douyinbo3361 2017-05-22 17:23
浏览 18
已采纳

我如何拒绝直接访问目录,但允许从PHP脚本中进行访问?

I'm developing a web application and I need to save and show images and pdf documents.

I wanted to deny direct access to the images and documents and to its container file. I mean, that when someone try to acess via url to the folder, should receive a 403-forbidden error.

For this I created a .htaccess file inside the folder like this:

Order deny,allow
Deny from all

Using my web application, via a php script, there is no problem accessing the pdf docments like this

header('content-type: application/pdf');
readfile('../../../files/'.$document);

But when I try to access the images using <img style=max-width:100% src=../files/'.$image.'>' my access is denied and I receive a http status code 403 forbidden.

How can I access the images using my web application, but denying the direct access to the images?

Also I would like to know why I can access the pdf documents, but I can't access the images.

  • 写回答

2条回答 默认 最新

  • doubu0897 2017-05-22 17:30
    关注

    I would use a handler for either of these file types.

    Place the files outside of the web accessible file system. i.e. If your web root is /var/www/html then create /var/www/files/ directory and store all your files in there. 

    $file_id = intval($_REQUEST['file_id']);

$sql = sprintf("SELECT * FROM files WHERE file_id=%d",$file_id);
$query = $mysqli->query($sql);
$file = $result->fetch_assoc()

// add business logic for 
// if $user_id is allowed to view $file_id

if (preg_match("/\.pdf$/i",$file['filename'])){
    header('content-type: application/pdf');
} else  if (preg_match("/\.(jpg|gif|png)$/i",$file['filename'])){
    header('content-type: application/pdf');
} else {
    die("Unknown file type");
}

$full_path = sprintf("/var/www/files/%s",$file['filename']);
readfile($full_path);

    This would allow you to use your application logic to determine which files should be accessed by a user, record the access and keep them out of the web accessible directory.

    So instead of using something like this

    <img style=max-width:100% src=../files/'.$image.'>'

    I would suggest using a syntax similar to this for handling images

    <img style=max-width:100% src=/handler.php?file_id='.$file_id.'>'

    and a link like this for downloading PDFs

    <img style=max-width:100% src=/handler.php?file_id='.$file_id.'>'

    It should be pretty straight forward assuming your have a database of PDFs and images. Something simple like this.

    CREATE TABLE `files` (
  `file_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `file_name` varchar(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`file_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 stm32开发clion时遇到的编译问题
  • ¥15 lna设计 源简并电感型共源放大器
  • ¥15 如何用Labview在myRIO上做LCD显示?(语言-开发语言)
  • ¥15 Vue3地图和异步函数使用
  • ¥15 C++ yoloV5改写遇到的问题
  • ¥20 win11修改中文用户名路径
  • ¥15 win2012磁盘空间不足,c盘正常,d盘无法写入
  • ¥15 用土力学知识进行土坡稳定性分析与挡土墙设计
  • ¥70 PlayWright在Java上连接CDP关联本地Chrome启动失败,貌似是Windows端口转发问题
  • ¥15 帮我写一个c++工程