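Validate file download

Time: 2014-08-08 10:35:22

Tags: javascript php .htaccess

I have some files on my server that users can download, but a user must be logged in to download them; the files are in rar or zip format. Is there a way in PHP to verify that the user is logged in before the file is downloaded?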

<?php
session_start();

if (isset($_COOKIE['username']) AND isset($_COOKIE['hash'])) {
    if (isset($_SESSION['url'])) {
        Header("Location:".$_SESSION['url']);
    }
}

?>

2 answers:

Answer 0 (score: 1)

Yes, here is how to do it. Step 1: block direct access to the zip files

  Order allow,deny
  Deny from all

Step 2:

<?php
function output_file($file, $name, $mime_type='')
{
 if(!is_readable($file)) die('File not found or inaccessible!');
 $size = filesize($file);
 $name = rawurldecode($name);
 $known_mime_types=array(
    "htm" => "text/html",
    "exe" => "application/octet-stream",
    "zip" => "application/zip",
    "doc" => "application/msword",
    "jpg" => "image/jpg",
    "php" => "text/plain",
    "xls" => "application/vnd.ms-excel",
    "ppt" => "application/vnd.ms-powerpoint",
    "gif" => "image/gif",
    "pdf" => "application/pdf",
    "txt" => "text/plain",
    "html"=> "text/html",
    "png" => "image/png",
    "jpeg"=> "image/jpg"
 );

 if($mime_type==''){
     $file_extension = strtolower(substr(strrchr($file,"."),1));
     if(array_key_exists($file_extension, $known_mime_types)){
        $mime_type=$known_mime_types[$file_extension];
     } else {
        $mime_type="application/force-download";
     };
 };

 //turn off output buffering to decrease cpu usage
 @ob_end_clean(); 

 // required for IE, otherwise Content-Disposition may be ignored
 if(ini_get('zlib.output_compression'))
 ini_set('zlib.output_compression', 'Off');
 header('Content-Type: ' . $mime_type);
 header('Content-Disposition: attachment; filename="'.$name.'"');
 header("Content-Transfer-Encoding: binary");
 header('Accept-Ranges: bytes');

 // multipart-download and download resuming support
 if(isset($_SERVER['HTTP_RANGE']))
 {
    list($a, $range) = explode("=",$_SERVER['HTTP_RANGE'],2);
    list($range) = explode(",",$range,2);
    list($range, $range_end) = explode("-", $range);
    $range=intval($range);
    if(!$range_end) {
        $range_end=$size-1;
    } else {
        $range_end=intval($range_end);
    }

    $new_length = $range_end-$range+1;
    header("HTTP/1.1 206 Partial Content");
    header("Content-Length: $new_length");
    header("Content-Range: bytes $range-$range_end/$size");
 } else {
    $new_length=$size;
    header("Content-Length: ".$size);
 }

 /* Will output the file itself */
 $chunksize = 1*(1024*1024); //you may want to change this
 $bytes_send = 0;
 if ($file = fopen($file, 'r'))
 {
    if(isset($_SERVER['HTTP_RANGE']))
    fseek($file, $range);

    while(!feof($file) && 
        (!connection_aborted()) && 
        ($bytes_send<$new_length)
          )
    {
        $buffer = fread($file, $chunksize);
        echo($buffer); 
        flush();
        $bytes_send += strlen($buffer);
    }
 fclose($file);
 } else
 //If no permission
 die('Error - can not open file.');
 //die
die();
}
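//Set the time out
set_time_limit(0);

//the session must be started before $_SESSION can be read
session_start();

//basename() drops any directory part, so "../" cannot leave files/
$file_name = basename(isset($_REQUEST['filename']) ? $_REQUEST['filename'] : '');

//path to the file
$file_path='files/'.$file_name;


//Call the download function with file path,file name and file type

if(!empty($_SESSION['userloggedin'])){
output_file($file_path, $file_name, 'text/plain');
}else{
    echo "login";
}
?>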

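Answer 1 (score: 1)

You can do this the same way as with any other content you serve. A php file does not have to return a text/html document. It can serve any data, including images, pdfs or executables. You just have to serve it with the correct headers.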

<?php
if(isset($_COOKIE['username']) && isset($_COOKIE['hash']))
{
  //The user is logged in... we have no clue if the user is allowed to download the file
  header( "Content-Type: image/jpeg" );
  header( "Cache-Control: private, max-age=0, no-cache" );

  //file_get_contents() only returns the data, so it has to be echoed
  echo file_get_contents( "images/image.jpg" );
  exit();
} else {
  header('HTTP/1.0 403 Forbidden');
  exit();
}

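The Cache-Control header is used to prevent servers between the client and the server from caching this request. ISPs sometimes do this to serve public files faster. The Content-Type header should be set to the correct mime type for the file you are serving. You can find a list of common mime types on wikipedia.

Important

This answer uses 'file_get_contents(...)'. You should always make sure that the URL passed to this function is sane. That means: it should point to an existing file, and it should only point to a file you actually want to serve. If someone passes '../../../.htaccess', you don't want to accidentally leak the contents of that file to the user!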
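
An added example, not part of either answer: one way to combine the login check with the path check described above, so that a requested name such as '../../../.htaccess' is rejected before any file is read. The directory `private_files`, the `filename` query parameter handling, and the names `DOWNLOAD_DIR`, `ALLOWED_TYPES` and `resolve_download()` are assumptions made for this sketch; `$_SESSION['userloggedin']` is the key used in answer 0.

```php
<?php
// Added example; DOWNLOAD_DIR, ALLOWED_TYPES and resolve_download() are hypothetical names.
session_start();

// Assumption: the archives are stored outside the web root.
const DOWNLOAD_DIR  = __DIR__ . '/../private_files';
const ALLOWED_TYPES = ['zip' => 'application/zip', 'rar' => 'application/vnd.rar'];

// Map a user-supplied name to a real file below $baseDir, or return null.
function resolve_download(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false means no such file.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // After resolution the path must still start with the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $real : null;
}

// Login check as in answer 0 (assumes the login code sets this session key).
if (empty($_SESSION['userloggedin'])) {
    http_response_code(403);
    exit;
}

$requested = isset($_GET['filename']) && is_string($_GET['filename']) ? $_GET['filename'] : '';
$path = resolve_download($requested, DOWNLOAD_DIR);
if ($path === null) {
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, max-age=0, no-cache');
readfile($path);
```

Because the comparison is made on the resolved path, a symlink inside the directory that points elsewhere is rejected as well as a literal "../" sequence.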