3

我正在使用如下的 php 文件代码列出目录中的文件,用户将从该目录中检查所需文件并将它们下载为 zip 文件

我有 2 个问题

1)如何保护文件不使用url直接下载我希望文件只能通过downloadlist.php的表单操作下载(如果我在.htaccess中保留denyall,下载的文件已损坏)

2)这段代码还在下载列表中显示.htaccess(所以我怀疑他们是只列出Docs、xls、pdf的方法)

如果需要,我可以提供 downloadlist.php

<?php
function listDir($dirName) 
{  
    ?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n";
    if ($handle = opendir($dirName)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") { ?>    <input type=checkbox name="file[]" value="<?php  echo "$file";?>"><?php  echo "$file"; ?><br><?php  echo "\n";
            }
        }
    closedir($handle);
    }
    ?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php
}
listDir('./fold');  ?>

下载列表.php

<?php
// function download($file) downloads file provided in $file
function download($file) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}

$files = $_POST['file'];
if(empty($files)) 
{
    echo("You haven't selected any file to download.");
} 
else 
{
    $zip = new ZipArchive();
    $filename = time() . "archive.zip"; //adds timestamp to zip archive so every file has unique filename
    if ($zip->open($filename, ZIPARCHIVE::CREATE)!==TRUE) { // creates new zip archive
            exit("Cannot open <$filename>\n");
    }
    $N = count($files);
    for($i=0; $i < $N; $i++)
    {
      $zip->addFile($files[$i], $files[$i]); //add files to archive
    }
    $numFiles = $zip->numFiles;
    $zip->close();

    $time = 8; //how long in seconds do we wait for files to be archived.
    $found = false;
    for($i=0; $i<$time; $i++){

     if($numFiles == $N){   // check if number of files in zip archive equals number of checked files
        download($filename);
        $found = true;
        break;
     }
     sleep(1); // if not found wait one second before continue looping
 }

 if($found) { }
     else echo "Sorry, this is taking too long";
 } ?>
4

2 回答 2

1
  1. 将此添加到您的 htaccess 文件中:

    <FilesMatch "\.php$">
        allow from all
    </FilesMatch>
    deny from all
    
  2. 改变

    ($file != "." && $file != "..")
    

    ($file != "." && $file != ".." && $file != ".htaccess")
    

    或者,如果您只想列出具有特定扩展名的文件:

    ((substr($file, -strlen(".pdf")) === ".pdf" ||
     (substr($file, -strlen(".xls")) === ".xls" ||
     (substr($file, -strlen(".doc")) === ".doc")
    
于 2013-08-17T20:40:00.020 回答
1

.htacccess在目录中的文件中添加这一行fold

deny from all

并编辑这一行:

  $zip->addFile($files[$i], $files[$i]); //add files to archive

到:

  $zip->addFile('./fold/'.$files[$i], $files[$i]); //add files to archive

listDir功能:

  <?php

function listDir($dirName) 
{  
    $forbidden_files=array('.htaccess','.htpasswd');
    $allow_ext=array('.gif','.png','.bmp','.jpeg','.jpg','.pdf','.doc','.docx','.xls','.xlsx','.php');
    ?><form name="filelist" action="downloadList.php" method="POST"><?php echo "\n";
    if ($handle = opendir($dirName)) {
        while (false !== ($file = readdir($handle))     ) {
            $allowed=(strpos($file,'.')!==false  &&  in_array(substr($file,strpos($file,'.')) ,$allow_ext ));

           if ($file != "." && $file != ".."  && $allowed ) { ?>    <input type=checkbox name="file[]" value="<?php  echo "$file";?>"><?php  echo "$file"; ?><br><?php  echo "\n";
            }
        }
    closedir($handle);
    }
    ?><br><input type="submit" name="formSubmit" value="Zip and download" /></form><?php
}
listDir('./fold');  ?>
于 2013-08-17T21:40:12.767 回答