This is a discussion on Protecting mp3 files on website? within the Apache Web Server forums, part of the Web Server and Related Forums category.

I have a website where I host guitar lessons. I force people to register in order to listen to audio. But I don't think I am using a good method for protecting the files and preventing people from reverse engineering to figure out the link. For instance, the files are located at www.mysite.com/myaudio/

Here is the code I use to process the audio links:

    function GetLink($exid, $type)
    {
        if ((!pnUserLoggedIn()) && ($type != 4)) {
            session_start();
            $_SESSION['lasturl'] = getenv("HTTP_REFERER");
            include("header.php");
            OpenTable();
            echo "You must be a registered user to access lesson audio. You can <a href = \"user.php?op=register&module=NS-NewUser\">register</a> now for free.";
            CloseTable();
            include("footer.php");
            return;
        }
        if ($type == 0) {
            $result = mysql_query("select url, file from nuke_mainlessons_exercises where exid = $exid");
            list($url, $file) = mysql_fetch_row($result);
            if ($url == "") {
                $link = pnGetBaseURL()."$file";
                header("Location: " .$link);
            } else {
                $link = "$url";
                header("Location: " .$link);
            }
        }
    }

After the command is successful, Media Player launches and shows the name of the file. So if someone knows the file is at www.mysite.com/myaudio/ then they can just append the audio clip name to that url and access the audio.

What is the proper way to do this?

thanks,

brian

Brian Huether wrote:
> What is the proper way to do this?
>
> thanks,
>
> brian

I think you should store the audio *outside* of the web directory, so it is not accessible by any URL. Then, once you've done this, you add a PHP script which will be the *only* gateway to the audio files. Here's some pseudocode for the PHP:

    checkUserCredentials();

    if(validUser)
    {
        //inform user agent of type
        header("Content-Type: audio/mpeg");

        //dump file contents to user agent
        //the file path could be taken from the database
        //but it should always be validated - see dirname() function
        putfile("/my/arbitrary/directory/myfile.mp3");
    }
    else
    {
        //display error page
        header("HTTP/1.0 403 Permission Denied");
        print "You didn't sign up, you big fat hacker!";
    }

Jeremy

"Jeremy" <jeremy@pinacol.com> wrote in message news:lyKbh.235$B42.184@newsfe12.phx...
> Brian Huether wrote:
>> What is the proper way to do this?
>>
>> thanks,
>>
>> brian
>
> I think you should store the audio *outside* of the web directory, so it
> is not accessible by any URL. Then, once you've done this, you add a PHP
> script which will be the *only* gateway to the audio files. Here's some
> pseudocode for the PHP:
>
> checkUserCredentials();
>
> if(validUser)
> {
>     //inform user agent of type
>     header("Content-Type: audio/mpeg");
>
>     //dump file contents to user agent
>     //the file path could be taken from the database
>     //but it should always be validated - see dirname() function
>     putfile("/my/arbitrary/directory/myfile.mp3");
> }
> else
> {
>     //display error page
>     header("HTTP/1.0 403 Permission Denied");
>     print "You didn't sign up, you big fat hacker!";
> }
>
> Jeremy

What do you mean by 'outside' the web directory? My base directory is public_html. Do you mean outside of that?

thanks,

brian

Brian Huether wrote:
> "Jeremy" <jeremy@pinacol.com> wrote in message
>> I think you should store the audio *outside* of the web directory, so it
>> is not accessible by any URL.
>
> What do you mean by 'outside' the web directory? My base directory is
> public_html. Do you mean outside of that?
>
> thanks,
>
> brian

Do you have access to anyplace on the filesystem other than public_html? Like a home directory, or the directory right above public_html?

If so, you can put them there. The goal is to have them in a place that's on the system, but not available via your web site.

If you don't have such a location on the system to which you can write, you can artificially deny access to your audio directory (and once again, only allow downloads by proxying them through a PHP script). If your server supports overrides in a .htaccess file, try creating a file called ".htaccess" in your audio directory and add the following lines to it:

    Order allow,deny
    allow from none
    deny from all

That will deny anyone direct access to your audio files.

Jeremy

"Jeremy" <jeremy@pinacol.com> wrote in message news:5ELbh.11409$dC7.2032@newsfe07.phx...
> Brian Huether wrote:
>> "Jeremy" <jeremy@pinacol.com> wrote in message
>>> I think you should store the audio *outside* of the web directory, so it
>>> is not accessible by any URL.
>>
>> What do you mean by 'outside' the web directory? My base directory is
>> public_html. Do you mean outside of that?
>>
>> thanks,
>>
>> brian
>
> Do you have access to anyplace on the filesystem other than public_html?
> Like a home directory, or the directory right above public_html?
>
> If so, you can put them there. The goal is to have them in a place that's
> on the system, but not available via your web site.
>
> If you don't have such a location on the system to which you can write,
> you can artificially deny access to your audio directory (and once again,
> only allow downloads by proxying them through a PHP script). If your
> server supports overrides in a .htaccess file, try creating a file called
> ".htaccess" in your audio directory and add the following lines to it:
>
> Order allow,deny
> allow from none
> deny from all
>
> That will deny anyone direct access to your audio files.
>
> Jeremy

I have this line in my .htaccess file but people can still access audio

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

If they type the audio directory they will see an index listing.

brian

Brian Huether wrote:
> I have this line in my .htaccess file but people can still access audio
>
> <Files .htaccess>
> order allow,deny
> deny from all
> </Files>
>
> If they type the audio directory they will see an index listing.
>
> brian

You need to remove the <Files .htaccess> and </Files> line. That is restricting the deny from all directive to the .htaccess file.

Jeremy

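As an added example (not a file from the thread), the two .htaccess variants side by side: the `<Files .htaccess>` version Brian posted, which scopes the deny to the .htaccess file itself, and a directory-wide deny placed only in the audio directory as Jeremy advises. The `Options -Indexes` line and the Apache 2.4 syntax are additions not mentioned in the thread; both require the server's AllowOverride setting to permit them.

```apache
# --- As posted: the Deny applies only to the file named .htaccess, so
#     file1.mp3 is still served and the directory listing still appears ---
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# --- Corrected: public_html/audio/.htaccess with no <Files> wrapper, so the
#     deny covers every file in audio/ and its subdirectories (Apache 2.2) ---
Order allow,deny
Deny from all

# Also stops the index listing Brian saw when the directory URL is typed
# (needs AllowOverride Options, or Indexes, for this directory)
Options -Indexes

# --- Apache 2.4 equivalent, where Order/Allow/Deny are replaced by Require ---
# Require all denied
```

The gateway script still reads the files via the filesystem, which .htaccess does not restrict; only direct HTTP requests into audio/ are refused.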
"Jeremy" <jeremy@pinacol.com> wrote in message news:YVMbh.4780$Vu4.906@newsfe10.phx...
> Brian Huether wrote:
>> I have this line in my .htaccess file but people can still access audio
>>
>> <Files .htaccess>
>> order allow,deny
>> deny from all
>> </Files>
>>
>> If they type the audio directory they will see an index listing.
>>
>> brian
>
> You need to remove the <Files .htaccess> and </Files> line. That is
> restricting the deny from all directive to the .htaccess file.
>
> Jeremy

I am wondering though if having that blanket deny statement might break other aspects of my site (i.e. I have photos and sometimes give people links to photos, etc).

thanks,

brian

You cannot simultaneously have files in a web accessible directory AND expect to be able to deny access to them in any meaningful way. You will have to follow the advice given: deny access by physically moving them, or (less good) by using .htaccess, then writing a gateway script that handles the "other aspects" that you talk about, as well as streaming to registered users.

On a separate point, if people are expected to listen online rather than download: if you have access to install modules or turn new ones on, have you tried mod_bw or another bandwidth controlling module? I use this myself to limit audio files (speech at a certain average bitrate) to just above what is needed. I know it's not as advanced as using rtsp to stream the audio, but it does stop someone from bothering to download them all (once they are registered and have access) because it would take months to do it. If you don't have the permission to do this, then you can read the files in chunks timed according to bitrate to give the right download time using php.

One more thing: do you protect against SQL injection, such as mysql_real_escape or LIMIT? You should be careful of this type of thing too, and needless to say there are a million other ways that unregistered users can get access to those files if they spot something while scouting round other parts of your site like the log page and contact page etc...

"Brian Huether" <bhuetherNO@comcastSPAM.net> wrote in message news:KMOdneEhker4HfLYnZ2dnUVZ_qydnZ2d@comcast.com...
> What do you mean by 'outside' the web directory? My base directory is
> public_html. Do you mean outside of that?

When a file is served directly by Apache (as you are doing now), the directory involved has to be specified in the Apache configuration file. Apache then makes the security decisions about whether it can serve it or not.

However, when a file is served by an executable (a PHP script, a CGI-BIN, a Perl script, etc.) it doesn't need to be something that Apache knows about. All that is required is that the Unix permissions be OK so that user "apache" (or however your system is set up) can access the file. The file can be outside of anything defined in the Apache configuration file, but the permissions must be set up so that the script can access the file.

When a script serves a file, i.e. http://www.mydomain.com/guitar_lesson_1.php or http://www.domain.com/guitar_lessons.php?lesson=1 or similar, what is really happening is that the script generates "dynamic" output to send to the browser. The browser does not treat this any differently than static content.

To "generate dynamic content" can mean a lot of things. It can mean the results of a database query; or (as in your case) it can mean a file that was chosen from the server.

The pseudo-code for your script should be:

    if (user is logged in && meets other criteria)
        give them the file;
    else
        give them a message telling them why you can't give it to them;

Dave.

Brian Huether wrote:
> "Jeremy" <jeremy@pinacol.com> wrote in message
>> You need to remove the <Files .htaccess> and </Files> line. That is
>> restricting the deny from all directive to the .htaccess file.
>>
>> Jeremy
>
> I am wondering though if having that blanket deny statement might break other
> aspects of my site (i.e. I have photos and sometimes give people links to
> photos, etc).
>
> thanks,
>
> brian

That's why you put these lines in a .htaccess file *in the directory with the audio*. That way, it will only affect the audio directory and the directories underneath it in the directory tree. Just make a separate directory for your audio and nothing else. No photos, just whatever files you want to deny people access to. I.E:

    - public_html
    |
    |---- /audio
    |---|--- .htaccess (contains the deny from all directive)
    |---|--- file1.mp3
    |---|--- file2.mp3
    |---|--- whatever_else.mp3
    |
    |---+ /photos
    |---|--- photo1.jpg
    |---|--- photo2.png
    |
    |--- index.html
    |--- audio.php

In this example, all the files in the /audio directory are protected from access. audio.php takes a parameter which specifies the desired file; it checks user credentials, validates the parameter and figures out the filename and then calls putfile("audio/$filename") which dumps the contents of the file to the browser. Since the actual files are protected from outsiders but the audio.php script has access to them, this allows people to download the files only after submitting to the authentication methods contained in audio.php - whatever they may be.

Jeremy

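An added example, not code from the thread, of the audio.php gateway that Jeremy's and Dave's posts describe, with the bitrate-paced chunked output the anonymous reply suggests in place of a plain putfile(). It assumes a PDO handle $pdo, the nuke_mainlessons_exercises table with exid and file columns (names from Brian's post), the audio stored in $audioDir outside public_html, and $_SESSION['uid'] set at login; every other name is an assumption for illustration.

```php
<?php
// Added example, not code from the thread. Assumes: a PDO handle $pdo, the
// nuke_mainlessons_exercises table with exid/file columns (from Brian's post),
// audio stored in $audioDir outside public_html, and $_SESSION['uid'] set at login.
session_start();
$audioDir = realpath(__DIR__ . '/../audio');   // assumed location, not under public_html

function deny(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg);
}
if ($audioDir === false) {
    deny(500, 'Audio directory missing.');
}

// 1. Authentication: no session, no file (replaces the redirect in GetLink()).
if (empty($_SESSION['uid'])) {
    deny(403, 'You must be a registered user to access lesson audio.');
}

// 2. Look up the file by exercise id with a prepared statement instead of
//    interpolating "$exid" into the SQL string as the original GetLink() does.
$exid = filter_input(INPUT_GET, 'exid', FILTER_VALIDATE_INT);
if ($exid === false || $exid === null) {
    deny(400, 'Bad exercise id.');
}
$stmt = $pdo->prepare('SELECT file FROM nuke_mainlessons_exercises WHERE exid = ?');
$stmt->execute([$exid]);
$file = $stmt->fetchColumn();

// 3. Path validation: basename() drops any directory part of the stored value,
//    realpath() resolves symlinks, and the prefix check keeps us inside $audioDir.
$path = $file ? realpath($audioDir . '/' . basename((string) $file)) : false;
if ($path === false || strpos($path, $audioDir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404, 'No such lesson.');
}

// 4. Stream in chunks paced to the bitrate, so a logged-in user gets playback
//    speed rather than a bulk download (128 kbit/s assumed, 25% headroom).
$chunk = (int) (128000 / 8 * 1.25);
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
$fh = fopen($path, 'rb');
while (!feof($fh)) {
    echo fread($fh, $chunk);
    flush();
    sleep(1);
}
fclose($fh);
```

A lesson longer than PHP's default max_execution_time needs set_time_limit(0) near the top of the script, and output buffering (ob_* or the web server's) must be off for the pacing to take effect.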