[英]Allow scripts to read a file but prevent users from viewing the file directly
Lets say I have a plain text file example.txt
and I have a PHP script on my web-server readfile.php
.假设我有一个纯文本文件example.txt
并且我的网络服务器readfile.php
上有一个 PHP 脚本。
What I want to be able to do is to prevent users from typing http://www.example.com/example.txt
and looking at the text file directly but I still want people to be able to load http://www.example.com/readfile.php
which reads from the file example.txt
and does something with it (possibly displays the contents of the file).我想要做的是阻止用户输入http://www.example.com/example.txt
并直接查看文本文件,但我仍然希望人们能够加载http://www.example.com/readfile.php
从文件中读取example.txt
并执行与它的东西(可能显示文件的内容)。
Also, if this can be done, what is the best way to do it?另外,如果可以做到这一点,最好的方法是什么?
Yes, this is easy to do.是的,这很容易做到。
There are two main ways to stop users from accessing example.txt
.有两种主要方法可以阻止用户访问example.txt
。 The first is to put it in a folder outside your web folder (Usually called www
or public_html
), the second is to put a .htaccess
file in the folder with your example.txt script which blocks access to the file altogether.第一个是将它放在您的 web 文件夹之外的文件夹中(通常称为www
或public_html
),第二个是将一个.htaccess
文件与您的 example.txt 脚本一起放在文件夹中,该脚本完全阻止访问该文件。 The .htaccess
would look like .htaccess
看起来像
<files "example.txt">
deny from all
</files>
But you could change example.txt
to something like *.txt
if you wanted to block all .txt
files in the folder.但是,如果您想阻止文件夹中的所有.txt
文件,您可以将example.txt
更改为类似*.txt
的内容。
Then you can use file_get_contents()
in your readfile.php
to get the contents of the text file, or if you just want to output the file you can use readfile
然后你可以在你的readfile.php
使用file_get_contents()
来获取文本文件的内容,或者如果你只想输出文件你可以使用readfile
Just store the files you don't want publicly accessible outside the webroot .只需将您不希望在 webroot 之外公开访问的文件存储起来。
/home
example.txt
/www
readfile.php
If /home/www/
is your public webroot folder, any file above it is not accessible through the web server.如果/home/www/
是您的公共 webroot 文件夹,则无法通过 Web 服务器访问它上面的任何文件。 readfile.php
can still access the file perfectly fine at ../example.txt
though. readfile.php
仍然可以很好地访问../example.txt
的文件。
If you need to store the files in the webroot, then put the files in a folder and deny access to that folder.如果您需要将文件存储在 webroot 中,请将文件放在一个文件夹中并拒绝对该文件夹的访问。 If you are using apache, make a .htaccess file in the folder and type in deny from all
如果您使用的是 apache,请在文件夹中创建一个 .htaccess 文件并输入deny from all
I've done something similar where the files contain extremely sensitive information and I only want validated users to be able to retrieve the file through an HTTPS connection.我做过类似的事情,其中文件包含极其敏感的信息,我只希望经过验证的用户能够通过 HTTPS 连接检索文件。
What I did was this:我所做的是这样的:
I put the files in a directory path that is outside the scope of what the web server (Apache, for me) can see.我将文件放在 Web 服务器(对我而言是 Apache)可以看到的范围之外的目录路径中。 Therefore, there are no possible URLs that will result in the file being served up directly by the web server.因此,没有可能的 URL 会导致 Web 服务器直接提供文件。 Then I created a script that allows users to login, click on the file they want, and then the PHP script reads the file, puts the appropriate headers, and then streams the file to the user's computer.然后我创建了一个脚本,允许用户登录,点击他们想要的文件,然后 PHP 脚本读取文件,放置适当的标题,然后将文件流式传输到用户的计算机。
Of course, the script that shows the user the list of files and the script that streams the file out to the user must have at least read access to the files in the path where they are being stored.当然,向用户显示文件列表的脚本和将文件流式传输给用户的脚本必须至少具有对存储路径中文件的读取权限。
Good luck!!祝你好运!!
Quick hack - rename your file to ".cannotReadFileWithDOT".快速破解 - 将您的文件重命名为“.cannotReadFileWithDOT”。 he server will close reading files with a dot at the beginning of the name, but your scripts will be able to read them.服务器将关闭名称开头带有点的读取文件,但您的脚本将能够读取它们。 The plus is that the apache and nginx servers out of the box are configured to prohibit reading files with a dot at the beginning of the name.加分项是开箱即用的apache和nginx服务器配置为禁止读取名称开头带点的文件。
您可以将文件“example.txt”放在公共文件夹之外并从 readfile.php 中读取,如$content = file_get_contents("../example.txt");
You can call a file like this and the people don't see the filename:您可以像这样调用文件,而人们看不到文件名:
<?php
$file = 'example.txt';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
(source: php.net) (来源:php.net)
Would that work for you?这对你有用吗?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.