問(wèn)題描述
我正在開(kāi)發(fā)一個(gè)允許注冊(cè)用戶(hù)(可以是任何人)上傳文件的系統(tǒng).我阻止了 mime 類(lèi)型等,試圖將文件限制為 .doc、.docx 和 .pdf 類(lèi)型,但為了提高安全性,它們被上傳到 webroot 之外的文件夾.
I am developing a system which allows registered users (who could be anybody) to upload files. I've block mime-types etc. to attempt to restrict the files to .doc, .docx and .pdf types, but for additional security, they are uploaded to a folder outside the webroot.
其他用戶(hù)可以選擇下載文件.我如何允許他們這樣做?顯然,我不能只添加指向該文件的鏈接,因?yàn)樗?webroot 之外.我不確定如何訪問(wèn)該文件!我想我可以使用 php 文件函數(shù)來(lái)訪問(wèn)該文件,但是我如何將它提供"給請(qǐng)求它的用戶(hù)?
Other users can then choose to download the files. How do I allow them to do that? Obviously I can't just put in a link to the file, as it's outside the webroot. I'm not sure how to reach the file though! I presume I can use the php file functions to get to the file, but how do I then 'serve it up' to the user who has requested it?
這一切可能會(huì)帶來(lái)哪些安全隱患?
What security implications might all of this have?
謝謝.
推薦答案
您需要一個(gè)執(zhí)行以下操作的 PHP 腳本:
You need a PHP script that does the following:
- 正確設(shè)置內(nèi)容類(lèi)型標(biāo)頭(取決于用戶(hù)正在下載的內(nèi)容)
- 正確設(shè)置內(nèi)容長(zhǎng)度標(biāo)頭(取決于文件大小)
- 打開(kāi)文件進(jìn)行讀取(可以使用fopen)
- 讀取文件并將其內(nèi)容輸出到輸出流
- 完成
您也可以使用 readfile 函數(shù)來(lái)做基本相同的事情.這是 PHP 網(wǎng)站上的一個(gè)示例:
You can also use readfile function to do basically the same. Here's an example from PHP's site:
<?php
$file = 'monkey.gif';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
?>
這篇關(guān)于如何允許用戶(hù)下載存儲(chǔ)在 webroot 之外的文件?的文章就介紹到這了,希望我們推薦的答案對(duì)大家有所幫助,也希望大家多多支持html5模板網(wǎng)!