I'm currently working on a file uploading script in PHP, but I'm kind of stuck. Users are allowed to upload files such as PHP and JS, but I don't want the scripts to run when a user is trying to download them. Is it possible to block that somehow using htaccess or something?
You can write a wrapper PHP file that sends the file content to the browser. But first you have to make sure that your uploaded files are stored outside the web root so that no one can access them via browser, unintentionally or otherwise.
The wrapper PHP script can go something along these lines:
    <?php
    $f = $_GET[ "f" ];
    if ( filename_is_ok( $f ) && is_file( "../some_folder_outside_www/$f" ) )
    {
        header( "Content-Type: text/plain" );
        header( "Content-Disposition: attachment; filename=$f" );
        header( "Content-Length: " . filesize( "../some_folder_outside_www/$f" ) );
        readfile( "../some_folder_outside_www/$f" );
    }
    else
    {
        header("HTTP/1.0 404 Not Found");
        echo "File not found (or you're not supposed to view this file)";
    }
    function filename_is_ok( $f )
    {
        // You'll have to implement it yourself
        return false;
    }
    // example calls:
    // http://website.com/download.php?f=test.php
    // http://website.com/download.php?f=test.js
    ?>
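One way to fill in the filename_is_ok() stub from the wrapper above, shown as an added example that is not part of the original answer. The STORAGE_DIR constant, the resolve_download() helper and the allowed character set are assumptions chosen for illustration; the folder name is the one used in the answer.

```php
<?php
// Added example. STORAGE_DIR, resolve_download() and the allow-list are assumptions.
const STORAGE_DIR = __DIR__ . '/../some_folder_outside_www';

function filename_is_ok(string $f): bool
{
    // Reject empty names, anything carrying a path component, and dotfiles.
    if ($f === '' || $f !== basename($f) || $f[0] === '.') {
        return false;
    }
    // Allow-list: letters, digits, dot, underscore, hyphen; at most 255 bytes.
    // This also keeps quotes and CR/LF out of the response headers below.
    return preg_match('/\A[A-Za-z0-9._-]{1,255}\z/', $f) === 1;
}

function resolve_download(string $f): ?string
{
    if (!filename_is_ok($f)) {
        return null;
    }
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $f);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit inside $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$f = isset($_GET['f']) && is_string($_GET['f']) ? $_GET['f'] : '';
$path = resolve_download($f);

if ($path === null) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo 'File not found';
    exit;
}

// Serve as an opaque download so the browser neither renders nor sniffs it.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $f . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Requests such as download.php?f=../config.php or download.php?f=.htaccess fall through to the 404 branch, while download.php?f=test.php is sent as a download and never executed.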
You can change the file extension of the uploads, like
my-file.php.txt
my-file.js.txt
Assuming that .txt files don't get processed by PHP on your server...