How to protect images in an upload folder from being viewed by anyone except the admin

Ok, desired (probably impossible?) scenario is next:

1) anyone can upload image(s) to folder

2) only admin, via web admin interface/regular, password protected admin panel can see it

I guess it is impossible, unless I store images in the database directly (as BLOB type), and show them inside the admin panel (which will decrease performance, I guess).

So, what could I do, a) except to place a blank index file in the upload folder (already done), but I guess there are ways to guess/get names of files

b) and maybe, add some .htaccess protection (what would be your advice?)

Again, uploading is a part of a form (there is no registration required!), I need some way to allow only the admin to see/download images, but to protect them from others, because sensitive data are in question.

Recommended answer

Here you go:

1) Do not store files in your DB. Ever.

2) Protect the upload directory (where ONLY uploaded files will live) with an .htaccess - "deny all" (basically) -- or store the upload directory somewhere NOT public to the web (see #3, below)

3) Have an interim file that serves file downloads (is user logged in? If so, set headers and readfile() the actual file - this will force the file to download. The database should store the file name, path, and other relevant details)

The PHP upload script can save files in any directory, even the one with the .htaccess in it.
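
The interim download script from point 3, sketched as an added example that is not part of the original answer. The upload path, the `is_admin` session key, the SQLite DSN and the `uploads` table with its `stored_name` and `original_name` columns are all assumptions made for illustration.

```php
<?php
// download.php: added example; every name below is hypothetical.
declare(strict_types=1);
session_start();

// Assumed: uploads live outside the web root, or behind a "deny all" .htaccess.
const UPLOAD_DIR = '/var/www/private_uploads';

// 1) Only a logged-in admin gets any further (session key is an assumption).
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2) The client sends a numeric id, never a file name or path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// 3) Look up the stored name in the database (placeholder DSN and schema).
$pdo = new PDO('sqlite:/var/www/private/app.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT stored_name, original_name FROM uploads WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4) Resolve the path and confirm it is still inside UPLOAD_DIR.
$base = realpath(UPLOAD_DIR);
$path = ($row && $base !== false)
    ? realpath($base . DIRECTORY_SEPARATOR . basename($row['stored_name']))
    : false;
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 5) Force a download so the browser never renders uploaded content inline.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the database holds the real file name, the upload script can store each file under a random name, so nothing about the URL or the id reveals a path that could be requested directly.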
