PHP: hiding a download link

Posted 2024-10-30 17:32:10 · 648 characters · 4 views · 0 comments


I'm looking to make a simple PHP microsite that allows the download of one of my band's tracks in exchange for an email address. I know I could use Bandcamp but I want to do it myself ;)

I found a microsite from a band I like that does exactly what I want so I tried to pick it to pieces. The site is http://threetrappedtigers.heroku.com. This site basically gets you to enter your email address which it then must put in a database (unless it finds a match for that email address in the DB).

You can then view the download button and download the file without revealing the source URL of the file. The href for that button is "download/", leading me to assume that there is an index.php in the download directory, which must require some sort of session id (presumably set up when submitting your email) to stop people linking directly to it. However, the file also does some work that I don't know about in order to obscure the link.

The other aspect I don't understand is that on the page where the email is inputted there is a hidden input that submits a random authenticity_token when submitting the email address. I can't quite work out why that is necessary either.

Apologies for this horribly specific question, but I've been trying to work it out all morning and can't quite get my head around it.

Thanks,

Rich


Comments (2)

只为守护你 2024-11-06 17:32:11


What you can do is this:

  1. User enters an email address
  2. Verify (or not, depends on your wishes) by sending an email with a link that contains a token. i.e.: http://myawesomband.com/downloadtrack.php?token=asd#%$dhj123
  3. downloadtrack.php validates the token and loads the sample track with file_get_contents() and offers it as a download (see specific headers on the php.net site)

The advantage is that the user doesn't know where the file is located (it is best if you place the sample track outside of the webroot).

[EDIT]
For your hidden input field token: This might be used to confuse bots and other scripts that will only post the 'email' field in large quantities. If the token isn't sent or doesn't match the $_SESSION['token'] value, the request isn't handled. This works because scripts that do these kinds of attacks generally don't accept cookies, so their $_SESSION array is never reloaded.
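The three steps above and the hidden-token check, put together as one PHP script. This is an added example, not the answerer's code or anything from the heroku site in the question. It assumes the track lives outside the webroot at a placeholder path (TRACK_PATH), that issued tokens are kept in a placeholder JSON file (TOKEN_STORE) standing in for the database, and that the script itself is served as downloadtrack.php; the e-mail sending step is only indicated, not performed.

```php
<?php
// Added example, not from the original answer. TRACK_PATH and TOKEN_STORE are
// placeholders: the track sits outside the webroot, and a JSON file stands in
// for the database of issued tokens.
declare(strict_types=1);
session_start();

const TRACK_PATH  = '/srv/private/tracks/sample.mp3';    // placeholder, outside webroot
const TOKEN_STORE = '/srv/private/download_tokens.json'; // placeholder token "database"
const TOKEN_TTL   = 7 * 24 * 3600;                       // download links expire after a week

function load_store(): array
{
    if (!is_file(TOKEN_STORE)) {
        return [];
    }
    $data = json_decode((string) file_get_contents(TOKEN_STORE), true);
    return is_array($data) ? $data : [];
}

function save_store(array $store): void
{
    file_put_contents(TOKEN_STORE, json_encode($store), LOCK_EX);
}

// Steps 1 and 2: after the e-mail form is accepted, mint a random, URL-safe token
// and record only its hash with the address and an expiry. The mailed link is
// downloadtrack.php?token=<token>; the token, not the file path, is the secret.
function issue_download_token(string $email): string
{
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $store = load_store();
    $store[hash('sha256', $token)] = ['email' => $email, 'expires' => time() + TOKEN_TTL];
    save_store($store);
    return $token;
}

// Step 3: a presented token is valid if its hash is on record and not expired.
function token_is_valid(string $token): bool
{
    $store = load_store();
    $key = hash('sha256', $token);
    return isset($store[$key]) && $store[$key]['expires'] > time();
}

// Serve the file from outside the webroot. readfile() streams it to the client
// instead of loading the whole track into memory as file_get_contents() would.
function send_track(string $path, string $downloadName): void
{
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(404);
        exit('Track not found');
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . $downloadName . '"');
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

// The hidden authenticity_token from the question: one random value per session,
// echoed back by the form; posts that lack it or send a different one are rejected.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_token_ok(?string $posted): bool
{
    // hash_equals() compares in constant time so the check does not leak by timing.
    return isset($_SESSION['token']) && is_string($posted)
        && hash_equals($_SESSION['token'], $posted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_ok($_POST['authenticity_token'] ?? null)) {
        http_response_code(403);
        exit('Bad request');
    }
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        exit('Invalid e-mail address');
    }
    $token = issue_download_token($email);
    // In a real deployment this link is mailed to $email rather than shown.
    echo 'Your link: downloadtrack.php?token=' . htmlspecialchars($token, ENT_QUOTES);
    exit;
}

if (isset($_GET['token'])) {
    if (!token_is_valid((string) $_GET['token'])) {
        http_response_code(403);
        exit('Invalid or expired link');
    }
    send_track(TRACK_PATH, 'sample.mp3');
}

$t = htmlspecialchars(csrf_token(), ENT_QUOTES);
echo '<form method="post">'
   . '<input type="hidden" name="authenticity_token" value="' . $t . '">'
   . '<input type="email" name="email" required>'
   . '<button type="submit">Get the track</button></form>';
```

Two points worth noting when adapting this. The token in the answer's sample URL contains `#`, `%` and `$`, which are not URL-safe; base64url output, as used here, survives copy-and-paste into a mail client. And because only the SHA-256 of each download token is stored, a leaked token file does not by itself let anyone fetch the track.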

演多会厌 2024-11-06 17:32:11


you can have a look at this as it does what you want, either use cake or take some ideas

http://book.cakephp.org/view/1094/Media-Views

https://github.com/cakephp/cakephp/blob/master/cake/libs/view/media.php

you can see in the render() function it's mostly about setting the correct header
