public_html上面存储和读取图片
我正在尝试保护我的 PHP 图像上传脚本,我必须跨越的最后一个障碍是使用户无法直接执行图像,但服务器仍然可以在网页中提供它们。我尝试更改文件夹的所有权和权限但无济于事,因此我尝试存储 public_html 上面的图像并将它们显示在存储在 public_html 中的页面中。
我的文件结构:
- userimages
image.jpg
image2.jpg
- public_html
filetoserveimage.html
我尝试链接到 userimages 文件夹中的图像,如下所示:
<img src="../userimages/image.jpg">
但它不起作用。我在这里缺少什么吗?如果您有更好的建议请告诉我。我试图阻止公共用户执行他们可能上传的潜在危险文件。只是作为额外的安全措施。谢谢!
I am trying to secure my PHP Image upload script and the last hurdle I have to jump is making it so that users cannot directly excecute the images, but the server can still serve them in web pages. I tried changing ownership and permissions of the folders to no avail, so I am trying to store the images above public_html and display them in pages that are stored in public_html.
My File Structure:
- userimages
image.jpg
image2.jpg
- public_html
filetoserveimage.html
I tried linking to an image in the userimages folder like this:
<img src="../userimages/image.jpg">
But it does not work. Is there something I am missing here? If you have any better suggestions please let me know. I am trying to keep public users from executing potentially dangerous files they may have uploaded. Just as an extra security measure. Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
你想要的东西基本上是不可能的。
浏览器加载页面的方式(非常基本的意义上)是这样的:
步骤 1:下载页面。
步骤2:解析页面。
步骤 3:下载页面内容中引用的任何内容(图像、样式表、javascript 等)
每个“下载”事件都是原子的。
看起来您只想向刚刚下载了引用这些图像的页面的人提供图像。
正如 PHP Jedi 所示,您可以通过 PHP 传递文件。您可以扩展他的代码,并检查请求上的 HTTP_REFERER 以确保人们不会“仅”抓取图像。
现在,通过 PHP passthru 脚本提供每个图像的效率不高,但它可以工作。
人们想要这样做的最常见原因是避免“热链接”——当人们在其他站点上创建引用您服务器上图像的图像标签时。当他们这样做时,您会花费资源来处理其他人页面上出现的请求。
如果这就是您真正想避免的,您可以使用 mod_rewrite 来检查引用者。
可以在此处找到有关热链接/反热链接的不错的讨论
You want something that's basically impossible.
The way a browser loads a page (in a very basic sense) is this:
Step 1: Download the page.
Step 2: Parse the page.
Step 3: Download anything referenced in the content of the page (images, stylesheets, javascripts, etc)
Each "Download" event is atomic.
It seems like you want to only serve images to people who have just downloaded a page that references those images.
As PHP Jedi illustrated, you can pass the files through PHP. You could expand on his code, and check the HTTP_REFERER on the request to ensure that people aren't grabbing "just" the image.
Now, serving every image through a PHP passthru script is not efficient, but it could work.
The most common reason people want to do this is to avoid "hotlinking" -- when people create image tags on other sites that reference the image on your server. When they do that, you expend resources handling requests that get presented on someone else's page.
If that's what you're really trying to avoid, you can use mod_rewrite to check the referer.
A decent-looking discussion of hotlinking/anti-hotlinking can be found here
使用图像中继脚本!
要提供 public_html 文件夹之外的图像文件,您必须通过 php 脚本来完成。例如,制作一个 image-relay.php 来读取公共 html 之外的图像...
现在,$_file 可以是 $_GET 参数,但它对于验证输入参数绝对重要...
现在您可以制作一个 < code>
访问位于 /myimage/flower.jpg 的flower.jpg 图像 ...
Use an image relay script!
To serve a imagefile that is outside the public_html folder you would have to do it by a php script. E.g make a image-relay.php that reads the image that is outside the public html...
Now, $_file could be a $_GET parameter, but its absolutley important to validate the input parameter...
now you can make an
<img src="image-relay.php?img=flower.jpg">to access a flower.jpg image that is located in /myimage/flower.jpg ...那么,网络浏览器只能访问 public_html 中的文件和文件夹。
Well, a web browser will only be able to access files and folders inside public_html.
如果
public_html目录是用户服务器的根目录,则 Apache 无法提供不在该目录内部/之下的任何内容。如果您希望 Apache 直接提供文件,则必须将其放在
public_html中/下面。If the
public_htmldirectory is the root of the server for your users, Apache cannot serve anything that is not inside/below that dorectory.If you want a file to be served by Apache directly, you'll have to put it in/below
public_html.我认为您的误解在于,如果您在
![]()
srcurl。因此,要么两者都起作用,要么两者都不起作用。
有一些黑客攻击,涉及一个(php 或其他)脚本来确保请求图像的 IP 在最后几秒钟内也请求了 html 页面(如果用户位于轮换传出的代理后面,则这将不起作用) IP)或通过检查引用站点(这不适用于 HTTP,并且如果用户禁用了引用站点也不起作用)。
如果您想确保只有某些用户可以看到图像(通过
![]()
I think your misunderstanding is in the fact that if you include an image in an
<img>tag, your browser will send the exact same request to the webserver to fetch it, that will be sent to the webserver if you try to open thesrcurl of the image in your browser directly.Therefore, either both things work, or neither.
There are hacks around, involving a (php or other) script to make sure that an IP that has requested the image has also requested the html page within the last few seconds (which will not work if the user is behind a proxy that rotates outgoing IPs) or by checking the referer (which does not work with HTTPs and also not if the user has referer disabled).
If you want to make sure that only some users can see the image (both via
<img>tag and directly), you can put the image outside public_html and have a (php or other) script that verifies the user's credentials before serving the image.如果您使用 Apache 或 lighttpd,您可以使用 X-Sendfile 标头发送不在 Web 根目录中的文件(前提是您没有更改 mod_xsendfile 的配置)。
要了解有关 X-sendfile 的更多信息,请参阅此
此解决方案为您提供最佳性能,因为 PHP 不发送文件,但服务器发送文件,因此可以在提供文件时退出 PHP。
希望有帮助。
If you are using Apache or lighttpd you can use the X-Sendfile header to send files that are not in the web root(provided you haven't changed the configuration of mod_xsendfile).
To learn more about X-sendfile see this site.
This solution is giving you the best possible performance as PHP doesn't send the file but the server does and therefore PHP can be exited while the files are being served.
Hope that helps.