PHP readfile - force download

Posted on 2024-09-06 04:36:00 · 402 characters · 8 views · 0 comments

I am using a flash player to play some mp3 files. At firefox it loads them normally but at IE it doesn't. When i go to the url of the .mp3 file it shows the source code of the mp3 (instead of offering eg to download). So i used a small script to fix it:

<?php
// Script as posted: the file path is taken straight from the query string
// and passed to readfile() without any validation.
$url = $_GET['url'];
header('Content-type: application/force-download');
header('Content-Transfer-Encoding: Binary');
header("Content-disposition: attachment; filename=demo.mp3");
readfile($url);

I would like to ask you if the above is safe. Moreover, does the server lose bandwidth this way? And finally, does it influence the server's resources?
Thanks.


Comments (4)

蹲墙角沉默 2024-09-13 04:36:00

No, that's not safe. If you had your database password in database.php and I entered database.php as $_GET['url'], your script would send me that PHP file with your password in it.

Yes, this would use up bandwidth and some server resources.

酒解孤独 2024-09-13 04:36:00

It's not safe, and it shouldn't be necessary for you to do it this way.

In addition to the security implications @ceejayoz outlines, if the allow_url_fopen PHP setting is enabled, it is also possible to insert any URL into $url. That way, your server could be easily misused to stream large amounts of data from other servers, with all kinds of implications.

This method of serving files should be used only when really necessary. It consumes more resources (because an expensive PHP process has to be started) than requesting a static resource through the web server.

It should not be necessary in your case anyway. It sounds like your web server is not serving the correct content-type header along with your MP3 files. That is what you should fix.

Maybe, if you're on Apache, adding a .htaccess file to the directory the MP3s are in with the following content:

AddType audio/mpeg .mp3

already fixes the problem. If it doesn't, but the force-download thing works, then try

AddType application/force-download .mp3

流心雨 2024-09-13 04:36:00

Your actual problem is that you are not sending the content-type header to the client when you serve the mp3 file. Ensure that you are setting the content-type header prior to sending the contents of the mp3 file.

If you're serving them directly from your web server, without a script, you simply need to configure the content-type in your web server's configuration.

For Apache, you can configure this in an .htaccess file:

AddType audio/mpeg .mp3

倒带 2024-09-13 04:36:00

Yeah, there is definitely a security risk here since you aren't validating/sanitizing the requested file path. So make sure you check that before sending files down to the user!

Although this will use bandwidth and server resources, it would be minimally more than downloading files regularly. The only extra overhead is processing/running the PHP. You probably won't notice a difference.
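The answers above make three points about the posted script: an unvalidated path lets a request read files like database.php (first answer), with allow_url_fopen enabled the path can even be a remote URL (second answer), and the real fix is to send the right Content-Type (all of them). The following is an added example, written for this page and not taken from the question or from any of the answers, of a hardened replacement that addresses all three at once. It assumes the MP3s live in a "media" directory next to the script and that the request uses a query parameter named "file"; both names are assumptions, not anything the page specifies.

```php
<?php
// Added example (not the question's or any answer's code): a confined version
// of the download script. It serves only files that sit inside one fixed
// directory and carry an allow-listed extension, so neither "../database.php"
// nor "http://other-host/large-file" can be requested.

// Assumed layout: MP3s are stored in ./media relative to this script.
const MEDIA_DIR = __DIR__ . '/media';
// Extension allow-list mapped to the Content-Type the browser should receive.
const ALLOWED_EXT = ['mp3' => 'audio/mpeg'];

/**
 * Resolve a user-supplied name to a regular file inside MEDIA_DIR.
 * Returns the absolute path on success or null when the request is rejected.
 */
function resolveMediaFile(string $requested): ?string
{
    // Keep only the final path component. This discards directory traversal
    // ("../") and any URL scheme ("http://...") before the filesystem is touched.
    $name = basename($requested);

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null; // not a media type we are willing to serve
    }

    $base = realpath(MEDIA_DIR);
    $path = realpath(MEDIA_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // directory missing, file missing, or not a regular file
    }

    // realpath() follows symlinks, so verify the final location is still
    // underneath MEDIA_DIR rather than trusting the name alone.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

$path = resolveMediaFile($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
// Send the real MIME type instead of application/force-download so that the
// Flash player (and any browser) knows what it is receiving.
header('Content-Type: ' . ALLOWED_EXT[$ext]);
header('Content-Length: ' . filesize($path));
// Use "attachment" instead of "inline" if you want a download prompt.
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Requesting ?file=song.mp3 streams media/song.mp3 with Content-Type audio/mpeg; ?file=../database.php and ?file=http://example.invalid/x.mp3 both collapse to a bare filename via basename(), fail the extension or existence checks, and get a 404. As the second answer notes, if the web server can serve the directory itself, the .htaccess AddType line is cheaper than routing every download through PHP; this script is for the case where the files must stay outside the document root.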
