
Hide or encrypt urls of files?

Tags: php

Hello everyone and thank you for your time. I would just like to say that even though I'm no noobie at php, I don't know everything yet and I still lack some knowledge to be able to tackle some of these problems.

My current dilemma is:

I have a database with user-made songs that have all kinds of information including the location of said songs. The way I have it working is I have a php script that echoes an xspf playlist document for a flash player to read for whoever is browsing the songs. (The best part being that the player doesn't care that it's a php file as long as it receives the correct xml format.)

The problem is that anybody can look at the source (for example find that the player uses xspf.php?=song_id=10), and the php file will output everything in plain text. How could I hide or encrypt the location of the mp3 from users but still be able for the player to work properly?

I will also in the future have users be able to download tracks but I want to find a way to hide the location or maybe if it isn't too hard generate a temporary url? Do share what you think is best to tackle this problem.

And again thanks in advance for any responses!

Tek asked Feb 05 '10 08:02




4 Answers

Maybe the player also doesn't care about the extension of the files. You can put mp3 entries into your playlist with URLs like play.php?songid=some_encoded_value.

Then in play.php, you have to verify the user to have a valid session. You can also keep record of the number of times a songid (if generated) can be used to access a song - set this to 1 or 2? But depending on the player behavior (multiple requests on broken connection, etc.) this may not be the safest idea, but should be ok generally.

Note however that advanced users / developers who want to download the songs will nevertheless be able to, with more or less hacking. A solution for that would be streaming the songs encoded into the player, where the player would decode.

But then the decoder algorithm in the flash player could be deciphered, etc.

The more you work the safer you are, but absolute safety is not really possible.

Edit: The songid scheme would naturally require some mapping table between actual songids and real mp3 files. The mapping can be in session memory, but preferably in a database. The play.php file would use the readfile function (or similar) to output the song on the output. Alternatively, mp3 files can also be stored in the database in binary blobs.

ron answered Oct 23 '22 00:10


I don't know PHP, but concept wise, I would suggest the following:

  1. Use some encryption key that is specific for the current user's session and pass that along to the xspf.php file.
  2. Do not store the direct location of the MP3 files in the generated XML, but use a PHP file (with the user generated, session related key passed in - which is then validated) to serve the MP3 file to the Flash plugin, and keep the MP3 files in a directory not accessible through a static and public URL (so ideally outside of your web root).

Wim answered Oct 23 '22 00:10


I have restricted access to files by linking to a php script which checks if the user has access to the file, and echoing the file with readfile() if the user has access to the file. You can then keep the file in a directory that can't be accessed directly through a URL.

Kristian J. answered Oct 22 '22 22:10
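
The answers above describe a play.php that validates a session-bound key and streams the file with readfile() from a directory outside the web root; the following combines that with the temporary URL the question asks about. It is an added example, not code from any poster, and it uses an HMAC-signed expiry, which no answer names. SONG_URL_KEY, MEDIA_DIR, the function names and the sample map entry are assumptions.

```php
<?php
// play.php: added example, not code from the thread. SONG_URL_KEY, MEDIA_DIR and
// the id => filename map are assumptions; the map stands in for the database lookup.
declare(strict_types=1);
const MEDIA_DIR = '/srv/media/songs'; // assumed directory outside the web root
const LINK_TTL  = 300;                // seconds a generated link stays valid

function url_key(): string {
    $k = getenv('SONG_URL_KEY');      // assumed: random secret from server config
    if (!is_string($k) || strlen($k) < 32) throw new RuntimeException('SONG_URL_KEY missing or too short');
    return $k;
}

// Called by xspf.php when it writes a <location> entry for the player.
function make_song_url(int $songId, string $sessionId, int $now): string {
    $exp = $now + LINK_TTL;
    $sig = hash_hmac('sha256', "$songId|$exp|$sessionId", url_key());
    return "play.php?id=$songId&exp=$exp&sig=$sig";
}

// Returns the song id if the link is authentic, unexpired and bound to this session.
function verify_song_request(array $q, string $sessionId, int $now): ?int {
    foreach (['id', 'exp', 'sig'] as $f) {
        if (!isset($q[$f]) || !is_string($q[$f])) return null;
    }
    if (!ctype_digit($q['id']) || !ctype_digit($q['exp'])) return null;
    if ((int)$q['exp'] < $now) return null;
    $expected = hash_hmac('sha256', "{$q['id']}|{$q['exp']}|$sessionId", url_key());
    return hash_equals($expected, $q['sig']) ? (int)$q['id'] : null;
}

function serve_song(int $songId, array $files): void {
    $name = $files[$songId] ?? null;  // path comes from the map, never from the request
    $path = $name === null ? false : realpath(MEDIA_DIR . '/' . $name);
    if ($path === false || !str_starts_with($path, MEDIA_DIR . '/')) {
        http_response_code(404);
        return;
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $id = verify_song_request($_GET, session_id(), time());
    if ($id === null) { http_response_code(403); exit; }
    serve_song($id, [10 => 'constructed-sample.mp3']); // constructed sample entry
}
```

When xspf.php places the returned URL in the playlist XML, it must pass it through htmlspecialchars() so the `&` separators are escaped. The signature only limits who can fetch the file and for how long; the bytes still reach the client, as the first answer notes.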


Don't bother. Consider the situation where the Flash Player is behind a proxy. You'll see every URL in the proxy anyway. To see for yourself, use Fiddler (free tool, acts as proxy and shows HTTP traffic).

MSalters answered Oct 23 '22 00:10