代码之家 › 专栏 › 技术社区 › John

限制对资产的认可.pdf.jpg

pdf

John · 技术社区 · 16 年前

我想让用户能够上传.pdf和图像,并限制访问这些文件的用户权限的基础上。

 #Removes access to the secure_files folder by users.
 RewriteCond %{REQUEST_URI} ^secure_files.*
 RewriteRule ^(.*)$ /index.php?/$1 [L]


    ------
    -SQL
    ------

    ------
    - create files table
    -----
    CREATE TABLE `files` (
    id INT NOT NULL AUTO_INCREMENT,
    file_name VARCHAR(50) NOT NULL,
    PRIMARY KEY('id')
    );

    ------
    - create files table
    -----
    CREATE TABLE `privileges` (
    uesr_id INT NOT NULL,
    file_id INT NOT NULL,
    );

    ------
    - create users table
    -----
    CREATE TABLE `users` (
    id INT NOT NULL AUTO_INCREMENT,
    name VARCHAR(20) NOT NULL,
    email VARCHAR(50) NOT NULL,
    password CHAR(40) NOT NULL,
    PRIMARY KEY('id')
    );

    /*
    * pseudo-Codeigniter code. I can edit this to make 
    * it pure PHP if that would be more helpful 
    *
    */
    public function get_user_files($filename)
    {
       //this is set during login
       $user_id = $this->session->userdata('user_id');

      //check to see if the user has privileges to access the file and gets the file name
      $query = $this->db->join('privileges','privileges.id = files.id')
                     ->select('files.file_name')
                     ->where('privileges.user_id',$user_id)
                     ->where('files.file_name',$file_name)
                     ->limit(1)
                     ->get('files');

    $file = $query->row()->files.file_name;

   if($file)
   {
    //user has privileges to access the file so include it

    //WHAT DO I DO HERE!?!
    //start Would this work?
    $handle = fopen($file, "rb");
    $data['file'] = fread($handle, filesize($file));
    fclose($handle);
    //end would this work?
   }
  $this->load->view('files',$data);
}

2 回复 | 直到 6 年前

rook 16 年前

一个简单而安全的解决方案是使用以下模式。这将允许您限制对上载文件的访问,并避免上载.php文件的问题。文件大小由大小为16mb的longblob的大小限制。

CREATE TABLE `files` (
id INT NOT NULL AUTO_INCREMENT,
user_id INT NOT NULL,
file_name text NOT NULL,
file LONGBLOB NOT NULL,
PRIMARY KEY('id')
);

以下是上载文件的php代码:

$user_file=file_get_contents($_FILES['user_file']['tmp_name']);
//Make the file binary safe
$user_file=mysql_real_escape_string($user_file);
$file_name=mysql_real_escape_string($_FILES['user_file']['name']);
$user_file=mysql_real_escape_string($user_file);

mysql_query("insert into files (user_id,file_name,file)values ("$_SESSION[user_id]","$file_name","$user_file");

访问控制可以通过检查文件的用户id来实现。这个 content-type $_FILE[name][type] 但是,在允许用户下载文件时,此类型必须正确。例如,pdf应该具有此内容类型。 header('Content-type: application/pdf');

nettux 12 年前

为什么不把它们放在一个有 .htaccess 阻塞所有访问并使用php脚本发送相应的头文件,检查权限,然后用 readfile 功能?