php - 保护文件下载在服务器上的文件夹中 &.htaccess 可见

Question

我正在使用如下的 php 文件代码列出目录中的文件，用户将从中检查所需文件并将它们下载为 zip 文件

我有两个问题

1) 如何保护文件免于使用 url 直接下载我希望文件仅通过 downloadlist.php 的表单操作下载(如果我在 .htaccess 中保留 denyall，下载的文件已损坏)

2) 这段代码还在下载列表中显示了 .htaccess(所以我怀疑他们是只列出 Docs、xls、pdf 的方法)

如果需要我可以提供downloadlist.php

<?php
function listDir($dirName) 
{  
    ?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n";
    if ($handle = opendir($dirName)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") { ?>    <input type=checkbox name="file[]" value="<?php  echo "$file";?>"><?php  echo "$file"; ?><br><?php  echo "\n";
            }
        }
    closedir($handle);
    }
    ?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php
}
listDir('./fold');  ?>

下载列表.php

<?php
// function download($file) downloads file provided in $file
function download($file) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}

$files = $_POST['file'];
if(empty($files)) 
{
    echo("You haven't selected any file to download.");
} 
else 
{
    $zip = new ZipArchive();
    $filename = time() . "archive.zip"; //adds timestamp to zip archive so every file has unique filename
    if ($zip->open($filename, ZIPARCHIVE::CREATE)!==TRUE) { // creates new zip archive
            exit("Cannot open <$filename>\n");
    }
    $N = count($files);
    for($i=0; $i < $N; $i++)
    {
      $zip->addFile($files[$i], $files[$i]); //add files to archive
    }
    $numFiles = $zip->numFiles;
    $zip->close();

    $time = 8; //how long in seconds do we wait for files to be archived.
    $found = false;
    for($i=0; $i<$time; $i++){

     if($numFiles == $N){   // check if number of files in zip archive equals number of checked files
        download($filename);
        $found = true;
        break;
     }
     sleep(1); // if not found wait one second before continue looping
 }

 if($found) { }
     else echo "Sorry, this is taking too long";
 } ?>

Answer 1

将此行添加到 fold 目录中的 .htaccccess 文件中!

deny from all

并编辑这一行:

  $zip->addFile($files[$i], $files[$i]); //add files to archive

收件人:

  $zip->addFile('./fold/'.$files[$i], $files[$i]); //add files to archive

和listDir函数:

  <?php

function listDir($dirName) 
{  
    $forbidden_files=array('.htaccess','.htpasswd');
    $allow_ext=array('.gif','.png','.bmp','.jpeg','.jpg','.pdf','.doc','.docx','.xls','.xlsx','.php');
    ?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n";
    if ($handle = opendir($dirName)) {
        while (false !== ($file = readdir($handle))     ) {
            $allowed=(strpos($file,'.')!==false  &&  in_array(substr($file,strpos($file,'.')) ,$allow_ext ));

           if ($file != "." && $file != ".."  && $allowed ) { ?>    <input type=checkbox name="file[]" value="<?php  echo "$file";?>"><?php  echo "$file"; ?><br><?php  echo "\n";
            }
        }
    closedir($handle);
    }
    ?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php
}
listDir('./fold');  ?>