


I'm developing a web application and I need to save and show images and pdf documents.

I wanted to deny direct access to the images and documents and to their container folder. I mean that when someone tries to access the folder via URL, they should receive a 403 Forbidden error.

For this I created a .htaccess file inside the folder like this:

Order deny,allow
Deny from all 

Using my web application, via a PHP script, there is no problem accessing the PDF documents like this:

header('content-type: application/pdf');
readfile('../../../files/' . $document);

But when I try to access the images using <img style=max-width:100% src=../files/'.$image.'>' my access is denied and I receive an HTTP status code 403 Forbidden.

How can I access the images using my web application, while denying direct access to the images?

Also I would like to know why I can access the pdf documents, but I can't access the images.


I would use a handler for either of these file types.

Place the files outside of the web-accessible file system, i.e. if your web root is /var/www/html, then create a /var/www/files/ directory and store all your files in there.

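$file_id = intval($_REQUEST['file_id']);

// intval() plus %d keeps the id numeric, so it cannot alter the query
$sql = sprintf("SELECT * FROM files WHERE file_id=%d", $file_id);
$result = $mysqli->query($sql);
$file = $result ? $result->fetch_assoc() : null;
if (!$file) {
    http_response_code(404);
    die("File not found");
}

// add business logic for 
// if $user_id is allowed to view $file_id

// choose the content type from the file extension
if (preg_match("/\.pdf$/i", $file['file_name'])) {
    header('content-type: application/pdf');
} else if (preg_match("/\.(jpg|gif|png)$/i", $file['file_name'], $m)) {
    $ext = strtolower($m[1]);
    header('content-type: image/' . ($ext === 'jpg' ? 'jpeg' : $ext));
} else {
    die("Unknown file type");
}

// basename() stops a stored name containing ../ from escaping the directory
$full_path = sprintf("/var/www/files/%s", basename($file['file_name']));
readfile($full_path);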

This would allow you to use your application logic to determine which files should be accessed by a user, record the access and keep them out of the web accessible directory.

So instead of using something like this

<img style=max-width:100% src=../files/'.$image.'>'

I would suggest using a syntax similar to this for handling images

<img style=max-width:100% src=/handler.php?file_id='.$file_id.'>'

and a link like this for downloading PDFs

<a href=/handler.php?file_id='.$file_id.'>Download PDF</a>'

It should be pretty straightforward, assuming you have a database of PDFs and images. Something simple like this.

CREATE TABLE `files` (
  `file_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `file_name` varchar(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`file_id`)
);
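
A hardened version of the lookup-and-send part of the handler described above, as an added example that is not part of the original answer. It resolves the stored name inside the files directory, detects the type from the file's bytes instead of its extension, and only serves an allow-list of types; `FILES_DIR`, the function names and the `$isAllowed` flag are assumptions standing in for your own paths and business logic.

```php
<?php
// Added example: hardened file lookup for handler.php. Paths and names are assumptions.
const FILES_DIR = '/var/www/files';            // outside the web root, as in the answer
const ALLOWED_TYPES = [                        // MIME types the handler will serve
    'application/pdf', 'image/jpeg', 'image/png', 'image/gif',
];

// Map a stored file name to a real path, or null if it would leave $baseDir.
function resolve_stored_file(string $baseDir, string $storedName): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $storedName);   // resolves ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Detect the type from the file's bytes rather than trusting its extension.
function detect_allowed_type(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, ALLOWED_TYPES, true) ? $mime : null;
}

// Send the file, or an error status. $isAllowed is the hypothetical business-logic result.
function serve_file(string $storedName, bool $isAllowed): void
{
    if (!$isAllowed) {
        http_response_code(403);
        return;
    }
    $path = resolve_stored_file(FILES_DIR, $storedName);
    $mime = $path !== null ? detect_allowed_type($path) : null;
    if ($mime === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

In handler.php this would be called after the database lookup, for example as `serve_file($file['file_name'], $userMayView)`, where `$userMayView` is whatever your own permission check returns.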

Try the rule below:

Order deny,allow
Deny from all
allow from

It will allow from your local server address on which your web app is hosted.


Options -Indexes

Use the above to turn off directory listing too; it will give a forbidden error.