I'm creating a simple private page with links to some files to download. I've done it with simple session management but I have a problem: if somebody clicks on the file-url he c
The top answer is definitely the way to protect other people from viewing the directory directly, but there's a better way to fix the PHP download vulnerability:
<?php
// Accept only a bare file name: basename() strips any directory part, so a value
// containing "../" or "/" will not equal its own basename and is rejected.
// Strict comparison (===) also rejects non-string values such as arrays.
if (isset($_GET['filename']) && is_string($_GET['filename'])
    && basename($_GET['filename']) === $_GET['filename']) {
    // the author's code
    $my_download_folder = "./downloads/";
    header("Content-type: application/force-download");
    header("Content-Disposition: attachment; filename=\"" . basename($my_download_folder . $_GET["filename"]) . "\"");
    readfile($my_download_folder . $_GET["filename"]);
} else {
    // shoot back an error if the file that user wants to download is not permitted
    http_response_code(400);
    echo "Invalid file name.";
}
So just wrap around his PHP code with this if/else statement to prevent others from exploring your server.
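The answer above relies on the basename() comparison alone. The following is an added example, not code from the question or the answer, showing the same check combined with a realpath() containment test, so that a symlink inside the downloads folder pointing elsewhere, or a missing file, is also refused before readfile() runs. The function name resolve_download, the temporary directory and the sample file names are constructed for the demonstration.

```php
<?php
// Resolve a requested download name against a fixed base directory and return
// the absolute path, or null if the request must be refused.
// (Added example; resolve_download is a hypothetical helper name.)
function resolve_download(string $baseDir, string $requested): ?string
{
    // 1. The answer's check: only a bare file name is acceptable.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() returns false for missing files
    //    and follows symlinks, so the result reflects where the data really is.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // 3. The resolved file must sit directly under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration with a constructed temporary downloads directory.
$dir = sys_get_temp_dir() . '/downloads_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/report.pdf', 'sample content');

$cases = ['report.pdf', '../outside.txt', 'missing.pdf', 'sub/report.pdf', ''];
foreach ($cases as $name) {
    $resolved = resolve_download($dir, $name);
    printf("%-16s => %s\n", var_export($name, true), $resolved === null ? 'rejected' : 'ok');
}

unlink($dir . '/report.pdf');
rmdir($dir);
```

In a real handler, call resolve_download() first and only set the Content-Disposition header and call readfile() when it returns a path; any null result should produce the error response from the answer's else branch. Keep the downloads directory itself outside the web root so that the script is the only way to reach those files.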