保護文件的下載服務器上的＆

Question

我使用如下的PHP文件的代碼，列出一個目錄中的文件從該用戶將檢查所需的文件和下載爲zip文件.htacess可見的文件夾中

我有2個問題

1）如何保護文件免受直接使用url下載我希望文件只能通過downloadlist.php的表單操作下載（如果我在.htaccess中保留denyall，下載的文件是損壞）

2）此代碼還顯示列表中的.htaccess下載（所以我懷疑是他們的方式只列出Docs，xls，pdf' S）

如果需要

<?php 
function listDir($dirName) 
{ 
    ?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n"; 
    if ($handle = opendir($dirName)) { 
     while (false !== ($file = readdir($handle))) { 
      if ($file != "." && $file != "..") { ?> <input type=checkbox name="file[]" value="<?php echo "$file";?>"><?php echo "$file"; ?><br><?php echo "\n"; 
      } 
     } 
    closedir($handle); 
    } 
    ?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php 
} 
listDir('./fold'); ?> 

downloadlist.php我可以提供downloadlist.php

<?php 
// function download($file) downloads file provided in $file 
function download($file) { 
    header('Content-Description: File Transfer'); 
    header('Content-Type: application/octet-stream'); 
    header('Content-Disposition: attachment; filename='.basename($file)); 
    header('Content-Transfer-Encoding: binary'); 
    header('Expires: 0'); 
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); 
    header('Pragma: public'); 
    header('Content-Length: ' . filesize($file)); 
    ob_clean(); 
    flush(); 
    readfile($file); 
    exit; 
} 

$files = $_POST['file']; 
if(empty($files)) 
{ 
    echo("You haven't selected any file to download."); 
} 
else 
{ 
    $zip = new ZipArchive(); 
    $filename = time() . "archive.zip"; //adds timestamp to zip archive so every file has unique filename 
    if ($zip->open($filename, ZIPARCHIVE::CREATE)!==TRUE) { // creates new zip archive 
      exit("Cannot open <$filename>\n"); 
    } 
    $N = count($files); 
    for($i=0; $i < $N; $i++) 
    { 
     $zip->addFile($files[$i], $files[$i]); //add files to archive 
    } 
    $numFiles = $zip->numFiles; 
    $zip->close(); 

    $time = 8; //how long in seconds do we wait for files to be archived. 
    $found = false; 
    for($i=0; $i<$time; $i++){ 

    if($numFiles == $N){ // check if number of files in zip archive equals number of checked files 
     download($filename); 
     $found = true; 
     break; 
    } 
    sleep(1); // if not found wait one second before continue looping 
} 

if($found) { } 
    else echo "Sorry, this is taking too long"; 
} ?> 

Answer 1

在.htacccess文件中加入這一行fold目錄！

deny from all 

和編輯這一行：

$zip->addFile($files[$i], $files[$i]); //add files to archive 

要：

$zip->addFile('./fold/'.$files[$i], $files[$i]); //add files to archive 

而且listDir功能：

<?php 

function listDir($dirName) 
{ 
    $forbidden_files=array('.htaccess','.htpasswd'); 
    $allow_ext=array('.gif','.png','.bmp','.jpeg','.jpg','.pdf','.doc','.docx','.xls','.xlsx','.php'); 
    ?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n"; 
    if ($handle = opendir($dirName)) { 
     while (false !== ($file = readdir($handle)) ) { 
      $allowed=(strpos($file,'.')!==false && in_array(substr($file,strpos($file,'.')) ,$allow_ext)); 

      if ($file != "." && $file != ".." && $allowed) { ?> <input type=checkbox name="file[]" value="<?php echo "$file";?>"><?php echo "$file"; ?><br><?php echo "\n"; 
      } 
     } 
    closedir($handle); 
    } 
    ?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php 
} 
listDir('./fold'); ?> 

Answer 2

1. 添加到您的htaccess文件：

   <FilesMatch "\.php$"> 
       allow from all 
   </FilesMatch> 
   deny from all 
   

2. 變化

   ($file != "." && $file != "..") 
   

   要

   ($file != "." && $file != ".." && $file != ".htaccess") 
   

   或者，如果你只想列出具有特定擴展名的文件：

   ((substr($file, -strlen(".pdf")) === ".pdf" || 
   (substr($file, -strlen(".xls")) === ".xls" || 
   (substr($file, -strlen(".doc")) === ".doc")