Using PHP to hide source file

[sh0wtym3]

Hey all,

 

I am providing links on my website for users to stream music, however I want to prevent them from downloading it. I use the following code to display a link to stream the music:

 

echo "<a href=\"http://www.mysite.com/play.php?cmd=play&track=$track\" onclick=\"window.open('http://www.mysite.com/play.php?cmd=play&track={$row['filename']}','','scrollbars=no,menubar=no,height=350, width=330,resizable=yes,toolbar=no,location=no,status=no');return false;\">Click Here to Listen</a>";

 

Which redirects them to play.php. The code for play.php is shown below.

 

<?php
$track = $_GET['track'];
?>
<object id="MediaPlayer1" width=321 height=45
classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
standby="Loading Microsoft® Windows® Media Player components..." 
type="application/x-oleobject" align="middle">
<param name="FileName" value="<?php echo "uploads/$track"; ?>">
<param name="AutoStart" value="True">
<param name="ShowStatusBar" value="False">
<param name="DefaultFrame" value="mainFrame">
<embed type="application/x-mplayer2" 
pluginspage = "http://www.microsoft.com/Windows/MediaPlayer/"
src="<?php echo "uploads/$track"; ?>" align="middle"
width=321
height=45
defaultframe="rightFrame"
showstatusbar=true>
</embed>
</object>

 

The only problem is, when you right click and view source on play.php (or view properties on the windows media plug in), you can see the file path where the mp3 is streaming from.

 

For example it would show http://mysite.com/uploads/mysong.mp3

 

I wanted to know if there is a way to hide this to prevent unauthorized downloading?

[DarkWater]

You'd need to write a script that gets the right MIME type for the music, sends out the right headers, and then serves the music with readfile().

[sh0wtym3]

If possible can you help point me in the right direction?

 

EDIT:

 

I looked up readfile() on php.net and they have the following example:

 

<?php
$file = 'monkey.gif';

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}
?>

 

But this prompts the user to stream or download, I want the music to stream always, and let the user access the "controls" (i.e. stop, play, raise or lower the volume, etc).

[DarkWater]

I've personally never seen a tutorial on this, but maybe someone knows of one.  Wait.  Will all the files be MP3 files?

[discomatt]

You do know 'streaming' means 'downloading on the fly' in this context.

 

If they can hear it, it's on their computer. Even if you could 'stop' this somehow, they can simply record what they're hearing.

[DarkWater]

You do know 'streaming' means 'downloading on the fly' in this context.

 

If they can hear it, it's on their computer. Even if you could 'stop' this somehow, they can simply record what they're hearing.

 

Yeah, it's actually impossible to stop them from getting the music.  My method just stops them from knowing the direct link, but they can still check their cache or, as discomatt said, just directly record it.

[sh0wtym3]

DarkWater: Yes, they will all be MP3.

 

Discomatt: I understand, I still want to make it as hard as possible for them to "steal" the mp3s.

 

 

If there's any other ways to accomplish this I'm open to suggestions.

 

I was thinking of streaming the files in low quality, or adding "tags" to the MP3.

 

"Tags" = A tag is some kind of audio - usually spoken - that is layered over your music. Often times it contains information about the artist and/or his company. The primary reason for using a tag is to minimize people using the music illegally, and to encourage them to purchase the "untagged" version.

 

Either way I would like to figure out how to hide the source file first.

[discomatt]

Your best bet, as DarkWater said, is to have the files outside of webroot and serve them with a PHP file. This has several advantages... you can perform any amount of checks before actually serving the file.

 

You could, for example, output a 404 error if the user isn't logged in when trying to download, limit downloads per user/ip/ect or check for the existence of session variables that a previous page could create.

 

There are downsides to this though. The biggest is the overhead of streaming the file through the PHP engine. There are tricks to keeping your RAM footprint down, but it will start eating away at CPU time if you have to stream to several users at a time.

 

Your best bet is to read up here

 

http://teddy.fr/blog/how-serve-big-files-through-php

[sh0wtym3]

Thanks man I'm looking into that now.