Geek Answers Handbook

Hide or encrypt URL file files?

We welcome everyone and thank you for your time. I just wanted to say that although I am not a noobie in php, I still don’t know, and I still do not have enough knowledge to deal with some of these problems.

My current dilemma:

I have a database of user songs in which there is all kinds of information, including the location of these songs. The way I work, I have a php script that echos contains an xspf playlist file for a flash player to read for those who are watching songs. (the best part is that the player doesn't care that he is a php file if he gets the correct XML format).

The problem is that anyone can look at the source (for example, find that the player is using xspf.php? = Song_id = 10), and the php file displays everything in plain text. How can I hide or encrypt the mp3 location from users, but can the player still work correctly?

In the future, I will also be able to download tracks, but I want to find a way to hide the location, or maybe if it does not generate a temporary URL too much? Share what you think is the best solution to this problem.

And again in advance for any answers!

+7
php
source share
4 answers

I limited file access by contacting a php script that checks if the user has access to the file, and echo the file with readfile () if the user has access to the file. Then you can save the file in a directory that cannot be accessed directly through the URL.

+1
source share

Perhaps the player also does not care about file extensions. Can you put mp3 records in your playlist with url as play.php? Songid = some_encoded_value.

Then in play.php you should verify that the user has a valid session. You can also record the number of times a songid (if generated) can be used to access a song - set this to 1 or 2? But depending on the player’s behavior (several requests for a broken connection, etc.) This may not be the safest idea, but it should be in order.

Please note that advanced users / developers who want to download songs will nevertheless be able to hack more or less. The solution for this is to stream songs encoded into the player where the player will decode.

But then the decoder algorithm in the flash player can be decrypted, etc.

The more you work, the safer, but absolute security is actually impossible.

Edit: A song map usually requires a mapping table between the actual songid files and the real mp3 files. The mapping may be in session memory, but preferably in a database. The play.php file will use the readfile (or similar) function to output the song to the output. In addition, mp3 files can also be stored in a database in binary blocks.

+5
source share

I do not know PHP, but the concept is reasonable, I would suggest the following:

  • Use some encryption key specific to the current user session and pass it along with the xspf.php file.
  • Do not save the direct location of the MP3 files in the generated XML, but use a PHP file (with the key passed to the user associated with the session, which is then verified) to serve the MP3 file for the Flash plugin and store the MP3 files in a directory that is not accessible through a static and public URL (so perfect outside of your web root).
+2
source share

Do not worry. Consider a situation where Flash Player is behind a proxy. In either case, you will see all the proxy server urls. To verify this, use Fiddler (a free tool that acts as a proxy server and shows HTTP traffic).

+1
source share

More articles:


All Articles