PHP: How can I block direct URL access to a file, but still allow it to be downloaded by logged in users?

囚心锁ツ 2020-11-28 19:22

I have a website where users should be able to log in and listen to a song (a self-created mp3). I want to make it so the logged in user can listen/download/whatever, and t

3 Answers
  • 2020-11-28 19:41

    The only thing you can do for this via .htaccess is require a referer that comes from your site, and it is NOT secure. It is beyond trivial to forge a referer, and anyone could suck your site dry.

    The ONLY way you'll be able to have only logged-in users download the file is by placing the file OUTSIDE of your webroot and having a PHP script mediate access. In short:

    if (is_logged_in()) {
       readfile($name_of_file);
    } else {
       die("Access denied");
    }
    
  • 2020-11-28 19:48

    Are you using a scripting language such as PHP to handle your website? If so, then the best way is to create a script that handles "delivery" of the content. Save the content in a protected directory, i.e. above your http or www folder. Then, when the user is logged in, the link to your content would look like this:

    http://yoursite.com/listen.php?song_id=xxx

    The script will locate the required song by the ID and then present the data to the user.

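An added example (not code from any of the answers on this page) of the `listen.php?song_id=xxx` approach described above: the script checks the session, accepts only an integer ID, maps it to a file stored outside the web root, and confirms the resolved path is still inside the song directory before streaming it. Assumptions: the site's login code sets `$_SESSION['user_id']`, and the `SONG_DIR` path and the `$SONGS` catalogue are hypothetical stand-ins for your own storage and database lookup.

```php
<?php
// listen.php: added example, not the original posters' code.
// Assumes the login code sets $_SESSION['user_id'] (hypothetical key).
declare(strict_types=1);
session_start();

const SONG_DIR = '/srv/media/songs';   // assumed path, outside DOCUMENT_ROOT
$SONGS = [                             // constructed sample catalogue (ID => file)
    1 => 'first-demo.mp3',
    2 => 'live-session.mp3',
];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Only logged-in users get any further.
if (empty($_SESSION['user_id'])) {
    deny(403, 'Access denied');
}

// 2. The client supplies an integer ID, never a file name or path.
$id = filter_input(INPUT_GET, 'song_id', FILTER_VALIDATE_INT);
if ($id === false || $id === null || !isset($SONGS[$id])) {
    deny(404, 'Unknown song');
}

// 3. Resolve symlinks and ".." and confirm the file is still under SONG_DIR.
$base = realpath(SONG_DIR);
$path = realpath(SONG_DIR . '/' . $SONGS[$id]);
$prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $prefix, strlen($prefix)) !== 0) {
    deny(404, 'Unknown song');
}

session_write_close();                 // release the session lock while streaming
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Cache-Control: private, no-store');   // keep it out of shared caches
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

`readfile()` sends the whole file and does not honour `Range` requests, so seeking in a browser audio player needs additional handling.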
  • 2020-11-28 19:57

    In the members folder, create a new folder named files, move all your songs there, create a new .htaccess file and add the following lines:

    Order Deny,Allow
    Deny from all
    


    In the members folder, create a file named get_song.php and add the following code:

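    <?php
    // accept only a non-empty string (a name[]=... array would break preg_replace below)
    if( !empty( $_GET['name'] ) && is_string( $_GET['name'] ) )
    {
      // check if user is logged (is_logged() is the site's own login check)
      if( is_logged() )
      {
        // keep only letters, digits, underscore and hyphen, so "../" cannot leave the folder
        $song_name = preg_replace( '#[^-\w]#', '', $_GET['name'] );
        $song_file = "{$_SERVER['DOCUMENT_ROOT']}/members/files/{$song_name}.mp3";
        if( file_exists( $song_file ) )
        {
          // private: shared caches must not store a members-only file
          header( 'Cache-Control: private' );
          header( 'Content-Description: File Transfer' );
          // send only the file name, not the full server path
          header( "Content-Disposition: attachment; filename=\"{$song_name}.mp3\"" );
          header( 'Content-Type: audio/mpeg' );
          header( 'Content-Transfer-Encoding: binary' );
          readfile( $song_file );
          exit;
        }
      }
    }
    die( "ERROR: invalid song or you don't have permissions to download it." );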
    


    And now, you can use this URL to get the song file:
    http://mysite.com/members/get_song.php?name=my-song-name
