所有文件仅通过 index.php 下载并拒绝从浏览器直接访问它们

Question

I have the following structure in my website:

• index.php
• files(directory) ---> file1.pdf

How can I prevent the direct access to the file (eg https://example.com/files/file1.pdf ) and allow the file to be downloaded from within the displayed web page for login users?

here is the php code for the index which reads the files from the directory:

<?php
        include('session.php');

        $path    = './files';
        $files = scandir($path);
        $files = preg_grep("/^(\.|\.\.|index\.php|\.htaccess)$|.php$|\.meta\.js$/",scandir($path), PREG_GREP_INVERT);
        foreach($files as $file){
          echo '<div>';
          echo "<a href='$file' >$file</a>";
          echo "</div>";
        }
        ?>

Answer 1

1. Create an .htaccess in files and set deny all.

   order deny,allow deny from all

2. Create downloader.php and update your download link urls like

domain.com/downloader.php?file=filename

Code:

    <?php 

if(!isset($_GET['file']))
{
    die('File Request Not found.');
}
if(!file_exists('files/'.$_GET['file']))
{
    die('File not exists. File name ='.$_GET['file']);
}
header("Content-Type: application/octet-stream");
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"".$_GET['file']."\""); 
echo readfile('files/'.$_GET['file']);
?>

Answer 2

.

AddHandler application/x-httpd-php .html

<FilesMatch "\.(?i:gif|jpe?g|png)$">

order deny,allow

Deny from all

</FilesMatch>

Usage = These rules will allow you to download the files only from index.html and will deny the direct access to them from the browser.

Answer 3

So here is how i manged to solve the problem:

in the .htaccess added the rules:

<FilesMatch "\.(?i:pdf|jpe?g|png)$">

order deny,allow

Deny from all

</FilesMatch>

So now no one can access the files via direct link from browser.

then added the following code to the downloader.php (of course still needs to be linked to the session to allow logged in users only):

<?php

if(isset($_GET['path']))
{
//Read the filename
$filename = $_GET['path'];
//Check the file exists or not
if(file_exists($filename)) {

//Define header information
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header("Cache-Control: no-cache, must-revalidate");
header("Expires: 0");
header('Content-Disposition: attachment; filename="'.basename($filename).'"');
header('Content-Length: ' . filesize($filename));
header('Pragma: public');

//Clear system output buffer
flush();

//Read the size of the file
readfile($filename);

//Terminate from the script
die();
}
else{
echo "File does not exist.";
}
}
else
echo "Filename is not defined."
?>

and made a little change to the index.php:

 echo "<a href=./downloader.php?path='$pathOF/$file' class='pdfl'>$file</a>";

and all working fine, just a little bit delay when requesting a file download, maybe it is a hosting issue or may be the downloader not sure, please let me know if there is a better way to do this.

Regards