fileinput upload and preview, protecting the files

Time: 2017-12-11 14:50:52

Tags: php jquery security

What I want to know is how to protect these files from unrestricted access. I understand that if the files are not in a public folder, the jQuery plugin can't load them, but anyone can guess the final link, e.g. a user can just type in the link and download some other user's pictures. Is there any way to protect it?

jQuery:

function files(sort) {
        $.ajax({
            url: 'ajaxScripts/getFile.php',
            type: "POST",
            dataType: 'json',
            data: {sort: sort},
            async: false,
            success: function (data) {
                var preview = [];
                var test = [];
                $.each(data, function (key, item) {
                    preview.push(item.RelativePath);
                    console.log(item);
                    test.push({type: item.Type, caption: item.Title + ' ' + item.ExamDate, key: item.UserExamsID, url: 'ajaxScripts/deleteFile.php', downloadUrl: item.RelativePath});
                });
                $("#file-input").fileinput({
                    theme: 'fa',
                    uploadUrl: 'ajaxScripts/upload.php',
                    maxFileSize: 10000,
                    overwriteInitial: false,
                    initialPreview: preview,
                    initialPreviewAsData: true,
                    initialPreviewConfig: test,
                    purifyHtml: true

                });

            }, error: function (XMLHttpRequest, textStatus, errorThrown) {
                console.log("XMLHttpRequest=" + XMLHttpRequest + "; textStatus=" + textStatus + "; errorThrown=" + errorThrown);
            }
        });
    }

PHP: getFile.php

// getFile.php: returns the logged-in user's uploaded files as JSON
require_once 'DBconfig.php';           // provides the PDO handle $db_con
header('Content-Type: application/json');
session_start();
if (!isset($_SESSION['user_session'])) {
    // Not logged in: redirect (note that an AJAX caller only sees the redirect target's body)
    header("Location: /index.html");
    die();
}
$sort = $_POST['sort'];                // sort option sent by the jQuery code (not used in the query yet)
$userID = $_SESSION['user_session'];

try {
    // Only rows belonging to the logged-in user are returned
    $stmt = $db_con->prepare("SELECT `RelativePath`,`Title`,`ExamDate`, `UserExamsID`, `Type` FROM `userexams` WHERE `UserID`=:userid AND UserExamsID>21 ORDER BY `ExamDate` ASC");
    $stmt->bindParam(':userid', $userID, PDO::PARAM_INT);
    $stmt->execute();
    $res = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode($res);
} catch (PDOException $e) {
    echo $e->getMessage();
}

And upload.php: I won't post the code, but it basically creates a folder named after the userid inside the web root, so /uploads/{userid}, stores the file under its original name plus a random string at the end to avoid collisions between files with the same name, and then writes the path to the database together with the original filename and the ID of the user it belongs to.

1 answer:

Answer 0 (score: 0)

Store the uploaded files outside the webroot and return them with PHP after checking that the user is allowed to access them. For example:

// Let the browser know to expect a binary file
header('Content-Type: application/octet-stream');
session_start();
if (!isset($_SESSION['user_session'])) {
    // Block access for users not logged in
    header("HTTP/1.0 403 Forbidden");
    die();
}
$userID = $_SESSION['user_session'];

$path = $_GET['path'];
// Check the logged in user is requesting one of their own files
// (Probably want something more elaborate; this is just an example)
if (strpos($path, '/uploads/' . $userID . '/') === false) {
    header("HTTP/1.0 403 Forbidden");
    die();
}

// Security check the request is valid (again, just one example)
if (strpos($path, '..') !== false) {
    header("HTTP/1.0 403 Forbidden");
    die();
}

// Return the image
readfile('/path/to/uploads' . $path);

Wherever you want to request an image from the client, just call this script with the path as a parameter. If you want to display the image inline, you'll need to determine the correct MIME type and set it in the Content-Type header.
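As an added example (not the asker's or the answerer's code), here is a download script that looks the file up by its UserExamsID for the logged-in user instead of trusting a client-supplied path, so there is no path string for anyone to guess or tamper with. It assumes DBconfig.php provides the PDO handle $db_con as in the question, that upload.php has been changed to store files under a directory outside the webroot (UPLOAD_ROOT, an assumed location), and that RelativePath is stored relative to that directory.

```php
<?php
// download.php: added example, not part of the original question or answer.
// Assumes DBconfig.php (from the question) provides the PDO handle $db_con,
// that RelativePath is relative to UPLOAD_ROOT (a directory outside the webroot),
// and that the client passes the row id (UserExamsID) rather than a path.
require_once 'DBconfig.php';
session_start();

const UPLOAD_ROOT = '/var/www/private_uploads'; // assumed location, not the page's

function deny(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain');
    die($msg);
}

if (!isset($_SESSION['user_session'])) {
    deny(403, 'Forbidden');
}
$userID = (int) $_SESSION['user_session'];
$examID = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($examID === false || $examID === null) {
    deny(400, 'Bad request');
}

// Authorisation comes from the database row, not from anything the client typed:
// the row must belong to the logged-in user, like the query in getFile.php.
$stmt = $db_con->prepare(
    "SELECT `RelativePath` FROM `userexams` WHERE `UserExamsID` = :id AND `UserID` = :userid"
);
$stmt->execute([':id' => $examID, ':userid' => $userID]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    deny(404, 'Not found'); // same response whether the id is another user's or does not exist
}

// Defence in depth: resolve the real path and confirm it is still under UPLOAD_ROOT,
// so a bad database value or a symlink cannot point outside the upload directory.
$root = realpath(UPLOAD_ROOT);
$full = realpath(UPLOAD_ROOT . '/' . $row['RelativePath']);
if ($root === false || $full === false || strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'Not found');
}

// Take the MIME type from the file contents and serve it inline (the answer's
// octet-stream header forces a download instead of showing a preview).
header('Content-Type: ' . (mime_content_type($full) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($full));
header('X-Content-Type-Options: nosniff');
readfile($full);
```

With this, the jQuery code's RelativePath/downloadUrl values become URLs such as download.php?id=123 (the UserExamsID already returned by getFile.php), and the only check that matters is the one in the SQL WHERE clause. If uploads can be anything other than images, restrict the types served inline, since an uploaded HTML file rendered inline runs in your site's origin.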