
indirect path for download files

Developer https://www.devze.com 2022-12-24 10:48 Source: Internet
I need to create a download section on my website, but my concern is that I want my users to be able to download files only with indirect links, to prevent them from sharing my files on my server.

Such as:

http://mysite.com/download/12.zip

to

http://mysite.com/download/12

Is there a way in PHP to do so?


You may want to look into checking the value of $_SERVER['HTTP_REFERER'] before allowing a download to make sure they are not coming from another page.

As for hiding, just do it in the form

yoursite.com/download.php?file=filename

Then in your code just readfile() the contents of the file in a hidden directory - you can deny physical access with .htaccess if you are really concerned, or you can start the directory name with a . which will again stop outside access. It's not really necessary though, as there will be no way of knowing (or guessing) the hidden directory name.

As a side note, if you are doing any database access and are offering large files for download, you must close the database connection before the readfile(), as the connection will be considered 'open' for the entire duration (even if it is a ten-minute download) and it's very easy to hit the max connection limit in this situation.


Some methods to prevent hotlinking I can think of (in growing complexity order).

  1. Check $_SERVER['HTTP_REFERER']; if it belongs to your site or it's blank, allow download; if it belongs to another site, deny download.

  2. Store a random ID in session when the user visits the listing and read it in the download script.

  3. Generate a temporary link with a random ID: /download-4Gaw4MWfTH6dB9UgKILSFc2UlnIPRhMv/12.zip

(I'm not sure of what you meant in your example but removing the file extension from the URL is hardly a security measure.)


Store the actual files outside of the public html area, then in your PHP script simply send the appropriate headers (Content-Type, Content-Length, Content-Disposition), and finally readfile() the file from the private location.


reko_t is on the spot here.

If your document root is, e.g., /var/www/mysite, you can use a folder like, say, /var/www/files. This will make your files inaccessible from the web. Then you have to create a download script in PHP. You can use realpath to generate the absolute path if you need to use relative paths ($filename = realpath("../files/$fileid.$fileext");).

Take a look at the user comments in the readfile documentation on php.net and look for the function readfile_chunked. I am using that function in my own code. Very useful.


You could stream your files through PHP to the end user. This would make it possible to hide and protect your files at the same time.

Take a look at the PHP header page; if you scroll down there will be quite a lot of examples on how to stream files through PHP. Most of them you can just copy and put to use.
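
One way to combine the suggestions in the answers above (files kept outside the document root, a temporary link instead of a file name, headers followed by readfile()), as an added example that is not code from any of the posters. The constants FILES_DIR and LINK_SECRET, the id/exp/sig query parameters and the `<id>.zip` naming scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example (not from the answers). Hypothetical names: FILES_DIR,
// LINK_SECRET, the id/exp/sig query parameters, the "<id>.zip" naming scheme.
const FILES_DIR   = '/var/www/files';  // outside the document root
const LINK_SECRET = 'replace-with-a-long-random-secret';  // placeholder

// Used by the listing page to build a temporary link valid for $ttl seconds.
function make_link(int $id, int $ttl = 600): string
{
    $exp = time() + $ttl;
    $sig = hash_hmac('sha256', "$id|$exp", LINK_SECRET);
    return "/download.php?id=$id&exp=$exp&sig=$sig";
}

// Return the absolute path for a valid request, or null if it must be refused.
function resolve_download(array $q): ?string
{
    $id  = $q['id']  ?? '';
    $exp = $q['exp'] ?? '';
    $sig = $q['sig'] ?? '';
    // Digits only: the ID never carries a path or an extension.
    if (!is_string($id) || !is_string($exp) || !is_string($sig)
        || !ctype_digit($id) || !ctype_digit($exp)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$id|$exp", LINK_SECRET);
    if (!hash_equals($expected, $sig) || (int) $exp < time()) {
        return null;  // forged or expired link
    }
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . "/$id.zip");
    // realpath() is false for a missing file; also confirm containment.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_download($_GET);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/zip');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Because the request carries only a numeric ID that is checked before it touches the filesystem, a value such as `../config` never reaches realpath(), and a link copied to another site stops working once `exp` has passed.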
