验证下载文件

Question

我在服务器中有一些文件可供用户下载，但用户必须登录才能下载这些文件，因此文件格式为 rar 或 zip。在 php 中下载文件之前，有什么方法可以验证使用是否已记录？

<?php
session_start();

if (isset($_COOKIE['username']) AND isset($_COOKIE['hash']) {
    if (isset($_SESSION['url']) {
        Header("Location:".$_SESSION['url']);
    }
}

?>

Answer 1

是的，下面是使用方法 step1：防止zip文件直接访问

命令允许，拒绝 否认一切

第二步：

<?php
function output_file($file, $name, $mime_type='')
{
 if(!is_readable($file)) die('File not found or inaccessible!');
 $size = filesize($file);
 $name = rawurldecode($name);
 $known_mime_types=array(
    "htm" => "text/html",
    "exe" => "application/octet-stream",
    "zip" => "application/zip",
    "doc" => "application/msword",
    "jpg" => "image/jpg",
    "php" => "text/plain",
    "xls" => "application/vnd.ms-excel",
    "ppt" => "application/vnd.ms-powerpoint",
    "gif" => "image/gif",
    "pdf" => "application/pdf",
    "txt" => "text/plain",
    "html"=> "text/html",
    "png" => "image/png",
    "jpeg"=> "image/jpg"
 );

 if($mime_type==''){
     $file_extension = strtolower(substr(strrchr($file,"."),1));
     if(array_key_exists($file_extension, $known_mime_types)){
        $mime_type=$known_mime_types[$file_extension];
     } else {
        $mime_type="application/force-download";
     };
 };

 //turn off output buffering to decrease cpu usage
 @ob_end_clean(); 

 // required for IE, otherwise Content-Disposition may be ignored
 if(ini_get('zlib.output_compression'))
 ini_set('zlib.output_compression', 'Off');
 header('Content-Type: ' . $mime_type);
 header('Content-Disposition: attachment; filename="'.$name.'"');
 header("Content-Transfer-Encoding: binary");
 header('Accept-Ranges: bytes');

 // multipart-download and download resuming support
 if(isset($_SERVER['HTTP_RANGE']))
 {
    list($a, $range) = explode("=",$_SERVER['HTTP_RANGE'],2);
    list($range) = explode(",",$range,2);
    list($range, $range_end) = explode("-", $range);
    $range=intval($range);
    if(!$range_end) {
        $range_end=$size-1;
    } else {
        $range_end=intval($range_end);
    }

    $new_length = $range_end-$range+1;
    header("HTTP/1.1 206 Partial Content");
    header("Content-Length: $new_length");
    header("Content-Range: bytes $range-$range_end/$size");
 } else {
    $new_length=$size;
    header("Content-Length: ".$size);
 }

 /* Will output the file itself */
 $chunksize = 1*(1024*1024); //you may want to change this
 $bytes_send = 0;
 if ($file = fopen($file, 'r'))
 {
    if(isset($_SERVER['HTTP_RANGE']))
    fseek($file, $range);

    while(!feof($file) && 
        (!connection_aborted()) && 
        ($bytes_send<$new_length)
          )
    {
        $buffer = fread($file, $chunksize);
        echo($buffer); 
        flush();
        $bytes_send += strlen($buffer);
    }
 fclose($file);
 } else
 //If no permissiion
 die('Error - can not open file.');
 //die
die();
}
//Set the time out
set_time_limit(0);

//path to the file
$file_path='files/'.$_REQUEST['filename'];


//Call the download function with file path,file name and file type

if($_SESSION['userloggedin']){
output_file($file_path, ''.$_REQUEST['filename'].'', 'text/plain');
}else{
    echo "login";
}
?>

Answer 2

您可以像您提供的任何其他内容一样执行此操作。 php 文件不必返回text/html 文档。它可以提供任何数据，包括图像、pdf 或可执行文件。您只需使用正确的标题即可。

<?php
if(isset($_COOKIE['username']) && isset($_COOKIE['hash'])
{
  //The user is logged in... we have no clue if the user is allowed to download the file
  header( "Content-Type: image/jpeg" );
  header( "Cache-Control: private, max-age=0, no-cache" );

  file_get_contents( "images/image.jpg" );
  exit();
} else {
  header('HTTP/1.0 403 Forbidden');
  exit();
}

缓存控制标头用于防止客户端和您的服务器之间的服务器缓存此请求。 ISP 有时这样做是为了更快地提供公共文件。内容类型标头应根据您提供的文件设置为正确的 mime 类型。您可以在 wikipedia 上找到常见 mime 类型的列表。

重要

此答案使用“file_get_contents(...)”。您应该始终确保传递给此函数的 url 是健全的。这意味着：它应该指向一个现有的文件，并且它应该只指向一个你真正想要提供的文件。如果有人通过 '../../../.htaccess' 你不想不小心将该文件的内容泄露给用户！