s0c0 Posted April 18, 2007

I have a php/mysql based web app that allows people to upload music and stream it from my site. They each have their own account and are given a session once logged in. The music plays through a flash based player; the flash player gets a listing of the files in their playlist via an xml file. This xml file is included as a url string in the flash player's object code. Looks similar to this:

/player/player.swf?playlist_url=/users/chris/default.xmlf&autoload=1

Now eventually a user will try plugging that url into their browser and will get a clear text look at the xml file. They will then figure they can begin guessing usernames and can get a clear text look at someone else's xml file. This file will contain links to the mp3 file; they will plug these links into their browser and get free music. This is a copyright infringement or something for me, and I just don't want that to happen. Furthermore I would like to create plugins allowing people to put the player on their blog, myspace, website etc. This idea truly opens the flood gates. So what can I do to stop people from reading the file while still allowing the flash player to get the mp3 urls? I'm really scratching my head on this. Please advise.
448191 Posted April 18, 2007

You might be able to use the swf extension to dynamically modify the file. Then you can place xml and mp3 files outside of the docroot, i.e.:

/player/player.php?users=chris&autoload=1

Or, simply don't put anything risky in the xml file (other than mp3 file uris), and focus only on making others' mp3 files unavailable. That shouldn't be too hard using the file stream functions and a 'form key' (plus secure sessions). I.e.:

1) Use a dynamic (hidden form) key to append to the request from the client using javascript:

/player/player.php?users=chris&autoload=1&key=1f3870be274f6c49b3e31a0c6728957f

2) In the xml, link to a php script to get the mp3 file, i.e.:

mp3.php?songId=2085&key=1f3870be274f6c49b3e31a0c6728957f

3) In mp3.php you check the following:

a) Should the user with session id someid get access to the requested mp3 file?

b) Is the form key associated with that session id?

If both questions check out, return (or stream) the mp3 file. Be sure to regenerate the session id whenever something changes, e.g. permission to a file is added or removed. Regenerate the form key upon EVERY request, and force a new request when the session id changes.
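The gateway script described in steps 1 to 3 above, written out as an added example (this is not 448191's or the original poster's code). It assumes the login code has already stored `user_id` and a random `media_key` in the session, a `tracks` table with `id`, `owner_id` and `path` columns, a `db.php` helper that returns a PDO handle, and a media directory `/srv/media` outside the web root; all of those names are placeholders. The track is looked up by numeric id and owner, never by a client-supplied path, the key is compared in constant time and rotated after every request so a leaked URL is single-use, and the file is streamed with `fpassthru` so no direct URL to the mp3 ever exists.

```php
<?php
// mp3.php: serve a track only to its owner, only with the current per-request key.
declare(strict_types=1);

// Assumed: db.php returns a configured PDO instance (placeholder helper).
$pdo = require __DIR__ . '/db.php';

// Assumed media location; must be outside the document root so files
// cannot be fetched directly by URL.
define('MEDIA_ROOT', realpath('/srv/media'));

session_start();

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// Build the playlist XML for the given user, embedding the current key in
// each link. The playlist endpoint calls this after the same session checks.
function renderPlaylist(PDO $pdo, int $userId, string $key): string
{
    $stmt = $pdo->prepare('SELECT id, title FROM tracks WHERE owner_id = :uid ORDER BY id');
    $stmt->execute([':uid' => $userId]);
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<playlist>\n";
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $url = sprintf('mp3.php?songId=%d&key=%s', (int) $row['id'], rawurlencode($key));
        $xml .= sprintf(
            "  <track title=\"%s\" url=\"%s\"/>\n",
            htmlspecialchars((string) $row['title'], ENT_QUOTES | ENT_XML1, 'UTF-8'),
            htmlspecialchars($url, ENT_QUOTES | ENT_XML1, 'UTF-8')
        );
    }
    return $xml . "</playlist>\n";
}

// (a) Only an authenticated session may request media at all.
if (empty($_SESSION['user_id']) || empty($_SESSION['media_key'])) {
    fail(403);
}

// (b) The key in the URL must be the one bound to this session.
// hash_equals avoids leaking the key byte by byte through timing.
$key = (string) ($_GET['key'] ?? '');
if (!hash_equals((string) $_SESSION['media_key'], $key)) {
    fail(403);
}

// Rotate the key on every request (as the reply recommends); the player must
// re-fetch the playlist to learn the new key.
$_SESSION['media_key'] = bin2hex(random_bytes(16));

// Look the track up by integer id AND owner, so guessing ids yields nothing.
$songId = filter_input(INPUT_GET, 'songId', FILTER_VALIDATE_INT);
if ($songId === false || $songId === null) {
    fail(400);
}
$stmt = $pdo->prepare('SELECT path FROM tracks WHERE id = :id AND owner_id = :uid');
$stmt->execute([':id' => $songId, ':uid' => (int) $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    fail(404);
}

// Resolve the stored path and confirm it still lies under MEDIA_ROOT.
$real = realpath(MEDIA_ROOT . '/' . $row['path']);
if ($real === false || strpos($real, MEDIA_ROOT . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
    fail(404);
}

// Stream the bytes; no-store keeps proxies and browsers from caching a copy.
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($real));
header('Cache-Control: no-store');
$fh = fopen($real, 'rb');
if ($fh === false) {
    fail(500);
}
fpassthru($fh);
fclose($fh);
```

The playlist endpoint should run the same session check, call `renderPlaylist` with the key currently in the session, and send it with `Content-Type: application/xml` and `Cache-Control: no-store`; with that in place, pasting a playlist URL into a browser without the owner's cookie returns 403, and a copied `mp3.php` link stops working after the single request it was issued for.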
s0c0 Posted April 18, 2007 (Author)

These are good ideas and seem fairly simple to implement. Thanks for your input.