PHP:如何阻止对文件的直接 URL 访问,但仍允许登录用户下载它?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7127153/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP: How can I block direct URL access to a file, but still allow it to be downloaded by logged in users?
提问by Bing
I have a website where users should be able to log in and listen to a song (a self-created mp3). I want to make it so the logged in user can listen/download/whatever, and the file should reside on the server (not be stored in the MySQL database), but not be able to be accessed by non-users who have the path to the URL.
我有一个网站,用户应该可以在其中登录并收听歌曲(自制的 mp3)。我想让它使登录用户可以收听/下载/任何东西,并且文件应该驻留在服务器上(不存储在 MySQL 数据库中),但不能被具有路径的非用户访问到网址。
For example: say my mp3 is located at mysite.com/members/song.mp3 If you are logged in, you should be able to see the mysite.com/members/index.php page, which will allow access to the song.mp3 file. If you're not logged in, the mysite.com/members/index.php page will not show you the song.mp3 file, and linking directly to it should not grant access.
例如:假设我的 mp3 位于 mysite.com/members/song.mp3 如果您已登录,您应该能够看到 mysite.com/members/index.php 页面,该页面将允许访问该歌曲。 mp3 文件。如果您未登录,mysite.com/members/index.php 页面将不会向您显示 song.mp3 文件,并且直接链接到该文件不应授予访问权限。
I'm pretty sure this is done via htaccess, and I have done a lot of Googling already, and searched on here. The two closest answers I found were this htaccess guide http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/and this StackOverflow question Block direct access to a file over http but allow php script accessbut neither answer all my questions to meet my criteria. What am I missing?
我很确定这是通过 htaccess 完成的,我已经做了很多谷歌搜索,并在这里搜索。我找到的两个最接近的答案是这个 htaccess 指南http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/和这个 StackOverflow 问题Block direct access to a file over http but allow php script access但是两者都不回答我的所有问题以满足我的标准。我错过了什么?
回答by Victor
Into folder memberscreate new folder files, move here all your songs, create new .htaccessfile and add the following lines:
进入文件夹成员创建新文件夹文件,将所有歌曲移到此处,创建新的.htaccess文件并添加以下行:
Order Deny,Allow
Deny from all
Into folder memberscreate file get_song.phpand add the following code:
在文件夹成员中创建文件get_song.php并添加以下代码:
if( !empty( $_GET['name'] ) )
{
// check if user is logged
if( is_logged() )
{
$song_name = preg_replace( '#[^-\w]#', '', $_GET['name'] );
$song_file = "{$_SERVER['DOCUMENT_ROOT']}/members/files/{$song_name}.mp3";
if( file_exists( $song_file ) )
{
header( 'Cache-Control: public' );
header( 'Content-Description: File Transfer' );
header( "Content-Disposition: attachment; filename={$song_file}" );
header( 'Content-Type: application/mp3' );
header( 'Content-Transfer-Encoding: binary' );
readfile( $song_file );
exit;
}
}
}
die( "ERROR: invalid song or you don't have permissions to download it." );
And now, you can use this URL to get the song file:
http://mysite.com/members/get_song.php?name=my-song-name
现在,您可以使用此 URL 获取歌曲文件:http: //mysite.com/members/get_song.php?name=my-song-
name
回答by Marc B
The only thing you can do for this via .htaccess is require a referer that comes from your site, and it is NOT secure. it is beyond trivial to forge a referer and anyone could suck your site dry.
您可以通过 .htaccess 为此做的唯一一件事是需要来自您网站的引用,并且它不安全。伪造推荐人绝非易事,任何人都可以吸干您的网站。
The ONLYway you'll be able to have only logged-in users download the file is by placing the file OUTSIDE of your webroot and having a PHP script mediate access. In short:
只有登录用户才能下载文件的唯一方法是将文件放在 webroot 之外,并让 PHP 脚本进行中介访问。简而言之:
if (is_logged_in()) {
readfile($name_of_file);
} else {
die("Access denied");
}
回答by Nick
Are you using a scripting language such as PHP to handle your website? if so then the best way is to create a script that handles "delivery" of the content. Save the content in a protected directory, ie above your http or www folder. Then when the user is logged in, the link to your content would look like this:
您是否使用 PHP 等脚本语言来处理您的网站?如果是这样,那么最好的方法是创建一个脚本来处理内容的“交付”。将内容保存在受保护的目录中,即在您的 http 或 www 文件夹上方。然后当用户登录时,指向您内容的链接将如下所示:
http://yoursite.com/listen.php?song_id=xxx
http://yoursite.com/listen.php?song_id=xxx
the script will locate the required song by the id and then present the data to the user
脚本将通过 id 定位所需的歌曲,然后将数据呈现给用户
![php Laravel 到 SQL Server (sqlsrv)。[PDOException] 找不到驱动程序](/res/img/loading.gif)