Chrisj

There are several db tables ( phpmyadmin ) working with the web php script that I’m using (but did not write). The ‘user’ table has many fields, but pertaining to purchases it has these fields: ‘ip_address’ ‘username’ ‘wallet’ and ‘balance’. The ‘paid_videos’ table has these fields: id_user, video_play_price, id_video, user_id_uploaded, video_title, earned_amount, time_date, short_id, session_key video_id, time. The ‘transact’ table has these fields: username, id_user, amount, balance, wallet, wal_bal, user_id_uploaded, earned_amount, time_date. When a purchase is made a single row is populated in the ‘paid videos’ table and a single row is populated in the ‘transact’ table. Additional info: when a purchase is made, an amount of 50% of the price (‘earned_amount’) appears in uploader’s (user_id_uploaded) ‘earned_amount’ field, and gets added to the uploader’s ‘balance’ field. And that amount is also reflected in ‘amount’ by a negative number, and reduces the purchaser’s ‘wallet’ or ‘balance’ by that same amount. Also, wal_bal is total of wallet and balance. I am looking for comments/suggestions for improvement. And/or besides improvement, what am I missing?

Thanks for your reply. However, I have looked and wouldn't have posted if I could see the problem. I'm hoping another set of eyes might see what I don't. Any additional assistance is welcomed.

the php web video script that I'm trying to modify allows Users to purchase videos successfully, however, the video price that is reflected in the db ('u_paid_videos') table (where transaction info is stored) appears to show the default video price (video_play_price from the 'config' db table) every time, instead of the accurate video price. I'm not sure if this code needs to be tweaked so that the actual price will show in the 'video_play_price' column (in 'u_paid_videos' table): // get cost video // get the default video price, to use if there is no per video play price $db->where('name', 'video_play_price'); $db_cost = $db->getOne('config'); $video_cost = (float)$db_cost->value; // the number of submitted videos - used to determine if all records were inserted $count_video = count($id_array); $user_id = $user->id; $wallet = (float)str_replace(',', '', $user->wallet); $balance = (float)str_replace(',', '', $user->balance); // add up the video prices $amount = 0; foreach ($id_array as $id) { $video_id = (int)PT_Secure($id); // get video data $video = $db->where('id', $id)->getOne(T_VIDEOS); // add the video play price if any, or the default price $amount += $video->video_play_price?$video->video_play_price:$video_cost; } // determine if the user has enough credits if( ($wallet >= $amount) OR ($balance + $wallet >= $amount) ) { $db->startTransaction(); $inserted_records = 0; foreach ($id_array as $id){ $video_id = (int)PT_Secure($id); // get video data $video = $db->where('id', $id)->getOne(T_VIDEOS); // use the video play price if any, or the default price $video_cost_new = $video->video_play_price?$video->video_play_price:$video_cost; $uploader_amount = $video_cost_new *0.50; // add data to paid table $insert_buy = $db->insert('u_paid_videos', [ 'id_user' => $user_id, 'id_video' => $video_id, 'session_key' => $_SESSION['session_key'], 'video_play_price' => (string)$video_cost, 'video_title' => $video->title, 'user_id_uploaded' => $video->user_id, 'earned_amount' => $uploader_amount ]);

In fact, this blocks videos from playing at all: RewriteCond %{REQUEST_URI} \.(mp4)$ [NC] RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L] when these .htaccess lines are commented-out, the videos play as normal. Any additional help is welcomed.

Thanks for your reply. The php web script that I'm trying to modify generates the url/path from where the video file is stored, for example: http://......com/uploads/video/2019/10/BevI9Fl33FErYiqflaV8_31_1489faaeb187967564c2f5986a498c.mp4

I have added this to .htaccess: RewriteCond %{REQUEST_URI} \.(mp4)$ [NC] RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L] and added a validate.php file, containing this: <?php $v = $_GET['video'] ?? null; if(file_exists($v)) { unlink($v); header('Content-type: application/mp4'); header('Content-Disposition: inline; filename=video.mp4'); readfile("./mytestvideo.mp4"); } else http_response_code(404); to the root directory. And then searched and played a video, but still see the unmasked url/path to the video, instead of this type of url/path: http://mymp4.com?validate.php?video=40f677a45113eb829e345d278b8d1d31 as I was hoping for. I'm sure I must have something incomplete. Any additional guidance you'd like to share is much appreciated. Much thanks again

Many thanks again for your posting/reply. I have added this code to an .htaccess file: RewriteEngine OnRewriteCond %{REQUEST_URI} \.(mp4)$ [NC] RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L] I have added this php file: <?php $v = $_GET['video'] ?? null; if(file_exists($v)) { unlink($v); header('Content-type: application/mp4'); header('Content-Disposition: inline; filename=video.mp4'); readfile("./mytestvideoo.mp4"); } else http_response_code(404); named validate.php to the main directory. I just don't know what to do with this: //Generate the link $normalText = "this is just your average string with words and stuff"; $hashedText = md5($normalText); fopen($hashedTest, 'w'); echo "<a href='validate.php?video={$hashedText}'>Link to the video</a> should I put it in a .txt file and add it to my main directory? If so, named what? That's just what I'm not clear on before I test all this. I look forward to your comments/anything you'd like to share.

I thought hashed md5 solution would replace the url/path with a fake url/path that would disappear when the user session is over, and next time that video is played a new fake url/path will be displayed, so I understand "use it in order to identify which video your script should be displaying"?

Thanks for your reply. I don't understand what you mean by "and use it in order to identify which video your script should be displaying"

Thanks for your reply, but I've looked it over and am looking for feedback from higher skilled people than me

Thanks for your reply. Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

???

Much thanks again. I have also looked into X-SENDFILE. Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution? I look forward to any comments.

Thanks for your reply, i like a lot of what you explained, but because I’m learning as I go here, I don’t understand the term “hash” and also generating a GET parameter with the hash. I would welcome any additional explanation/elaboration/example that you’d like to share.

How about something like this: RewriteEngine OnRewriteCond %{REQUEST_URI} \.(mp4)$ [NC] RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L] # To disable or prevent the directory access/listing Options -Indexes with this validate.php?: <?phpsession_start(); if (!isset($_SESSION['login'])) { header ('Location: index.php'); exit(); } else { // Get server document root $document_root = $_SERVER['DOCUMENT_ROOT']; // Get request URL from .htaccess $request_url = $_GET['request_url']; // Get file name only $filename = basename($request_url); // Set headers header('Content-type: application/mp4'); header('Content-Disposition: inline; filename='.$filename); // Output file content @readfile($document_root.$request_url); } I look forward to any additional guidance/comments/suggestions