Directory that apache can write to from PHP but will not serve files from_问答_开发者

Directory that apache can write to from PHP but will not serve files from

开发者 https://www.devze.com 2023-04-11 17:46 出处：网络

I need to provide an unshared upload using php on apache on linux. I can handle file uploads just fine, and move them to the desired folder. What 开发者_Python百科I wanted to ask was how can I make i

I need to provide an unshared upload using php on apache on linux.

I can handle file uploads just fine, and move them to the desired folder. What 开发者_Python百科I wanted to ask was how can I make it so that even if someone knew that folder and the filename, they could never download the file through a browser.

In other words, I need apache to be able to move the file to the folder, but to be unable to serve files from that folder.

Can php write to files outside the docroot? Is there something I can do with htaccess? Or even just linux directory permissions?

I was about to create a blank index.html and give the files a name containing a long random string (to make them unguessable) but decided there must be a better way.

Thanks all.

Upload your files outside the Apache DocumentRoot.

I.E.

DocumentRoot /var/www/public/

(where your php files are)

And upload in /var/www/uploads/

Yours is hardly a new problem -- numerous people (yours truly included) have at some point found their "upload" directories used by various file-traders... Fortunately, the solution is simple...

You can make Unix (and, I'm sure, Windows too) files and directories writable for a user or a group, but not readable. It is sometimes called "negative permissions", and some misguided individuals (and the scripts they create) frown at such settings, but there is nothing wrong with them.

For example, here is an actual file from my server. I ("mi") own it, and the group "www" (which httpd is running under) can write to it. But it can not read from it. All other legitimate users on the system can read it (which you may or may not want for your setup):

-rw--w-r--  1 mi    www    ....  /home/mi/public_html/.../download.log

The octal mode (for use with chmod) for the above settings is 0624. You can alter it to suit your needs. For example, if no other user on the system should be able to access the file at all, you'd use 0620...

You can also play with Apache's permission-settings to prevent serving from the directory, but that's far less straightforward than Unix file-system permissions. It will also mean additional work should you ever switch from Apache to a different web-server, or move from running PHP inside Apache to an application server, or whatever...