我在服务器中有一些文件可供用户下载,但用户必须登录才能下载这些文件,因此文件格式为rar或zip。有没有办法验证在php下载文件之前已经记录了使用?
<?php
session_start();
if (isset($_COOKIE['username']) AND isset($_COOKIE['hash']) {
if (isset($_SESSION['url']) {
Header("Location:".$_SESSION['url']);
}
}
?>
答案 0 :(得分:1)
是的,下面是使用方法 step1:阻止zip文件直接访问
订单允许,否认 否认所有人
步骤2:
<?php
function output_file($file, $name, $mime_type='')
{
if(!is_readable($file)) die('File not found or inaccessible!');
$size = filesize($file);
$name = rawurldecode($name);
$known_mime_types=array(
"htm" => "text/html",
"exe" => "application/octet-stream",
"zip" => "application/zip",
"doc" => "application/msword",
"jpg" => "image/jpg",
"php" => "text/plain",
"xls" => "application/vnd.ms-excel",
"ppt" => "application/vnd.ms-powerpoint",
"gif" => "image/gif",
"pdf" => "application/pdf",
"txt" => "text/plain",
"html"=> "text/html",
"png" => "image/png",
"jpeg"=> "image/jpg"
);
if($mime_type==''){
$file_extension = strtolower(substr(strrchr($file,"."),1));
if(array_key_exists($file_extension, $known_mime_types)){
$mime_type=$known_mime_types[$file_extension];
} else {
$mime_type="application/force-download";
};
};
//turn off output buffering to decrease cpu usage
@ob_end_clean();
// required for IE, otherwise Content-Disposition may be ignored
if(ini_get('zlib.output_compression'))
ini_set('zlib.output_compression', 'Off');
header('Content-Type: ' . $mime_type);
header('Content-Disposition: attachment; filename="'.$name.'"');
header("Content-Transfer-Encoding: binary");
header('Accept-Ranges: bytes');
// multipart-download and download resuming support
if(isset($_SERVER['HTTP_RANGE']))
{
list($a, $range) = explode("=",$_SERVER['HTTP_RANGE'],2);
list($range) = explode(",",$range,2);
list($range, $range_end) = explode("-", $range);
$range=intval($range);
if(!$range_end) {
$range_end=$size-1;
} else {
$range_end=intval($range_end);
}
$new_length = $range_end-$range+1;
header("HTTP/1.1 206 Partial Content");
header("Content-Length: $new_length");
header("Content-Range: bytes $range-$range_end/$size");
} else {
$new_length=$size;
header("Content-Length: ".$size);
}
/* Will output the file itself */
$chunksize = 1*(1024*1024); //you may want to change this
$bytes_send = 0;
if ($file = fopen($file, 'r'))
{
if(isset($_SERVER['HTTP_RANGE']))
fseek($file, $range);
while(!feof($file) &&
(!connection_aborted()) &&
($bytes_send<$new_length)
)
{
$buffer = fread($file, $chunksize);
echo($buffer);
flush();
$bytes_send += strlen($buffer);
}
fclose($file);
} else
//If no permissiion
die('Error - can not open file.');
//die
die();
}
//Set the time out
set_time_limit(0);
//path to the file
$file_path='files/'.$_REQUEST['filename'];
//Call the download function with file path,file name and file type
if($_SESSION['userloggedin']){
output_file($file_path, ''.$_REQUEST['filename'].'', 'text/plain');
}else{
echo "login";
}
?>
答案 1 :(得分:1)
您可以像投放的任何其他内容一样执行此操作。 php文件不必返回text/html文档。它可以提供任何数据,包括图像,pdf或可执行文件。您只需使用正确的标题提供服务。
<?php
if(isset($_COOKIE['username']) && isset($_COOKIE['hash'])
{
//The user is logged in... we have no clue if the user is allowed to download the file
header( "Content-Type: image/jpeg" );
header( "Cache-Control: private, max-age=0, no-cache" );
file_get_contents( "images/image.jpg" );
exit();
} else {
header('HTTP/1.0 403 Forbidden');
exit();
}
缓存控制标头用于防止客户端和服务器之间的服务器缓存此请求。 ISP有时会这样做以更快地提供公共文件。应根据您所服务的文件将内容类型标头设置为正确的mime类型。您可以在wikipedia上找到常见的mime类型列表。
重要
这个答案使用'file_get_contents(...)'。您应该始终确保传递给此函数的URL是理智的。这意味着:它应该指向一个现有文件,它应该只指向您实际想要提供的文件。如果有人通过'../../../.htaccess',您不希望意外地将该文件的内容泄露给用户!