
Hey.

 

I've tried google, and this site as well, but it's hard to decide what I need to search for...so hope this hasn't been asked before.

 

 

I'm building a music website, and need to control whether a file can be downloaded or not. All files can be streamed. The link for a file is like this:

 

http://localhost/download.php?id=1

 

This does several things:

 

First, it checks if $_GET['id'] and $_SERVER['HTTP_REFERER'] are set. The second option is because I don't want users to directly use the download.php file, only through links on the site.

This works fine.

 

Now I use a JavaScript player called soundManager2 for music on the site, and this is where it gets tricky. Here is the code for calling up that particular sound:

 

var lothario = soundManager.createSound({
	id: "lothario",
	url: "http://localhost/download.php?id=1",
	autoLoad: true,
	volume: 50
});

 

If I check for the $_SERVER['HTTP_REFERER'] in my download.php, the sound does not load.

If I don't check  for the $_SERVER['HTTP_REFERER'] in my download.php, the sound works fine.

 

Is there a way for download.php to check if it is my soundManager object that is requesting the file (i.e. the server) or if it is a user requesting the file (i.e. the client)?

 

Thank you.

 

Here is the full download.php:

 

<?php

//Define root for links
$abs_root = $_SERVER["DOCUMENT_ROOT"];
$rel_root = 'http://'.$_SERVER['HTTP_HOST']."/";

//Check if id is set, and if page is visited directly
if(!isset($_GET['id']) || !isset($_SERVER['HTTP_REFERER'])){
	header('Location: ./');

}else{

	//Cast to integer so the request value cannot alter the SQL statements below
	$id = (int) $_GET['id'];

	//Connect to the mysql database
	//(the mysql_* functions used here were removed in PHP 7.0)
	require($abs_root.'/adm/mysql_connect.php');

	$query = "SELECT is_public FROM mp_mp3 WHERE id='$id'";

	//Run the query once and keep the result
	$result=mysql_query($query);

	if($result){

		//If no results
		if(mysql_num_rows($result)==0){

			echo 'No such file exists';
			exit();

		}

		$public=mysql_result($result,0,'is_public');

		//If it is allowed to download
		if ($public==0){

			$query = "SELECT link FROM mp_mp3 WHERE id='$id'";

			$result=mysql_query($query);

			if ($result)
			{
				$link = mysql_result($result,0,'link');

				$filename = str_rot13($link);

				//Split off the last three characters as the extension
				//(rtrim() strips a set of characters, not a suffix, so use substr())
				$ext = substr($filename,-3);
				$filename = substr($filename,0,-3).".".$ext;

				$file = $rel_root.'files/'.$link;

				//Send file to page
				header("Pragma: public");
				header("Expires: 0");
				header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

				header("Content-Type: application/force-download");
				header("Content-Disposition: attachment; filename=".$filename);

				header("Content-Description: File Transfer");
				@readfile($file);

			}else{

				echo 'Could not connect to mp3 database. Please retry.';
				exit();

			}

		//If it is not allowed to download, this is hacking
		}elseif($public==1){

			echo 'You are not allowed to download this file';
			exit();

		}else{

			echo 'Mp3 database error. Public bit not set properly.';
			exit();

		}

	}else{

		echo 'Could not connect to mp3 database. Please retry.';
		exit();

	}

}

?>

 

 

 

you mean tell if it is being called thru an include or thru a request?

 

in the first page you could define a constant

 

define

 

and then in the page you're trying to figure out if included or not.. check defined for whatever constant you specified.

 

if the constant exists you're including, if it doesn't you're getting the page requested


 

Good idea, but it didn't work. The problem is, that the page isn't called through include or request, but using javascript. I'll try the same thing with sessions, see if that works.


 

Huh, sessions made it work... however I think it's a bit of a messy solution. But I'll go for this, if you don't have any better ideas.

 

I defined a $_SESSION['in_music'] variable, and added a session_start() to the download.php, checked for the variable and then it worked.

 

EDIT: Oh not quite. Now I can access the download.php file directly. Hmm, back to thinking.

 

EDIT2: So, of course I needed to destroy the session, then it didn't work by accessing directly. This might work.

sessions will work the same way.. you'd do the define something like this..

// whatever php includes files

define('in_script',$_SERVER['PHP_SELF']);

 

// whatever php you want to ONLY be included

if (!defined('in_script')) die('you have no access to this file');
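
An added example, not code from any poster in this thread: instead of relying on the Referer header or a session flag, the page that renders the player signs each download.php link with a mode, an expiry and the visitor's session id, and download.php verifies that signature. SECRET, sign_link() and verify_link() are hypothetical names, and the sample values are constructed.

```php
<?php
// Added example, not from the thread. SECRET, sign_link() and verify_link()
// are hypothetical names; all sample values below are constructed.
const SECRET = 'placeholder-load-a-random-key-from-server-config';

// Called by the page that renders the player or a download link.
function sign_link(int $id, string $mode, string $sid, int $ttl = 60, ?int $now = null): string
{
    $exp = ($now ?? time()) + $ttl;
    $sig = hash_hmac('sha256', "$id|$mode|$exp|$sid", SECRET);
    return "download.php?id=$id&mode=$mode&exp=$exp&sig=$sig";
}

// Called at the top of download.php with $_GET and session_id().
function verify_link(array $get, string $sid, ?int $now = null): bool
{
    foreach (['id', 'mode', 'exp', 'sig'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return false;               // missing or array-valued parameter
        }
    }
    if (!ctype_digit($get['id']) || !ctype_digit($get['exp'])) {
        return false;                   // id and expiry must be plain integers
    }
    if (!in_array($get['mode'], ['stream', 'download'], true)) {
        return false;                   // only the two modes the site issues
    }
    if ((int) $get['exp'] < ($now ?? time())) {
        return false;                   // link has expired
    }
    $expected = hash_hmac('sha256', "{$get['id']}|{$get['mode']}|{$get['exp']}|$sid", SECRET);
    return hash_equals($expected, $get['sig']);   // constant-time comparison
}

// Constructed demo: a stream link issued to session "sess-A" at t=1000.
$url = sign_link(1, 'stream', 'sess-A', 60, 1000);
parse_str(parse_url($url, PHP_URL_QUERY), $get);

var_dump(verify_link($get, 'sess-A', 1030));                          // link as issued
var_dump(verify_link(['mode' => 'download'] + $get, 'sess-A', 1030)); // mode rewritten by the client
var_dump(verify_link($get, 'sess-A', 1100));                          // checked after the expiry time
var_dump(verify_link($get, 'sess-B', 1030));                          // presented by another session
```

The player's request and a direct visit both come from the visitor's browser, so the signature only proves that the site issued this link recently for this session and mode. Whether a file may be downloaded at all is still decided by the is_public lookup in download.php.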
