your images directory. 将index.html或index.php文件放在您的图像目录中。
- Turn off directory listing in your .htaccess file 关闭您的.htaccess文件中的目录列表
- Rewrite the file name (will obfuscate orginal name) 重写文件名(将混淆原始名称)
To view the image after it's uploaded will require AJAX, or a page refresh. 要在上传后查看图片,需要AJAX或页面刷新。 A page refresh is easier to code, simply upload the file and show that file on the preceeding page. 页面刷新更易于编码,只需上传文件并在前面的页面上显示该文件即可。
You can protect the folder to make sure a particular page has access to displaying an image. 您可以保护文件夹,以确保特定页面有权显示图像。 This makes things more complicated but working with some kind of resource access system might help you achieve this. 这使事情变得更加复杂,但是使用某种资源访问系统可能会帮助您实现这一目标。
Once the page is loaded though - the image will be available to that user and once downloaded there. 一旦页面被加载-该图像将可供该用户使用,并在该位置下载。
I am not sure on what youre protecting exactly (profile pics, adult content..) but images, like CSS files are public assets. 我不确定您到底要保护什么(个人资料图片,成人内容..),但是图像(如CSS文件)是公共资产。
Rich 丰富
解决方案2
1 2018-02-12 09:59:12
Using this way, we can prevent Image call from other server. 使用这种方法,我们可以防止来自其他服务器的图像调用。
Prevent image hotlinking (IMP) 防止图像热链接(IMP)
- Image hotlinking is the process/technique of using someone else's Image URL in our Website and using their bandwidth. -图片热链接是在我们的网站中使用别人的图片URL并使用其带宽的过程/技术。 In order to prevent this mystery, we can prevent access for external server by adding following line in htaccess . 为了避免这个谜团,我们可以通过在htaccess中添加以下行来阻止对外部服务器的访问。
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
解决方案3
0 2018-10-17 11:55:01
Just create a blank index.html file and put the index.html file on all other public folders except application/system folders (they already have it). 只需创建一个空白的index.html文件,然后将index.html文件放在除应用程序/系统文件夹(它们已经拥有)以外的所有其他公用文件夹上。 This is a simple security technique to restrict viewers to view your files on public folders. 这是一种简单的安全技术,可以限制查看者查看您在公用文件夹上的文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.