lothario Posted July 7, 2009 Share Posted July 7, 2009 Hey. I've tried google, and this site as well, but it's hard to decide what I need to search for...so hope this hasn't been asked before. I'm building a music website, and need to control whether a file can be downloaded or not. All files can be streamed. The link for a file is like this: http://localhost/download.php?id=1 This does several things: First, it checks if $_GET['id'] and $_SERVER['HTTP_REFERER'] is set. The second option, is because I don't wan't users to directly use the download.php file, only through links on the site. This works fine. Now I use a javascript player called soundManager2 for music on the site, and this is where i gets tricky. Here is the code for calling up that particular sound: var lothario = soundManager.createSound({ id: "lothario", url: "http://localhost/download.php?id=1", autoLoad: true, volume: 50 }); If I check for the $_SERVER['HTTP_REFERER'] in my download.php, the sound does not load. If I don't check for the $_SERVER['HTTP_REFERER'] in my download.php, the sound works fine. Is there a way for download.php to check if it is my soundManager object that is requesting the file (ie the server) or it is a user requesting the file (ie the client). Thank you. Here is the full download.php: <?php //Define root for links $abs_root = $_SERVER["DOCUMENT_ROOT"]; $rel_root = 'http://'.$_SERVER['HTTP_HOST']."/"; //Check if id is set, and if page is visited directly if(!isset($_GET['id']) || !isset($_SERVER['HTTP_REFERER'])){ header('Location: ./'); }else{ $id = $_GET['id']; //Connect to the mysql database require($abs_root.'/adm/mysql_connect.php'); $query = "SELECT is_public FROM mp_mp3 WHERE id='$id'"; if(mysql_query($query)){ $result=mysql_query($query); //If no results if(mysql_num_rows($result)==0){ echo 'No such file exists'; exit(); }; $public=mysql_result($result,0,'is_public'); //If it is allowed to download if ($public==0){ $query = "SELECT link FROM mp_mp3 WHERE id='$id'"; if (mysql_query($query)) { $result=mysql_query($query); $link = mysql_result($result,0,'link'); $filename = str_rot13($link); $ext = substr($filename,-3); $filename = rtrim($filename, $ext).".".$ext; $file = $rel_root.'files/'.$link; //Send file to page header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Content-Type: application/force-download"); header( "Content-Disposition: attachment; filename=".$filename); header( "Content-Description: File Transfer"); @readfile($file); }else{ echo 'Could not connect to mp3 database. Please retry.'; exit(); }; //If it is not allowed to download, this is hacking }elseif($public==1){ echo 'You are not allowed to download this file'; exit(); }else{ echo 'Mp3 database error. Public bit not set properly.'; exit(); } }else{ echo 'Could not connect to mp3 database. Please retry.'; exit(); }; }; ?> Quote Link to comment Share on other sites More sharing options...
RussellReal Posted July 7, 2009 Share Posted July 7, 2009 you mean tell if it is being called thru an include or thru a request? in the first page you could define a constant define and then in the page you're trying to figure out if included or not.. check defined for whatever constant you specified. if the constant exists you're including, if it doesn't you're getting the page requested Quote Link to comment Share on other sites More sharing options...
lothario Posted July 7, 2009 Author Share Posted July 7, 2009 you mean tell if it is being called thru an include or thru a request? in the first page you could define a constant define and then in the page you're trying to figure out if included or not.. check defined for whatever constant you specified. if the constant exists you're including, if it doesn't you're getting the page requested Good idea, but it didn't work. The problem is, that the page isn't called through include or request, but using javascript. I'll try the same thing with sessions, see if that works. Quote Link to comment Share on other sites More sharing options...
lothario Posted July 7, 2009 Author Share Posted July 7, 2009 I'll try the same thing with sessions, see if that works. Huh, sessions made it work...however i think it's a bit messy solution. But i'll go for this, if you don't have any better ideas. I defined a $_SESSION['in_music'] variable, and added a session_start() to the download.php, checked for the variable and then it worked. EDIT: Oh not quite. Now I can access the download.php file directly. Hmm, back to thinking. EDIT2: So, Of course I needed to destroy the session, then it didn't work by accessing directly. This might work. Quote Link to comment Share on other sites More sharing options...
RussellReal Posted July 8, 2009 Share Posted July 8, 2009 sessions will work the same way.. you'd do the define something like this.. // whatever php includes files define('in_script',$_SERVER['PHP_SELF']); // whatever php you want to ONLY be included if (!defined('in_script')) die('you have no access to this file'); Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.