使用 PHP/Apache 根据数据库值控制对文件的访问

发布于 2024-11-07 14:04:22 字数 765 浏览 2 评论 0原文

我想要

创建一个系统,当用户上传图像时,它会转到文件夹images,其中有图像的两个副本,一个拇指和一个更大的副本。

现在,当用户上传图像时,它会在 MySQL 数据库中插入一行的同时完成,其中图像获取一个 id,并且该行保存一个值,该值确定图像是否可供公众使用(1 表示仅拇指)可用,两者均为 2)以及图像的所有者(管理员)。

我不想做的是,如果用户尝试通过图像的 URL 来访问图像,并且数据库中的值表明它不应该公开,并且该用户的会话不是该图像的所有者图像(管理员未登录)应该显示图像未找到或访问被拒绝。

我的想象

如果可以用 php 来完成,我想象这样的事情:

//User tries to go to URL "images/IMAGE-ID_thumb.jpg"
if($img['access'] >= 1 || $_SESSION['admin_ID'] == $img['owner_ID']) {
  //Show image thumb
}
else {
  //Access denied
}

我可以将图像隐藏在 .htaccess 受保护的文件夹中,制作一个接受 URL 变量的 imgae_get.php,查看图像是否可用,然后加载图像如果是这样。我只是想避免必须反编译/重新编译图像和其他服务器耗电进程。

我的问题是,我可以这样控制图像吗?有没有办法让 php 脚本显示为内部加载的图像? 或者除了 PHP 之外还有其他/更好的方法吗? (也许是 Apache?)非常感谢任何建议。

What i want

I'm making a system where, when a user uploads an image it goes to the folder images, where there is two copies of the image, a thumb and a bigger one.

Now, when a user uploads an image it's done alongside insertion of a row in a MySQL database, where the image gets an id, and the row holds a value that determines if the images is available to the public or not (1 for only thumb available, 2 for both) along with the owner(admin) of the image.

What i wan't to do is, if a user tries to reach the image by going to the image's URL, and the value in the database says that it should not be publicly available, and the session of that user is not the owner of the image, (admin not logged in) it should either say image not found or access denied.

What i imagine

If it could be done with php i imagine something like this:

//User tries to go to URL "images/IMAGE-ID_thumb.jpg"
if($img['access'] >= 1 || $_SESSION['admin_ID'] == $img['owner_ID']) {
  //Show image thumb
}
else {
  //Access denied
}

I could maybe hide the images in a .htaccess protected folder, make a imgae_get.php that accepts URL variables, sees if the image is available, and loads the image if so. I just want to avoid having to de/re-compile the image and other server power consuming processes.

My question is, can i control the image like this? Is there a way to make a php script appear as an image it loads internally?
Or is there maybe some other/better way than through PHP? (Apache maybe?) Any suggestions is much appreciated.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

待天淡蓝洁白时 2024-11-14 14:04:22
//get_image.php

//Do session/mysql checks as outlined in your code above.

header("Content-Disposition: filename=$imagename.$filetype");
header("Content-type: $mimetype");
readfile(PROTECTED_IMAGE_FOLDER . "$imagename.$filetype");
//get_image.php

//Do session/mysql checks as outlined in your code above.

header("Content-Disposition: filename=$imagename.$filetype");
header("Content-type: $mimetype");
readfile(PROTECTED_IMAGE_FOLDER . "$imagename.$filetype");
尘曦 2024-11-14 14:04:22

您可以使用 DocumentRoot 中的“.htaccess”文件重定向对某些文件类型(或文件名,任何您可以正则表达式的内容)的所有请求:

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule \.(gif|jpg|jpeg|png)$ imageHandler.php [NC,L]

您可以确定来自 $_SERVER 的原始请求code> superglobal,并使用适当的标头来提醒浏览器您正在返回图像。然后,您从磁盘读取图像(使用 file_get_contents() 或类似方法),并使用 echo 将其写入浏览器,就像输出 HTML 一样。

You can redirect all requests for certain filetypes (or filenames, anything you can regex) with an '.htaccess' file in your DocumentRoot:

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule \.(gif|jpg|jpeg|png)$ imageHandler.php [NC,L]

You can determine the original request from the $_SERVER superglobal, and use the appropriate headers to alert the browser you're returning an image. Then you read the image from disk (with file_get_contents() or similar) and write it to the browser with echo, in the same way you'd output HTML.

平生欢 2024-11-14 14:04:22

.htaccess

#mod_rewrite
RewriteRule ^(.*)_(full|thumb).(jpg|png|gif)$ image.php?i=$1&type=$2&ext=$3

HTML

<img src="http://example.com/image-1_thumb.png" />
=
<img src="image.php?i=image-1&type=thumb&ext=png" />

PHP (image.php)

<?php 
// do basic sanity checks on input
$_GET['i'] = isset($_GET['i']) ? basename($_GET['i']) : null;
$_GET['type'] = isset($_GET['type']) ? basename($_GET['type']) : null;
//unsafe way
//$_GET['ext'] = isset($_GET['ext']) ?  basename($_GET['ext']) : null;
//safe way
$_GET['ext'] = in_array($_GET['ext'], array('png','gif', 'png')) ? $_GET['ext'] : null;

## Do DB Checks on session to owner ect 
/* $_GET
    [i] => image-1
    [type] => thumb
    [ext] => png
*/

// then output
if (file_exists('hiddenimagesfolder/images/'.$_GET['i'].'_'.$_GET['type'].'.'.$_GET['ext'])) {
    header("Content-Type:image/png");
    readfile('hiddenimagesfolder/images/'.$_GET['i'].'_'.$_GET['type'].'.'.$_GET['ext']);
} else {
    //not found
}
?>

.htaccess

#mod_rewrite
RewriteRule ^(.*)_(full|thumb).(jpg|png|gif)$ image.php?i=$1&type=$2&ext=$3

HTML

<img src="http://example.com/image-1_thumb.png" />
=
<img src="image.php?i=image-1&type=thumb&ext=png" />

PHP (image.php)

<?php 
// do basic sanity checks on input
$_GET['i'] = isset($_GET['i']) ? basename($_GET['i']) : null;
$_GET['type'] = isset($_GET['type']) ? basename($_GET['type']) : null;
//unsafe way
//$_GET['ext'] = isset($_GET['ext']) ?  basename($_GET['ext']) : null;
//safe way
$_GET['ext'] = in_array($_GET['ext'], array('png','gif', 'png')) ? $_GET['ext'] : null;

## Do DB Checks on session to owner ect 
/* $_GET
    [i] => image-1
    [type] => thumb
    [ext] => png
*/

// then output
if (file_exists('hiddenimagesfolder/images/'.$_GET['i'].'_'.$_GET['type'].'.'.$_GET['ext'])) {
    header("Content-Type:image/png");
    readfile('hiddenimagesfolder/images/'.$_GET['i'].'_'.$_GET['type'].'.'.$_GET['ext']);
} else {
    //not found
}
?>
掌心的温暖 2024-11-14 14:04:22

“mod_rewrite”所有尝试通过 PHP 文件的假路径名访问图像,并将图像文件名作为查询参数,然后在那里发挥你的魔力。将图像存储在公共文件夹之外应该可以防止任何不需要的公共访问。或者将实际图像存储在数据库本身中。

"mod_rewrite" all attempts to access image via a fake path name to PHP file with the image file name as a query param and then do your magic there. Storing the images outside of the public folder should prevent any unwanted public access. Alternatively store the actual image in the DB itself.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文