php 安全下载文件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10834196/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Secure files for download
提问by Somk
I want to have a folder, lets call it docs, that contains documents that logged in users can download. These have very sensitive information. How can I best secure the folder. I come from a PHP background so want to know if I have overlooked anything.
我想要一个文件夹,我们称之为 docs,其中包含登录用户可以下载的文档。这些有非常敏感的信息。我怎样才能最好地保护文件夹。我来自 PHP 背景,所以想知道我是否忽略了什么。
I will secure the folder with .htaccess and also when the users click download they are never shown the folder. The download is forced through to them via php removing the folder name.
我将使用 .htaccess 保护文件夹,并且当用户单击下载时,他们永远不会显示该文件夹。下载是通过 php 删除文件夹名称强制传递给他们的。
Of course to secure the users area I am implementing sanitation and validation on all input fields plus watching out for SQLInjections. Using an SSL connection. Turned off all php warnings. The secure area uses SESSION variables to control access and re-verify users for special tasks such as changing passwords. Plus a timeout feature of 10 minutes, after which the user has to re-enter details.
当然,为了保护用户区域,我正在对所有输入字段实施卫生和验证,并注意 SQLInjections。使用 SSL 连接。关闭所有 php 警告。安全区域使用 SESSION 变量来控制访问并重新验证用户的特殊任务,例如更改密码。加上 10 分钟的超时功能,之后用户必须重新输入详细信息。
I am trying to be as thorough as possible so any advice no matter how small will be welcomed.
我试图尽可能彻底,所以任何建议,无论多小都会受到欢迎。
回答by John Conde
Put the files outside of the webroot. Then using PHP pass the file though a script. That way no one can link to the file directly and bypass your controls. (Naturally make sure the script that does this only after verifying the user has permission to retrieve that file).
将文件放在 webroot 之外。然后使用 PHP 通过脚本传递文件。这样,没有人可以直接链接到文件并绕过您的控制。(当然,确保仅在验证用户有权检索该文件后执行此操作的脚本)。
Sample PHP:
示例 PHP:
<?php
if (!isset($_SESSION['authenticated'])) {
exit;
}
$file = '/path/to/file/outside/www/secret.pdf';
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
?>
回答by Dark
In addition of John Conde, you can rewrite the dl url into an other not sensible folder to honeypot the user who try to overpass their access.
除了 John Conde 之外,您还可以将 dl url 重写到另一个不合理的文件夹中,以蜜罐试图绕过其访问权限的用户。
And add this kind of rules in your htaccess
并在您的 htaccess 中添加此类规则
Options -Indexes
<files .htaccess>
order allow,deny
deny from all
</files>
#Add all file you want to protect except the one you share...
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
