如何使用 PHP 下载然后删除网站上的文件?
我用 PHP 生成了一个 *.csv 文件,效果很好。问题是,它包含一堆敏感数据。我已经非常仔细地完成了我的权限操作,因此如果不是正确的用户,您将无法访问下载链接或生成文件。 我遇到的问题是,用户下载文件后,需要立即删除该文件。我意识到,有人坐在那里扫描我的网站结构的可能性很小,但数据对于我想要遮盖我的屁股来说足够重要:-)
我一开始就有这个:
<a href="<?php echo base_path().$ourFileName ?>"><?=$ourFileName?></a>
这对于下载文件来说效果很好,但我很难用它执行任何类型的操作,因为如果您将 PHP 代码嵌套在 OnClick="" 中,它将在单击发生之前执行,因为所有 PHP 代码都在 HTML 之前在服务器端呈现,并且JAVASCRIPT 已处理...对吧?我搜索了互联网,似乎我无法让 javascript 拥有删除文件的权限......不可否认,我可能是非常错误的。
所以我把我的链接变成了一种形式:
<?PHP
if(isset($_POST['submit']))
{
header("Location: ".base_path().$ourFileName);
unlink(base_path().$ourFileName);
}?>
<form action="<? $PHP_SELF ?>" method="post">
<input type="submit" value="Submit" name="submit">
</form>
但显然,由于标头, unlink() 将永远无法访问......至少我认为...... 除了 header() 之外还有其他方法将文件下载给他们吗? 我意识到我可以每分钟运行一次 cron 作业,然后:
rm -rf *.csv
这样就可以解决问题,但是如果用户正在下载文件并且 cron 开始运行,会发生什么?或者页面已生成,但由于某种原因他们有一段时间没有点击链接?
也许有某种方法可以配置我的 .htaccess 文件,以便您只能在从页面链接时访问该文件?
我是不是把这件事复杂化了?
有互联网的创意大师吗?
- 编辑 根据流行的建议,我正在研究新的标头格式,因此代码如下所示:
<?PHP if(isset($_POST['submit']) && ($user->uid))
{
myroom_render_csv($ourFileName, $csv_string);
}?>
<form action="<? $PHP_SELF ?>" method="post">
<input type="submit" value="Submit" name="submit">
</form>
在一个单独的文件中:
<?PHP function myroom_render_csv($file_name, $csv_string) {
header('Content-type: text/csv');
$header_string2="Content-Disposition: attachment; filename=\"".$file_name."\"";
header($header_string2);
echo $csv_string;
} ?>
但我得到了完整 HTML 页面和 CSV 数据的转储。有想法吗?
I generate a *.csv file with PHP and it works great. The problem is, it contains a bunch of sensitive data. I've done my permissions very carefully, so you can't get to the download link or generate the file without being the correct user.
The issue that I run into, is that right after the user downloads the file, the file needs to be deleted right away. The chance is small, I realize, that someone would be sitting there scanning my site structure, but the data is important enough to where I want to cover my ass :-)
I had this at first:
<a href="<?php echo base_path().$ourFileName ?>"><?=$ourFileName?></a>
Which works great to just download the file, but I was having a hard time doing any kind of actions with it, because if you nest PHP code inside an OnClick="" it will be executed before the click happens, because all PHP code is rendered server-side before the HTML and JAVASCRIPT is processed...right? I searched the internet, and it didn't seem like I could get javascript to have the perms to delete the file...admittedly, I could be very wrong.
So I turned my link into a form:
<?PHP
if(isset($_POST['submit']))
{
header("Location: ".base_path().$ourFileName);
unlink(base_path().$ourFileName);
}?>
<form action="<? $PHP_SELF ?>" method="post">
<input type="submit" value="Submit" name="submit">
</form>
But obviously, the unlink() will never be reachable because of the header...at least I think...
Is there another way besides header() to download the file to them?
I realize I could just run a cron job every minute or something and just:
rm -rf *.csv
And that would take care of the issue, but what happens if a user is in the process of downloading the file and cron starts to run? Or the page is generated, but they don't click on the link for a while for some reason?
Maybe there's some way to configure my .htaccess file so you can only access the file if linking from a page?
Am I over complicating this?
Any ideas gurus of the interweb?
--edit
Per popular suggestion, I'm working on the new header format so the code looks like this:
<?PHP if(isset($_POST['submit']) && ($user->uid))
{
myroom_render_csv($ourFileName, $csv_string);
}?>
<form action="<? $PHP_SELF ?>" method="post">
<input type="submit" value="Submit" name="submit">
</form>
and in a separate file:
<?PHP function myroom_render_csv($file_name, $csv_string) {
header('Content-type: text/csv');
$header_string2="Content-Disposition: attachment; filename=\"".$file_name."\"";
header($header_string2);
echo $csv_string;
} ?>
but I get a dump of the full HTML page AND the CSV data. Ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这是一个更简单的解决方案 - 不创建文件。无需将数据写入 .csv 文件,只需在 php 脚本中设置标头,如下所示:
在 php 脚本中打印出 csv 数据,浏览器会将其视为文件下载。这样,您就可以自由控制谁以及何时可以访问该文件。
Here's a simpler solution - don't create a file. Instead of writing your data to a .csv file, just set the headers in a php script like so:
Print out your csv data in the php script, and the browser will treat it like a file download. This way, you're free to control to who and when the file is accessible.
一些评论。
你是完全正确的。
那为什么它是一个文件?只需将其与相关标头一起发送到浏览器,以提示浏览器将其作为可保存的文件资源呈现给用户。为此,它不必是网络服务器上的物理文件。
其他人已经为此提供了代码;我真的只是想指出您对客户端/服务器端角度的看法是正确的。 :)
实际上,不能。
header不会停止脚本。您的
unlink早在浏览器开始base_path().$ourFileName请求之前就已执行并完成。不过,通常情况下,您应该在
header之后编写exit来停止代码处理:现在,正如您所说,是的,
unlink永远不会发生。A few comments.
You're absolutely correct.
Then why is it a file? Just send it to the browser with the relevant headers to hint the browser to present it to the user as a saveable file resource. It doesn't have to be a physical file on the webserver for this.
Others have provided the code for this; I really just wanted to point out that you were correct about the client-side/server-side angle. :)
Actually, no.
headerdoes not stop the script.Your
unlinkwill have executed and finished long before the browser has gotten around to even starting the request forbase_path().$ourFileName.Usually, though, you should write
exitto stop code processing afterheader:And now, as you say, yes, the
unlinknever occurs.