douyinbo3361
douyinbo3361
2017-05-22 17:23
浏览 10
已采纳

我如何拒绝直接访问目录,但允许从PHP脚本中进行访问?

I'm developing a web application and I need to save and show images and pdf documents.

I wanted to deny direct access to the images and documents and to its container file. I mean, that when someone try to acess via url to the folder, should receive a 403-forbidden error.

For this I created a .htaccess file inside the folder like this:

Order deny,allow
Deny from all 

Using my web application, via a php script, there is no problem accessing the pdf docments like this

header('content-type: application/pdf');
readfile('../../../files/'.$document);

But when I try to access the images using <img style=max-width:100% src=../files/'.$image.'>' my access is denied and I receive a http status code 403 forbidden.

How can I access the images using my web application, but denying the direct access to the images?

Also I would like to know why I can access the pdf documents, but I can't access the images.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • doubu0897
    doubu0897 2017-05-22 17:30
    已采纳

    I would use a handler for either of these file types.

    Place the files outside of the web accessible file system. i.e. If your web root is /var/www/html then create /var/www/files/ directory and store all your files in there.

    $file_id = intval($_REQUEST['file_id']);
    
    $sql = sprintf("SELECT * FROM files WHERE file_id=%d",$file_id);
    $query = $mysqli->query($sql);
    $file = $result->fetch_assoc()
    
    // add business logic for 
    // if $user_id is allowed to view $file_id
    
    if (preg_match("/\.pdf$/i",$file['filename'])){
        header('content-type: application/pdf');
    } else  if (preg_match("/\.(jpg|gif|png)$/i",$file['filename'])){
        header('content-type: application/pdf');
    } else {
        die("Unknown file type");
    }
    
    $full_path = sprintf("/var/www/files/%s",$file['filename']);
    readfile($full_path);
    

    This would allow you to use your application logic to determine which files should be accessed by a user, record the access and keep them out of the web accessible directory.

    So instead of using something like this

    <img style=max-width:100% src=../files/'.$image.'>'
    

    I would suggest using a syntax similar to this for handling images

    <img style=max-width:100% src=/handler.php?file_id='.$file_id.'>'
    

    and a link like this for downloading PDFs

    <img style=max-width:100% src=/handler.php?file_id='.$file_id.'>'
    

    It should be pretty straight forward assuming your have a database of PDFs and images. Something simple like this.

    CREATE TABLE `files` (
      `file_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `file_name` varchar(255) NOT NULL DEFAULT '',
      PRIMARY KEY (`file_id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    
    点赞 评论
  • dongpin1059
    dongpin1059 2017-05-23 02:44

    Try with below rule,

    Order deny,allow
    Deny from all
    allow from 127.0.0.1
    

    It will allow from your local server address on which your web app is hosted.

    Edit:

    Options -Indexes
    

    Use above to turn off directory listing too, it will give forbidden error.

    点赞 评论

相关推荐