如果我们知道一个静态文件的实际路径如:https://www.xx.com/download/51windows.pdf,如果服务器没有作特别的限制设置,我们就可以毫不费力的把它下载下来!当网站提供51windows.pdf下载时,怎么样才能让下载者无法得到他的实际路径呢!本文就来介绍如何使用asp来隐藏文件的实际下载路径。
我们在管理网站文件时,可以把扩展名一样的文件放在同一个目录下,起一个比较特别名字,例如放pdf文件目录为the_pdf_file_s,把下面代码另存为down.,他的网上路径为https://www.xx.com/down.asp,我们就可以用https://www.xx.com/down.asp?filename=51windows.pdf来下载这个文件了,而且下载者无法看到这个文件实际下载路径的!在down.asp中我们还可以设置下载文件是否需要登陆,判断下载的来源页是否为外部网站,从而可以做到防止文件被盗链。
示例代码:
<%
from_url = cstr(request.servervariables("http_referer"))
serv_url = cstr(request.servervariables("server_name"))
if mid(from_url,8,len(serv_url)) <> serv_url then
response.write "非法链接!" 防止盗链
response.end
end if
if request.cookies("logined")="" then
response.redirect "/login.asp" 需要登陆!
end if
function getfilename(longname)/folder1/folder2/file.asp=>file.asp
while instr(longname,"/")
longname = right(longname,len(longname)-1)
wend
getfilename = longname
end function
dim stream
dim contents
dim filename
dim truefilename
dim fileext
const adtypebinary = 1
filename = request.querystring("filename")
if filename = "" then
response.write "无效文件名!"
response.end
end if
fileext = mid(filename, instrrev(filename, ".") + 1)
select case ucase(fileext)
case "asp", "asa", "aspx", "asax", "mdb"
response.write "非法操作!"
response.end
end select
response.clear
if lcase(right(filename,3))="gif" or lcase(right(filename,3))="jpg" or lcase(right(filename,3))="png" then
response.contenttype = "image/*" 对图像文件不出现下载对话框
else
response.contenttype = "application/ms-download"
end if
response.addheader "content-disposition", "attachment; filename=" & getfilename(request.querystring("filename"))
set stream = server.createobject("adodb.stream")
stream.type = adtypebinary
stream.open
if lcase(right(filename,3))="pdf" then 设置pdf类型文件目录
truefilename = "/the_pdf_file_s/"&filename
end if
if lcase(right(filename,3))="doc" then 设置doc类型文件目录
truefilename = "/my_d_o_c_file/"&filename
end if
if lcase(right(filename,3))="gif" or lcase(right(filename,3))="jpg" or lcase(right(filename,3))="png" then
truefilename = "/all_images_/"&filename 设置图像文件目录
end if
stream.loadfromfile server.mappath(truefilename)
while not stream.eos
response.binarywrite stream.read(1024 * 64)
wend
stream.close
set stream = nothing
response.flush
response.end
%>
