我的的public_html文件夹外存储为安全起见文件。不过,我想以某种方式链接到特定的文件,其中用户可以下载这些文件中的一个。
I have files stored outside the public_html folder for security purposes. However, I would like to link to specific files somehow where a user could download one of these files.
我使用的是jQuery脚本,让我到指定服务器路径作为上传的文件夹,它并上传的public_html文件夹之外。
I am using a jquery script that allows me to specify a server PATH as an upload folder, and it does upload outside the public_html folder.
唯一的问题是它需要我指定的URL这是用来下载的文件的上传路径。我想我也许可以是这样的:
The only problem is it requires me to specify a URL to the "upload path" which is used to download the files. I thought I might be able to something like:
public_html/redirect (contains htaccess which forwards all requests to "hiding" folder)
hiding (outside public_html)
A user clicks /redirect/file.doc and they download a file located at hiding/file.doc
这可能吗?如果没有,我怎么可以给特定的文件下载文件访问我的public_html目录之外?我知道我已经看到过...它做对其他脚本
Is this possible? If not, how can I give specific file download access to files outside of my public_html directory? I know I've seen it done on other scripts before...
您可以用这样的方法之一返回文件内容和文件信息头给用户的浏览器,只要确保没有其他在此之前被输出。
You can use method like this one to return file contents and file information headers to users browser, just make sure that nothing else is outputted before this.
我建议你把这个单独的文件和调用,例如的download.php
。
I suggest that you put this to separate file and call that for example download.php
.
function returnFile( $filename ) {
// Check if file exists, if it is not here return false:
if ( !file_exists( $filename )) return false;
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
// Suggest better filename for browser to use when saving file:
header('Content-Disposition: attachment; filename='.basename($filename));
header('Content-Transfer-Encoding: binary');
// Caching headers:
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
// This should be set:
header('Content-Length: ' . filesize($filename));
// Clean output buffer without sending it, alternatively you can do ob_end_clean(); to also turn off buffering.
ob_clean();
// And flush buffers, don't know actually why but php manual seems recommending it:
flush();
// Read file and output it's contents:
readfile( $filename );
// You need to exit after that or at least make sure that anything other is not echoed out:
exit;
}
// Added to download.php
if (isset($_GET['file'])) {
$filename = '/home/username/public_files/'.$_GET['file'];
returnFile( $filename );
}
这是基本的例子,并没有考虑到用户可能会尝试采取 $的一些邪恶的优点_ GET
未正确过滤。
这基本上意味着该用户可以例如,如果某些条件适用检索 passwd文件
文件或其他敏感信息。
This means basically that user can for example retrieve passwd
file or some other sensitive information if certain conditions apply.
例如,检索 / etc / passwd文件
:
只需指向浏览器 http://server.com/download.php?file=../../../etc/passwd
和服务器回报文件。所以真正使用之前,你应该了解如何正确检查和消毒任何用户提供的参数。
Just point browser to http://server.com/download.php?file=../../../etc/passwd
and server returns that file. So before real use you should find out how to properly check and sanitize any user supplied arguments.