A directory Apache can write to from PHP but will not serve files from

Time: 2022-10-05 20:39:32

I need to provide an unshared upload using php on apache on linux.

I can handle file uploads just fine, and move them to the desired folder. What I wanted to ask was how can I make it so that even if someone knew that folder and the filename, they could never download the file through a browser.

In other words, I need apache to be able to move the file to the folder, but to be unable to serve files from that folder.

Can php write to files outside the docroot? Is there something I can do with htaccess? Or even just linux directory permissions?

I was about to create a blank index.html and give the files a name containing a long random string (to make them unguessable) but decided there must be a better way.

Thanks all.

2 solutions

#1


2  

Upload your files outside the Apache DocumentRoot.

I.E.

DocumentRoot /var/www/public/

(where your php files are)

And upload in /var/www/uploads/
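
A check for the layout described in this answer, as an added example that is not part of the original answer: it confirms that an upload directory resolves to a location outside the DocumentRoot, including the sibling-prefix and symlink cases. The function names `canon` and `outside_docroot` are assumptions introduced here.

```shell
#!/bin/sh
# Added example: verify that an upload directory is not inside the DocumentRoot.

# canon DIR: print DIR with all symlinks resolved; fails if DIR does not exist.
canon() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# outside_docroot UPLOAD_DIR DOCROOT
# Returns 0 when UPLOAD_DIR resolves outside DOCROOT,
#         1 when it is the DocumentRoot itself or somewhere below it,
#         2 when either path cannot be resolved.
outside_docroot() {
    up=$(canon "$1") || return 2
    root=$(canon "$2") || return 2
    # Compare with a trailing slash so /var/www/public_old is not mistaken
    # for a child of /var/www/public.
    case "$up/" in
        "$root/"*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Typical call with the paths from the answer:
#   outside_docroot /var/www/uploads /var/www/public && echo "not under docroot"
```

This checks only the filesystem location; an Apache `Alias` or a symlink inside the DocumentRoot that points at the upload directory would still expose it.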

#2


1  

Yours is hardly a new problem -- numerous people (yours truly included) have at some point found their "upload" directories used by various file-traders... Fortunately, the solution is simple...

You can make Unix (and, I'm sure, Windows too) files and directories writable for a user or a group, but not readable. It is sometimes called "negative permissions", and some misguided individuals (and the scripts they create) frown at such settings, but there is nothing wrong with them.

For example, here is an actual file from my server. I ("mi") own it, and the group "www" (which httpd is running under) can write to it. But it can not read from it. All other legitimate users on the system can read it (which you may or may not want for your setup):

-rw--w-r--  1 mi    www    ....  /home/mi/public_html/.../download.log

The octal mode (for use with chmod) for the above settings is 0624. You can alter it to suit your needs. For example, if no other user on the system should be able to access the file at all, you'd use 0620...

You can also play with Apache's permission-settings to prevent serving from the directory, but that's far less straightforward than Unix file-system permissions. It will also mean additional work should you ever switch from Apache to a different web-server, or move from running PHP inside Apache to an application server, or whatever...
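
The permission logic this answer relies on, as an added example that is not part of the original answer: Unix applies exactly one permission class to a non-root process (owner, else group, else other), which is why mode 0624 denies read to the `www` group while still granting it to other users. The server user name `www`, the user `bob` and the group `users` are assumptions; the last case in the comments shows that a file owned by the server user itself falls under the owner bits instead.

```shell
#!/bin/sh
# Added example: which rwx triple governs a non-root process for a file mode.

# effective_access MODE FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Prints the triple (e.g. "-w-") that applies to the process.
effective_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        shift_by=6                  # owner bits apply, whatever the others say
    else
        shift_by=0                  # default: "other" bits
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                shift_by=3          # group bits take precedence over "other"
            fi
        done
    fi
    trio=$(( (0$mode >> $shift_by) & 7 ))   # leading 0 forces octal
    r=-; w=-; x=-
    [ $(( trio & 4 )) -eq 0 ] || r=r
    [ $(( trio & 2 )) -eq 0 ] || w=w
    [ $(( trio & 1 )) -eq 0 ] || x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# can_serve MODE FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Returns 0 if the process could read (and therefore serve) the file.
can_serve() {
    case $(effective_access "$@") in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Cases, using the owner "mi" and group "www" from the answer:
#   effective_access 0624 mi  www www "www"    # httpd in group www
#   effective_access 0624 mi  www bob "users"  # unrelated local user
#   effective_access 0620 mi  www bob "users"  # same user, mode 0620
#   effective_access 0624 www www www "www"    # file owned by the server user
```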
