doulandai0641 2011-06-29 06:53
浏览 19
已采纳

如何在PHP中实现有限的文件访问?

I'm working on an application (LAMP) where users can upload files to the server but cannot share it's files with other users. So, my problem is to implement a secure mechanism that ensures user A cannot access to files uploaded by user B.

My approach is this:

  1. Each user has a folder for its files (/upload/userA)
  2. Add a .htaccess file to redirect all access to /upload folder to a PHP script
  3. Check if the user has permission to access to the subdirectory (/userA)

Can you see any drawback in this approach? Any better alternative?

  • 写回答

1条回答 默认 最新

  • douyan8070 2011-06-29 07:16
    关注

    Instead of making hard references to files, you can make something like download.php?id=1234 and just check for 1234 from database whether user has privileges to download the file and do not show the physical path to user at all.

    With HTTP headers, you can force users to download file with a filename you have desired (stored on database). Allowing users to directly access their files from physical paths is not a good idea and if you try to make a hook with .htaccess upon each request, that will be more expensive, indeed.

    Most systems consider generating some random strings or GUIDs that you can't simply access someone else's file by changing a character randomly. i.e. in Facebook images, ../187170_697610597_4628627_q.jpg there is that complicated URL which users can directly access but can not guess another image URL by changing a few digits, that's too difficult but not safe and does not meet your requirements.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 c语言写的8051单片机存储器mt29的模块程序
  • ¥60 求直线方程 使平面上n个点在直线同侧并且距离总和最小
  • ¥50 java算法,给定试题的难度数量(简单,普通,困难),和试题类型数量(单选,多选,判断),以及题库中各种类型的题有多少道,求能否随机抽题。
  • ¥50 rk3588板端推理
  • ¥250 opencv怎么去掉 数字0中间的斜杠。
  • ¥15 这种情况的伯德图和奈奎斯特曲线怎么分析?
  • ¥250 paddleocr带斜线的0很容易识别成9
  • ¥15 电子档案元素采集(tiff及PDF扫描图片)
  • ¥15 flink-sql-connector-rabbitmq使用
  • ¥15 zynq7015,PCIE读写延时偏大