protect files download in a folder on server &.htacess visible
Question
I am using a php file code as below to list out the files in a directory from which user will check the required files and download them as a zip file
I have 2 issues
1) How to protect files from Direct download using url i want the files to be downloaded only with form action that is through downloadlist.php (if i keep denyall in .htaccess , the downloaded file is corrupted )
2) this code also shows .htaccess in the list for download ( so i doubt is their a way to only list Docs,xls,pdf's)
i can provide downloadlist.php if required
<?php
function listDir($dirName)
{
?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n";
if ($handle = opendir($dirName)) {
while (false !== ($file = readdir($handle))) {
if ($file != "." && $file != "..") { ?> <input type=checkbox name="file[]" value="<?php echo "$file";?>"><?php echo "$file"; ?><br><?php echo "\n";
}
}
closedir($handle);
}
?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php
}
listDir('./fold'); ?>
downloadlist.php
<?php
// function download($file) downloads file provided in $file
function download($file) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
$files = $_POST['file'];
if(empty($files))
{
echo("You haven't selected any file to download.");
}
else
{
$zip = new ZipArchive();
$filename = time() . "archive.zip"; //adds timestamp to zip archive so every file has unique filename
if ($zip->open($filename, ZIPARCHIVE::CREATE)!==TRUE) { // creates new zip archive
exit("Cannot open <$filename>\n");
}
$N = count($files);
for($i=0; $i < $N; $i++)
{
$zip->addFile($files[$i], $files[$i]); //add files to archive
}
$numFiles = $zip->numFiles;
$zip->close();
$time = 8; //how long in seconds do we wait for files to be archived.
$found = false;
for($i=0; $i<$time; $i++){
if($numFiles == $N){ // check if number of files in zip archive equals number of checked files
download($filename);
$found = true;
break;
}
sleep(1); // if not found wait one second before continue looping
}
if($found) { }
else echo "Sorry, this is taking too long";
} ?>
2 answers
solution1
1 2013-08-17 20:40:00
Add this to your htaccess file:
<FilesMatch "\\.php$"> allow from all </FilesMatch> deny from allChange
($file != "." && $file != "..")To
($file != "." && $file != ".." && $file != ".htaccess")Or, if you only want to list files with a certain extension:
((substr($file, -strlen(".pdf")) === ".pdf" || (substr($file, -strlen(".xls")) === ".xls" || (substr($file, -strlen(".doc")) === ".doc")
solution2
1 ACCPTED 2013-08-17 21:40:12
Add this line in your .htacccess file in fold directory!
deny from all
And edit this line :
$zip->addFile($files[$i], $files[$i]); //add files to archive
To:
$zip->addFile('./fold/'.$files[$i], $files[$i]); //add files to archive
And listDir function:
<?php
function listDir($dirName)
{
$forbidden_files=array('.htaccess','.htpasswd');
$allow_ext=array('.gif','.png','.bmp','.jpeg','.jpg','.pdf','.doc','.docx','.xls','.xlsx','.php');
?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n";
if ($handle = opendir($dirName)) {
while (false !== ($file = readdir($handle)) ) {
$allowed=(strpos($file,'.')!==false && in_array(substr($file,strpos($file,'.')) ,$allow_ext ));
if ($file != "." && $file != ".." && $allowed ) { ?> <input type=checkbox name="file[]" value="<?php echo "$file";?>"><?php echo "$file"; ?><br><?php echo "\n";
}
}
closedir($handle);
}
?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php
}
listDir('./fold'); ?>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.