Hello everyone and thank you for your time. I would just like to say that even though I'm no noobie at php, I don't know everything yet and I still lack some knowledge to be able to tackle some of these problems.
My current dilemma is:
I have a database with user-made songs that have all kinds of information including the location of said songs. The way I have it working is I have a php script that echoes an xspf playlist document for a flash player to read for whoever is browsing the songs (the best part being that the player doesn't care that it's a php file as long as it receives the correct xml format).
The problem is that anybody can look at the source (for example find that the player uses xspf.php?=song_id=10), and the php file will output everything in plain text. How could I hide or encrypt the location of the mp3 from users but still be able for the player to work properly?
I will also in the future have users be able to download tracks but I want to find a way to hide the location or maybe if it isn't too hard generate a temporary url? Do share what you think is best to tackle this problem.
And again thanks in advance for any responses!
Maybe the player also doesn't care about the extension of the files. You can put mp3 entries into your playlist with URLs like play.php?songid=some_encoded_value.
Then in play.php, you have to verify the user to have a valid session. You can also keep record of the number of times a songid (if generated) can be used to access a song - set this 1 or 2? But depending on the player behavior (multiple requests on broken connection, etc) this may not be the safest idea, but should be ok generally.
Note however that advanced users / developers who want to download the songs will be able nevertheless with more or less hacking. A solution for that would be streaming the songs encoded into the player, where the player would decode.
But then the decoder algorithm in the flash player could be deciphered, etc.
The more you work the safer you are, but absolute safety is not really possible.
Edit: The songid scheme would naturally require some mapping table between actual songids and real mp3 files. The mapping can be in session memory, but preferably in a database. The play.php file would use the readfile function (or similar) to output the song on the output. Alternatively, mp3 files can also be stored in the database in binary blobs.
I don't know PHP, but concept wise, I would suggest the following:
I have restricted access to files by linking to a php script which checks if the user has access to the file, and echoing the file with readfile() if the user has access to the file. You can then keep the file in a directory that can't be accessed directly through a URL.
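The approach these answers describe (an opaque play.php URL, a session check, a song-id-to-file mapping, files kept outside the web root and sent with readfile()), combined with the temporary URL the question asks about, as an added example that is not part of the original posts. The secret, the media directory, the `user_id` session key and the one-entry mapping are assumptions; the HMAC-signed expiry is one way to make the URL temporary, not something the posters specified.

```php
<?php
// play.php (added example; every name and path below is a placeholder)
declare(strict_types=1);
session_start();

const SECRET    = 'replace-with-a-long-random-value'; // assumption: read from config in practice
const MEDIA_DIR = '/srv/media/songs';                 // assumption: outside the web root
const TTL       = 300;                                // URL lifetime in seconds
const SONGS     = [10 => 'track-10.mp3'];             // stand-in for the database mapping table

// Used by the playlist script to emit a short-lived URL instead of the mp3 path.
// In practice this helper would live in a file shared with xspf.php.
function make_play_url(int $songId, string $sessionId): string
{
    $exp = time() + TTL;
    $sig = hash_hmac('sha256', "$songId|$exp|$sessionId", SECRET);
    return "play.php?id=$songId&exp=$exp&sig=$sig";
}

// The signature binds song id, expiry and session, so a copied URL stops
// working once it expires or when it is replayed from another session.
function token_is_valid(int $songId, int $exp, string $sig, string $sessionId): bool
{
    if ($exp < time()) {
        return false;
    }
    $expected = hash_hmac('sha256', "$songId|$exp|$sessionId", SECRET);
    return hash_equals($expected, $sig); // constant-time comparison
}

$id  = (int) ($_GET['id'] ?? 0);
$exp = (int) ($_GET['exp'] ?? 0);
$sig = (string) ($_GET['sig'] ?? '');

if (empty($_SESSION['user_id']) || !token_is_valid($id, $exp, $sig, session_id())) {
    http_response_code(403);
    exit;
}

// The file name comes only from the mapping, never from the request,
// so the request cannot steer readfile() to an arbitrary path.
$file = SONGS[$id] ?? null;
$path = $file === null ? null : MEDIA_DIR . '/' . $file;
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit;
}

header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

This limits who can fetch a song and for how long; as the answers note, a user who is allowed to play a track can still capture the bytes that are sent.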
Don't bother. Consider the situation where the Flash Player is behind a proxy. You'll see every URL in the proxy anyway. To see for yourself, use Fiddler (free tool, acts as proxy and shows HTTP traffic).