Play video outside root directory

[jkkenzie]

Hi! I have tried to add this link to the player under file:"sales/getfFile.... But it its saying bad source. When this code pasted on the address bar , i can download the file..... But the player cannot.

$VideoF= stripslashes($_GET['download_file']);
$VideoIm = preg_replace('/\.[^.]+$/','',$VideoF);

if(isUserLoggedIn())
{ 
?>
	<script type="text/javascript" src="jwplayer/jwplayer.js"></script>
    <script type="text/javascript" src="jwplayer/jwplayer.html5.js"></script>
    <div id="myElement">Loading the player...</div>
    
    <script type="text/javascript">
        jwplayer("myElement").setup({
            file: "sales/getfFile.php?download_file=<?php echo $VideoF; ?>",
             image: "sales/assets/img/history/<?php echo $VideoIm; ?>.jpg"
        });
    </script>
<?php
}
?>

the download script is :

	$path_parts = pathinfo($_GET['download_file']);
	$file_name  = $path_parts['basename']; 
	 $fullPath = "../privatefolder/".$file_name;

	
	if ($fd = fopen ($fullPath, "r")) {
		$fsize = filesize($fullPath);
		$path_parts = pathinfo($fullPath);
		$ext = strtolower($path_parts["extension"]);
		switch ($ext) {
			case "pdf":
			header("Content-type: application/pdf"); // add here more headers for diff. extensions
			header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download
			break;
			case "mp4":
			header("Content-type: video/mp4"); // add here more headers for diff. extensions
			header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); // use 'attachment' to force a download
			break;
			default:
			header("Content-type: application/octet-stream");
			header("Content-Disposition: filename=\"".$path_parts["basename"]."\"");
		}
		header("Content-length: $fsize");
		header("Cache-control: private"); //use this to open files directly
		while(!feof($fd)) {
			$buffer = fread($fd, 2048);
			echo $buffer;
		}
	}
	fclose ($fd);
	exit;

Do you guys have netter way of playing videos outside root directory?

[Muddy_Funster]

have you tried echoing the contents of the $fullpath variable once it's set?

[.josh]

sidenote: if you can paste the path/to/file in your browser's address bar and it works, then it's not outside of your root directory. 

[jkkenzie]

Hi!

I have changed the script all together:

Am able to download the file outside root directory BUT iam not able to play it.

The script below: i have disabled the "Content Disposition" so that it does not force download. but nothing happens. the player keeps rotating without an error:

		
		define('ALLOWED_REFERRER', '');
		
		// Download folder, i.e. folder where you keep all files for download.
		// MUST end with slash (i.e. "/" )
		//define('BASE_DIR','/home/user/downloads/');
		define('BASE_DIR',$_SERVER['DOCUMENT_ROOT'].'/../privatelogged/');
		
		// log downloads?  true/false
		define('LOG_DOWNLOADS',true);
		
		// log file name
		define('LOG_FILE','downloads.log');
		
		// Allowed extensions list in format 'extension' => 'mime type'
		// If myme type is set to empty string then script will try to detect mime type 
		// itself, which would only work if you have Mimetype or Fileinfo extensions
		// installed on server.
		$allowed_ext = array (
		
		  // archives
		  'zip' => 'application/zip',
		
		  // documents
		  'pdf' => 'application/pdf',
		  'doc' => 'application/msword',
		  'xls' => 'application/vnd.ms-excel',
		  'ppt' => 'application/vnd.ms-powerpoint',
		  
		  // executables
		  'exe' => 'application/octet-stream',
		
		  // images
		  'gif' => 'image/gif',
		  'png' => 'image/png',
		  'jpg' => 'image/jpeg',
		  'jpeg' => 'image/jpeg',
		
		  // audio
		  'mp3' => 'audio/mpeg',
		  'wav' => 'audio/x-wav',
		
		  // video
		  'mp4' => 'video/mp4',
		  'mpeg' => 'video/mpeg',
		  'mpg' => 'video/mpeg',
		  'mpe' => 'video/mpeg',
		  'mov' => 'video/quicktime',
		  'avi' => 'video/x-msvideo'
		);
		
		
		
		####################################################################
		###  DO NOT CHANGE BELOW
		####################################################################
		
		// If hotlinking not allowed then make hackers think there are some server problems
		if (ALLOWED_REFERRER !== ''
		&& (!isset($_SERVER['HTTP_REFERER']) || strpos(strtoupper($_SERVER['HTTP_REFERER']),strtoupper(ALLOWED_REFERRER)) === false)
		) {
		  die("Internal server error. Please contact system administrator.");
		}
		
		// Make sure program execution doesn't time out
		// Set maximum script execution time in seconds (0 means no limit)
		set_time_limit(0);
		
		if (!isset($_GET['video']) || empty($_GET['video'])) {
		  die("Please specify file name for download.");
		}
		
		// Nullbyte hack fix
		if (strpos($_GET['video'], "\0") !== FALSE) die('');
			
		// Get real file name.
		// Remove any path info to avoid hacking by adding relative path, etc.
		$fname = basename($_GET['video']);
		$fname="K@1~@".$fname;
		// Check if the file exists
		// Check in subfolders too
		function find_file ($dirname, $fname, &$file_path) 
		{
		
		  $dir = opendir($dirname);
		
		  while ($file = readdir($dir)) {
			if (empty($file_path) && $file != '.' && $file != '..') {
			  if (is_dir($dirname.'/'.$file)) {
				find_file($dirname.'/'.$file, $fname, $file_path);
			  }
			  else {
				if (file_exists($dirname.'/'.$fname)) {
				  $file_path = $dirname.'/'.$fname;
				  return;
				}
			  }
			}
		  }
		
		} // find_file
		
		// get full file path (including subfolders)
		$file_path = '';
		find_file(BASE_DIR, $fname, $file_path);
		
		if (!is_file($file_path)) {
		  die("File does not exist. Make sure you specified correct file name."); 
		}
		
		// file size in bytes
		$fsize = filesize($file_path); 
		
		// file extension
		$fext = strtolower(substr(strrchr($fname,"."),1));
		
		// check if allowed extension
		if (!array_key_exists($fext, $allowed_ext)) {
		  die("Not allowed file type."); 
		}
		
		// get mime type
		if ($allowed_ext[$fext] == '') {
		  $mtype = '';
		  // mime type is not set, get from server settings
		  if (function_exists('mime_content_type')) {
			$mtype = mime_content_type($file_path);
		  }
		  else if (function_exists('finfo_file')) {
			$finfo = finfo_open(FILEINFO_MIME); // return mime type
			$mtype = finfo_file($finfo, $file_path);
			finfo_close($finfo);  
		  }
		  if ($mtype == '') {
			$mtype = "application/force-download";
		  }
		}
		else {
		  // get mime type defined by admin
		  $mtype = $allowed_ext[$fext];
		}
		
		// Browser will try to save file with this filename, regardless original filename.
		// You can override it if needed.
		
		if (!isset($_GET['fc']) || empty($_GET['fc'])) {
		  $asfname = $fname;
		}
		else {
		  // remove some bad chars
		  $asfname = str_replace(array('"',"'",'\\','/'), '', $_GET['fc']);
		  if ($asfname === '') $asfname = 'NoName';
		}
		
		// set headers
		header("Pragma: public");
		header("Expires: 0");
		header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
		header("Cache-Control: public");
		header("Content-Description: File Transfer");
		header("Content-Type: $mtype");
		//header("Content-Disposition: attachment; filename=\"$asfname\"");
		header("Content-Transfer-Encoding: binary");
		header("Content-Length: " . $fsize);
		
		// download
		// @readfile($file_path);
		$file = @fopen($file_path,"rb");
		if ($file) {
		  while(!feof($file)) {
			print(fread($file, 1024*);
			flush();
			if (connection_status()!=0) {
			  @fclose($file);
			  die();
			}
		  }
		  @fclose($file);
		}
		
		// log downloads
		if (!LOG_DOWNLOADS) die();
		
		$f = @fopen(LOG_FILE, 'a+');
		if ($f) {
		  @fputs($f, date("m.d.Y g:ia")."  ".$_SERVER['REMOTE_ADDR']."  ".$fname."\n");
		  @fclose($f);
		}

If i disable the "Content-Length" and "Content-Type" i get very many  characters and symbols %$&%^&%^&%^&%^ on screen...

 

Thanks for your responses...