Protecting mp3 files on website?

"Brian Huether" <bhuetherNO@comcastSPAM.net> schreef in bericht
news:F7KdncvY8Z9bBvLYnZ2dnUVZ_omdnZ2d@comcast.com. ..
>>> <Files .htaccess>
>>> order allow,deny
>>> deny from all
>>> </Files>
>> You need to remove the <Files .htaccess> and </Files> line. That is
>> restricting the deny from all directive to the .htaccess file.
> I am wonering though if having that blanket deny statement might break
> other aspects of my site (i.e. I have photos and sometimes give people
> links to photos, etc).
For sure it will ....
Try
<FilesMatch "\.(mp.|wav)$">
order allow,deny
deny from all
</FilesMatch >
to block only any mpX and wav

HansH

"HansH" <hansh@invalid.invalid> wrote in message
news:457062f6$0$322$e4fe514c@news.xs4all.nl...
> "Brian Huether" <bhuetherNO@comcastSPAM.net> schreef in bericht
> news:F7KdncvY8Z9bBvLYnZ2dnUVZ_omdnZ2d@comcast.com. ..
>>>> <Files .htaccess>
>>>> order allow,deny
>>>> deny from all
>>>> </Files>
>>> You need to remove the <Files .htaccess> and </Files> line. That is
>>> restricting the deny from all directive to the .htaccess file.
>> I am wonering though if having that blanket deny statement might break
>> other aspects of my site (i.e. I have photos and sometimes give people
>> links to photos, etc).
> For sure it will ....
> Try
> <FilesMatch "\.(mp.|wav)$">
> order allow,deny
> deny from all
> </FilesMatch >
> to block only any mpX and wav
>
> HansH
>

Wow there is so much that I don't know about apache and this sort of stuff.
With the method you talked about, would that prevent downloading? Basically,
I want to allow people to stream but not download.

thanks!

brian

as you prohibit downloading by everyone, the only way to get an mp3 off
the server is by opening it from the filesystem, using php, and then
the php script would be browsed to by the persons browser (rather than
them browsing to the mp3 directly)
so your script does the streaming

"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1165022433.054665.143450@73g2000cwn.googlegro ups.com...
> as you prohibit downloading by everyone, the only way to get an mp3 off
> the server is by opening it from the filesystem, using php, and then
> the php script would be browsed to by the persons browser (rather than
> them browsing to the mp3 directly)
> so your script does the streaming
>

Does the code I am using serve that function?


function GetLink($exid, $type) {
if ((!pnUserLoggedIn()) && ($type != 4)) {
session_start();
$_SESSION['lasturl'] = getenv("HTTP_REFERER");

include("header.php");
OpenTable();
echo "You must be a registered user to access lesson audio. You can <a
href = \"user.php?op=register&module=NS-NewUser\">register</a> now for
free.";
CloseTable();
include("footer.php");
return;
}

if ($type == 0) {
$result = mysql_query("select url, file from nuke_mainlessons_exercises
where exid = $exid");
list($url, $file)=mysql_fetch_row($result);
if ($url == "") {
$link = pnGetBaseURL()."$file";
header("Location: " .$link);
} else {
$link = "$url";
header("Location: " .$link);
}

}

}

"Brian Huether" <bhuetherNO@comcastSPAM.net> schreef in bericht
news:EdydnZx1hvZ4Tu3YnZ2dnUVZ_oSdnZ2d@comcast.com. ..
>> Try
>> <FilesMatch "\.(mp.|wav)$">
>> order allow,deny
>> deny from all
>> </FilesMatch >
>> to block only any mpX and wav
>>
> Wow there is so much that I don't know about apache and this sort of
> stuff. With the method you talked about, would that prevent downloading?
> Basically, I want to allow people to stream but not download.
>
The file can not be requested directly. Request must be made via some (php)
script validating the user.
AFAIK a server cannot controle the clients final usage: listen, view or
store.
IIUC streaming is in fact presenting a file -as a movie or sound- while it
is being downloaded, about like reading a fax while it is printed during
transfer.

HansH

Brian Huether wrote:
> "shimmyshack" <matt.farey@gmail.com> wrote in message
> news:1165022433.054665.143450@73g2000cwn.googlegro ups.com...
>> as you prohibit downloading by everyone, the only way to get an mp3 off
>> the server is by opening it from the filesystem, using php, and then
>> the php script would be browsed to by the persons browser (rather than
>> them browsing to the mp3 directly)
>> so your script does the streaming
>>
>
> Does the code I am using serve that function?
>
>

Not quite. That code does validate the users in the way you want, but
instead of doing the streaming it simply redirects the user to the
file's public URL. If anyone else figures out this public URL, they
will be able to steal your files without authenticating.

What's a good analogy for this? How about this one:

You have a bunch of cash locked up in a vault. You have a person who
sits at the entrance of the vault and checks people's credentials when
they want to get some cash.

What you *want* is for this guy to go into the vault and get the cash
for people if their credentials check out, and bring it back and give it
to them. That way, they can't get into the vault but can still get cash
by asking your vault's doorman.

What you have right now is more like a vault with a doorman who checks
credentials, but the vault only has three walls. Anyone can just walk
around to the other side of the vault and get in because there is no
wall. Which makes it rather pointless to have a vault in the first
place - anyone who figures out that there is no wall on the other side
will have unfettered access to the cash. The doorman is there checking
credentials, but when someone's credentials check out all he does is say
"OK, your credentials are OK. Go around to the other side of the vault
where there's no wall and get your cash."

Is that a clearer explanation?

It seems like you're using a pre-built PHP framework for your site
(phpnuke?) and you probably upload the files through a web interface.
Your real problem here is that your framework is not fulfilling your
needs, and you may need to go outside of it to fix this problem.

Jeremy

"Jeremy" <jeremy@pinacol.com> wrote in message
news:ZE5ch.25759$dC7.24687@newsfe07.phx...
> Brian Huether wrote:
>> "shimmyshack" <matt.farey@gmail.com> wrote in message
>> news:1165022433.054665.143450@73g2000cwn.googlegro ups.com...
>>> as you prohibit downloading by everyone, the only way to get an mp3 off
>>> the server is by opening it from the filesystem, using php, and then
>>> the php script would be browsed to by the persons browser (rather than
>>> them browsing to the mp3 directly)
>>> so your script does the streaming
>>>
>>
>> Does the code I am using serve that function?
>>
>>
>
> Not quite. That code does validate the users in the way you want, but
> instead of doing the streaming it simply redirects the user to the file's
> public URL. If anyone else figures out this public URL, they will be able
> to steal your files without authenticating.
>
> What's a good analogy for this? How about this one:
>
> You have a bunch of cash locked up in a vault. You have a person who sits
> at the entrance of the vault and checks people's credentials when they
> want to get some cash.
>
> What you *want* is for this guy to go into the vault and get the cash for
> people if their credentials check out, and bring it back and give it to
> them. That way, they can't get into the vault but can still get cash by
> asking your vault's doorman.
>
> What you have right now is more like a vault with a doorman who checks
> credentials, but the vault only has three walls. Anyone can just walk
> around to the other side of the vault and get in because there is no wall.
> Which makes it rather pointless to have a vault in the first place -
> anyone who figures out that there is no wall on the other side will have
> unfettered access to the cash. The doorman is there checking credentials,
> but when someone's credentials check out all he does is say "OK, your
> credentials are OK. Go around to the other side of the vault where
> there's no wall and get your cash."
>
> Is that a clearer explanation?
>
> It seems like you're using a pre-built PHP framework for your site
> (phpnuke?) and you probably upload the files through a web interface. Your
> real problem here is that your framework is not fulfilling your needs, and
> you may need to go outside of it to fix this problem.
>
> Jeremy


I have a PostNuke site but I upload audio files via ftp. And I do have a
directory structure outside the web directory. I have forgotten a lot of my
PHP knowledge. For istance, say I have a file called audio.php that contains

<?php

function ServeAudio($file) {

echo $file;
//header("Location: " .$file);

}
?>

To test it, I have a file called audiotest.php that contains

<body>
<a href = "audio.php?op=ServeAudio&file =
<?php
echo "http://blah.mp3";
?>">file</a>
</body>

But I can not get it to successfully enter the ServeAudio function.

thanks,

brian

you are almost right, you must not redirect the user, instead you must
open and echo the file

now that this is getting into the realms of php, why not post to
alt.lang.php
but an extremely simple "streamer" would just be

header("Content-Type: audio/x-mpeg");
echo @file_get_contents($filename);

a better one would chunk the contents just above the bit rate. The
above script gets the whole mp3 in memory which is bad, readilfe,
fpassthru, and so on, all will "do" but there are a tonne of streaming
scripts out there. Watch out for server settings, timeouts and so on.

Of course you will probably want to send a playlist to their media
player, inside the playlist the urls will all point to your
"streamer"/"doorman" script - nice metaphor. You might want to check
out id3 functions so you can provide metainfo to the player too. Check
out phpclasses.org they have all this kind of stuff.

I suppose it goes without saying that you can keep the same urls to the
mp3s that youve always used, so you dont break scripts, just use
rewriterules to split off the mp3 filename and send it to you gateway
script that authenticates and streams, sorry shouldve have put that in
my last post.