Twistedweb123, posted February 22, 2011

Hey, so basically this is what I'm trying to do:

I'm writing an mp3 store, and want the user to be able to play the whole track before purchase. Currently all the music files are in a protected folder with permissions set so access isn't possible. The mp3 player calls play.php?fid=encryptedfileid rather than the direct music link. This is all working perfectly.

The bit I am now stuck on is stopping the users going to play.php?fid=encryptedfileid directly and downloading the mp3 directly. How do I make it so the server can execute the play.php file, but the user cannot? I attempted to set a cookie in play.php and deny access if cookie was present, however the server also set the cookie, so this didn't work.

See play.php code (in this example, fid is just the filename, but it will be more encrypted, calling to a special md5 hash, albumid and artistid).

<?PHP
// Define the path to file; basename() drops any directory part of fid
$filename = isset($_GET['fid']) ? basename((string) $_GET['fid']) : '';
$file = "music/$filename.mp3";
if ($filename === '') {
    // No file id supplied, output error
    die('file not occupied');
} elseif (!file_exists($file)) {
    die('Error: File not found.');
} else {
    // Set headers
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    // Send only the file name to the client, not the server-side path
    header("Content-Disposition: attachment; filename=\"$filename.mp3\"");
    header("Content-Type: application/octet-stream");
    header("Content-Transfer-Encoding: binary");
    // Read the file from disk
    readfile($file);
}
?>

So to clarify, I need the server to access and execute this script with the mp3 player (simple javascript player) and the server not be able to visit play.php?fid=xxx directly to download.

Thanks

Muddy_Funster, posted February 22, 2011

Off the top of my head I would suggest an intermediate page that checks the md5 from the user page, generates another hash and passes that on to your file play page using $_POST and include_once(); that way what people see in the bar isn't actually how they access the file.

Adam, posted February 22, 2011

> Off the top of my head I would suggest an intermediate page that checks the md5 from the user page, generates another hash and passes that on to your file play page using $_POST and include_once(); that way what people see in the bar isn't actually how they access the file.

Then all the user has to do is go to that URL instead?

At the end of the day it's impossible to prevent the user from downloading them. In fact the user (the browser) has to download it just to play it. All you can do is obfuscate the process, but anyone who wants it will get it. That's why no sites will allow you to listen to a track before you purchase it.

cunoodle2, posted February 22, 2011

I think for something like this you will pretty much need to use flash. That or edit the songs with advertisements in the center of them. If the user buys the mp3 then they get the actual full song without advertisements.

chaseman, posted February 22, 2011

Maybe you should not use GET and solve your problem differently. One reason why other websites manage to stream music but not make them downloadable is simply the user never finds out the actual URL to the mp3, which is hidden under the hood in the script.

And most streaming websites make use of flash mp3 players (as someone suggested already). That way it's still possible to get the mp3, but it's much harder. What most people do in such a case is make use of recording software to record the audio that is coming out of the speakers.

If you play the full song == they will have the full song. But you can still make it harder to download; the convenient user will pay.

Twistedweb123 (author), posted February 22, 2011

So my best option is to host 2 files, the preview and the main. Have the mp3 link to the preview; the user can have that, no biggie to me as it will be like 20 seconds long. Then when they buy they can download the real one (with a script I will make similar to play.php but it will include database queries to make sure user has purchased etc.).

I thought ^^ that would have to be my option without flash.

My second question: is there a possible way to create a preview of an mp3 file on the fly when uploading the main?

PaulRyan, posted February 22, 2011

You're in luck as there is a way, TwistedWeb123, but if you're on shared hosting you probably cannot do it. It's called FFMPEG; it's what Youtube to MP3 downloaders use to rip audio from videos. I have had success with this on my own computer using my localhost on Windows, but there are tutorials out there for using this on a live website.

It requires a lot of config, but could be what you're looking for. If not, then you could always install it on your home computer, then get the first 20 seconds of the song and upload it at the same time as the song?

Install on Windows: http://www.vidionline.com/php/7-how-to-install-ffmpeg-on-windows

Regards, PaulRyan.

Twistedweb123 (author), posted February 22, 2011

The budget the client is paying, I think I'll just prompt the user to upload a preview & mp3 file. The site is based around the user selling their own music, so in theory they should be able to edit the track and upload a preview to encourage sales.

Adam, posted February 23, 2011

> Maybe you should not use GET and solve your problem differently. One reason why other websites manage to stream music but not make them downloadable is simply the user never finds out the actual URL to the mp3, which is hidden under the hood in the script.

Whatever makes the request, it uses the browser to do it. It's easy to track what requests are being made behind the scenes - even for Flash.

chaseman, posted February 23, 2011

> > Maybe you should not use GET and solve your problem differently. One reason why other websites manage to stream music but not make them downloadable is simply the user never finds out the actual URL to the mp3, which is hidden under the hood in the script.
>
> Whatever makes the request, it uses the browser to do it. It's easy to track what requests are being made behind the scenes - even for Flash.

Yeah that makes sense, so how do other websites manage this problem? Even when they make previews available, I thought those previews are taken from the original full length with a script that takes only 30 seconds of the mp3. But if that would be the case the user would have the URL to the full length mp3, since the browser does a request.

Which on the other hand means they would need separate mp3s for the previews, to make it secure? Sounds like a lot of duplicate work.

Adam, posted February 24, 2011

I can't honestly say I know how other large music websites do it, as I've never looked into this much. I had a quick look at a preview on the Amazon MP3 store, and all they do is play about a minute of a sample track. Amazon's a little different though, because they'll have a feed of data (I imagine) for this kind of thing. Say they didn't, they'd have software on their servers that would generate the sample.

The full-length track would obviously only be available to logged in, purchased customers. A request to the URL for the full-length track for un-purchased users would just return an error.

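Added example, not part of any post in this thread: a sketch of the purchase-gated download script that Twistedweb123 and Adam describe, with previews served as separate short files. The `purchases` table, the `user_id` session key, the 32-hex-character track ID format, the SQLite database and the directory layout are all assumptions made for illustration.

```php
<?php
// download.php -- added example. Schema, paths and session key are assumptions.
declare(strict_types=1);

const FULL_DIR = __DIR__ . '/../protected/full'; // full tracks, outside the web root

/** Returns [HTTP status, file path or null] for a full-track request. */
function authorizeDownload(PDO $db, ?int $userId, string $trackId): array
{
    // Accept only opaque 32-hex-character IDs, so the value can never act as a path.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $trackId)) {
        return [400, null];
    }
    if ($userId === null) {
        return [401, null]; // not logged in
    }
    $stmt = $db->prepare('SELECT 1 FROM purchases WHERE user_id = ? AND track_id = ?');
    $stmt->execute([$userId, $trackId]);
    if ($stmt->fetchColumn() === false) {
        return [403, null]; // logged in, but has not bought this track
    }
    $path = FULL_DIR . "/$trackId.mp3";
    return is_file($path) ? [200, $path] : [404, null];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data: user 7 owns one track, user 8 owns nothing.
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE purchases (user_id INTEGER, track_id TEXT)');
    $owned = str_repeat('ab', 16);
    $db->prepare('INSERT INTO purchases VALUES (7, ?)')->execute([$owned]);
    foreach ([[7, 'not-a-valid-id'], [null, $owned], [8, $owned], [7, $owned]] as [$u, $t]) {
        echo json_encode($u), ' ', $t, ' => ', authorizeDownload($db, $u, $t)[0], "\n";
    }
    exit;
}

session_start();
$db  = new PDO('sqlite:' . __DIR__ . '/../store.sqlite'); // assumed database location
$uid = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$fid = is_string($_GET['fid'] ?? null) ? $_GET['fid'] : '';
[$status, $path] = authorizeDownload($db, $uid, $fid);
if ($status !== 200) {
    http_response_code($status);
    exit('Track not available.');
}
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="track.mp3"');
readfile($path);
```

Run from the command line, the script prints the status each constructed request would receive; the decision depends only on the session and the purchase record, so knowing the URL gives a non-purchaser nothing.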