1

您好我正在尝试从“上传”文件中下载文件。我正在使用薄cobe,但结果是“对不起,该文件似乎不存在”

这是我的电话

<a href="download.php?filename=<?php $row4['Arxeio'] ?>">Click here
to Download the File</a>

并下载.php

<?php  session_start();

$filename = $_GET['filename'];

$download_path = './upload/';

if(eregi("\.\.", $filename)) die("I'm sorry, you may not download that file.");

$file = str_replace("..", "", $filename);
// Make sure we can't download .ht control files. if(eregi("\.ht.+", $filename)) die("I'm sorry, you may not download that file.");

// Combine the download path and the filename to create the full path to the file. $file = '$download_path$filename';

// Test to ensure that the file exists. 
if(!file_exists($file)) die("I'm sorry, the file doesn't seem to exist.");
// Extract the type of file which will be sent to the browser as a header
$type = filetype($file); // Get a date and timestamp $today = date("F j, Y, g:i a"); $time = time(); // Send file headers header("Content-type: $type"); header("Content-Disposition: attachment;filename=$filename");
header("Content-Transfer-Encoding: binary"); 
header('Pragma: no-cache'); 
header('Expires: 0'); // Send the file contents.
set_time_limit(0); 
readfile($file);
?>
4

1 回答 1

3

在您的 HTML 中,您需要echo将文件名写入输出:

<a href='download.php?filename=<?php echo $row4['Arxeio']; ?>'>Click here to Download the File</a>

在 PHP 中接收文件名时,您必须对其进行验证以防止目录遍历攻击。验证它是否包含 no/..。你有一个基本的测试eregi()(顺便说一句,它已被弃用),但它可以简单地用strpos().

if (strpos($filename, "..") >= 0 || strpos($filename, "/") >= 0) {
  // Error! don't permit file download
}

还要查看PHP 关于 NULL 字节攻击保护的文档

更好的是,将其与$filename下载的有效文件名白名单进行比较:

if (in_array($filename, array('file1.jpg', 'file2.txt', 'file3.mov',...)) {
  // Ok, send the file.
}
else {
  // Invalid file
}
于 2012-08-05T22:03:56.860 回答