Posted by Gordon Burditt on 12/01/06 01:36
>I have a website where I host guitar lessons. I force people to register in
>order to listen to audio. But I don't think I am using a good method for
>protecting the files and preventing people from reverse engineering to
>figure out the link.

I'd like to suggest that you make it so it DOESN'T MATTER if they
figure out the link, because there is NO link that doesn't check
if they are registered and logged in first.

What do you mean by "protecting the files"? If you mean "only
registered people may fetch the files", that isn't difficult (see
below). If you mean "people may listen to, not save a copy of, the
files", that's hopeless.

>For instance, the files are located at
>www.mysite.com/myaudio/
>
>Here is the code I use to process the audio links:
>
>
>function GetLink($exid, $type) {
> if ((!pnUserLoggedIn()) && ($type != 4)) {
> session_start();
> $_SESSION['lasturl'] = getenv("HTTP_REFERER");
>
> include("header.php");
> OpenTable();
> echo "You must be a registered user to access lesson audio. You can <a
>href = \"user.php?op=register&module=NS-NewUser\">register</a> now for
>free.";
> CloseTable();
> include("footer.php");
> return;
> }
Now here, instead of storing a url, store a file name, which points
OUTSIDE THE DOCUMENT TREE, where the file is physically stored.
However, you do need to make sure that a PHP script can open that
file. There's *NO* url that goes directly to the audio files themselves.
> if ($type == 0) {
> $result = mysql_query("select url, file from nuke_mainlessons_exercises
>where exid = $exid");
> list($url, $file)=mysql_fetch_row($result);

Don't redirect them to the file, SEND THE FILE RIGHT NOW:

    header("Content-type: audio/mp3"); /* whatever MIME type is appropriate for the file */

> if ($url == "") {
> $file = pnGetBaseFILEDIRECTORY()."$file";
> } else {
> $file = "$url";
> }

    fpassthru($link);

Note that you have to avoid any output from the script if you're going
to send the file: no header, footer, html, or any of that stuff. From
the point of view of the browser, if it's being run by a logged-in user,
this php script *IS* the audio file, so don't corrupt it with HTML junk.
The only non-header stuff you send on a successful fetch is from
fpassthru(). You can output HTML error messages and such if they fail
the login check and you aren't going to send the file.

>After the command is successful, Media Player launches and shows the name of
>the file. So if someone knows the file is at www.mysite.com/myaudio/ then
>they can just append the audio clip name to that url and access the audio.
>What is the proper way to do this?
Have the PHP script return the audio (after checking for a valid login).
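
The approach described in the reply above, as an added example that is not part of the original post or the site's own code: one download script that checks the login, maps the exercise id to a file stored outside the document tree, and streams it. AUDIO_DIR, lookup_file(), resolve_audio(), fail() and the $_SESSION['uid'] login flag are hypothetical stand-ins (the site itself uses pnUserLoggedIn() and a database lookup).

```php
<?php
// Added example. All names below are assumptions for illustration.
const AUDIO_DIR = '/var/lib/lessons/audio';   // outside the document tree

// Stand-in for the database lookup: exercise id => stored file name.
function lookup_file(int $exid): ?string {
    $map = [1 => 'lesson01.mp3', 2 => 'lesson02.mp3'];  // constructed sample data
    return $map[$exid] ?? null;
}

// Resolve a stored name to a real path; refuse anything outside $base
// (covers "../" sequences and symlinks, since realpath() expands both).
function resolve_audio(string $base, string $name): ?string {
    $baseReal = realpath($base);
    $path = realpath($base . '/' . $name);
    if ($baseReal === false || $path === false) return null;
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) return null;
    return is_file($path) ? $path : null;
}

// Error responses may carry text; the success path must not.
function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

session_start();
if (empty($_SESSION['uid'])) {                // stand-in for pnUserLoggedIn()
    fail(403, 'You must be a registered user to access lesson audio.');
}
// The client sends only an integer id, never a path or file name.
$exid = filter_input(INPUT_GET, 'exid', FILTER_VALIDATE_INT);
$name = is_int($exid) ? lookup_file($exid) : null;
$path = $name !== null ? resolve_audio(AUDIO_DIR, $name) : null;
if ($path === null) fail(404, 'No such lesson audio.');

$fh = fopen($path, 'rb');
if ($fh === false) fail(500, 'Cannot open audio file.');
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');   // keep shared caches from storing it
fpassthru($fh);                               // the only body output on success
fclose($fh);
```

The closing `?>` tag is omitted on purpose so that no trailing whitespace is appended to the audio stream.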