Newbie: Security Suggestions Needed to Prevent Access

[MikeinSC]

I am developing a site which will allow users to listen to Mp3 files from consenting artists. What I do not want to happen, is to lose the trust of my artists and have their material downloaded without their consent. I am setting up an embedded flash player which will play their music directly off the site. However, if you "view" the source code page, a knowledgable individual can see the file path where the files are located. So, all they would need to do is type out the full path in the URL, a media player then opens up, thus, allowing the user to download the file through the media player. I have tried this, and I am able to do it.

I attempted to use "hotlink protection", and purposely omitted the domain name I am using so that it would prevent potential individuals from getting to the files. However, that does not seem to be working.

Anyhow, I am looking for a way to protect these files. If it is a permission aspect, would I set the permissions to the whole folder where the files are located? If so, what would I set the permissions to?

Thanks everyone,

Mike

[PsiPro]

If you put the full URL there, it will be impossible to prevent people from donwloading it.

The easiest way to get around this is to associate each file name with somthing that isn't human readable such as a number or a HASH then have your flash player query a script to find the actual path to load the file from.

[WHMAutoPilot]

Expanding on PsiPro, it would be similar to this to validate the key for playing the music file and not showing the full url to the music file.

PHP Code:

<?php

/*
sample url: http://yoursite.com/playmusic.php?v=958d98f9s09d8f
that is the url for the player on the page, not the url to the music

create a random 16 character key using the function below
$musickey=substr(md5(date("r")), -16);

This should be generated and stored when the record is created and should not be on the same file as the player or it will cancel out the $v variable in the url.

create a database for the music file, then add the table for that database as shown below. quick and simple

CREATE TABLE `mp3_files` (
`music_id` bigint(22) unsigned NOT NULL auto_increment,
`music_filename` varchar(255) NOT NULL default '0',
`music_key` bigint(22) NOT NULL default '0',
 PRIMARY KEY  (`music_id`),
 KEY `music_filename` (`music_filename`),
 KEY `music_key` (`music_key`)
 ) TYPE=MyISAM AUTO_INCREMENT=1 ;

*/

// define your default music location
$query="select ";
$query.="* ";
$query.="from ";
$query.="mp3_files ";
$query.="where music_key='".$v."'";

$music=mysql_fetch_assoc(mysql_query($query));

$mp3file=$music['music_filename'];

// need to make sure that (a) a music key was entere and (b) it is valid based on mysql query
if($v && $music)
    {
    // not sure what you are using or I could put a sample embed tag here but this is where it will go
    }
else
    {
    echo "invalid music key provided";
    // you can also warn them for abuse here
    // you can send them to another page
    // you can grab their IP and log it
    }

?>

Or, you can do a quick search on flash music player via Google and come up with this one that allows you to embed the player and still now show the full path, it uses a defined base path for the files and pulls from that variable for the song file.

http://www.premiumbeat.com/flash_res...mp3_player.php

Quote:

Sample ablolute path:
so.addVariable("soundPath", "/files/song.mp3");
In this case the mp3 file would be located at www.site.com/files/song.mp3

Sample relative path:
so.addVariable("soundPath", "song.mp3");
In this case the mp3 file would be located at www.site.com/song.mp3

[MikeinSC]

First...thanks to both PSIPro and WHMAutopilot for the information. Very helpful. Unfortunately, I am not much of a programmer or dba for that matter. However, I do have a friend of that is very knowledgable with mysql. I think I will show him the suggestions that were mentioned and see if we can put something together.

Also, I have actually looked at the premium beat flash music player. It is good. The only problem is that there is an embedded link directly in the compiled flash file which could direct users to their site. Good for them...bad for me. Anyhow, I am using another player that seems to do the trick, without offering up a link to another site.

After I submitted my initial post, another thought I had was to have the mp3 play in either a lofi format, or, I could add some speech audio information at the end of each track; ie. "Thank you for listening to song 123". However, if a user wished to buy the mp3, they would directed to a higher quality file, without any annoying speech audio overage information.

It may just come down to which method is going to take up the least amount of time.

Thanks again,

Mike

[slapshotw]

I've had really good success using this player for that:

http://www.wimpyplayer.com/

[charlesgan]

IMO.. only demo clip 10sec-30 sec is put online.

and.. the paid mp3 is added to member personal account, with their download link. by this you can monitor times they downloading it as well