hiding path to real audio files

kevinsequeira

Hi,
I have a page that reads a .ram file to play an embedded real audio player. Is there a way to hide the .ram file or prevent anyone from reading it so that the physical location of the audio files are not given out and therefore anyone can link to them.
The .ram file is created dynamically after the user selects which audio clips to play.
An help would be appreciated.
reg
kevin

brandonschnell

hide the .ram files out of web directory. refer any references to the .ram files to get_ram.php?file_name=ram_file.ram or whatever php file you want. then use the php file to make sure the user is supposed to get the ram file and open and send the data to the user (send the headers and use include() as an example. many ways to do this). make sure users can't get creative with the .ram file to request another file (ie ?file_name=/etc/passwd would be bad, but a common mistake.)

kevinsequeira

im trying to use php/mysql to serve real audio files. How do i prevent the location of the source files from being displayed.
This is what i have done, i have 2 files, one containing the embedded script for the real player called file1.php and the other generates the src link file2.php

*************file1.php ******
$file = file2.php?list=12345.txt

this prevents the text file from being show in file1.php because it is displayed like this

but its just a matter of pasting the url file2.php?list=12345.txt to get the print out the location in file2.php

is there anyway to hide this ?? ive tried checking for headers on file2.php but it doesnt seem to work cause no headers are passed when this is called <param name="SRC" value="file2.php?list=12345.txt">
Maybe there is another way of doing this or checking for different headers or forcing headers to be passed ??????????

any help would be appreciated, thanks

edspace

There are many ways to protect the files you want. Its just a matter of how creative you want to get and how much time you want to spend.
I will explain a couple of ways you can protect them.

1- You can call file2.php?list=12345.txt&nr=1233e234525e5297e1234

The value for nr is the users ip address in hex. The ideas is this.

$nr = bin2hex($HTTP_REMOTE_ADDR);
Then in the embeded player you echo the url to file2.php with nr=$nr

echo "file2.php?list=$list&nr=$nr";

In file2.php you do the same thing.

$nr2=bin2hex($HTTP_REMOTE_ADDR);

if ( ($nr == $nr2) && $list )
//user came from your site so send the file url

else
echo "please dont leech my files";

The idea is the you encode something personal to every user such as the IP and you send it from file1.php to file2.php. In file2.php you check if that personal encoded string matches with the user and if it does that means that they came from your site.

So the only way for someone to link to your files would be if they got the users IP converted it to hex etc etc. I dont think anyone is going to go through that much trouble and even if they do there is no way they can know what you pass from one file to the other. If you see that someone links to your files u can always change a small part of your code and they will have no way to guess it.

The second way you can hide your files....more secure than the first is by using sessions.

In file1.php you start a session, register a unique variable to the session, and then call file2.php with the session ID.

In file2.php you check to see if that session contains the variable that you registered in file1.php. If the variable exists that means that the user came from your site. If the variable doesnt exist that means that its a leech.

After runing file2.php and sending the url to the user, unregister the variable so that they cannot reload file2.php without going through file1.php.

This is some code to get you started.

file1.php

//start session
session_start();

//register variable
//set it to 1 = true = play file
$_SESSION['play'] = 1;

//output embeded player code here
src="file2.php?list=<?=$list?>&<?=SID?>";

file2.php

session_start()

if ( play==1 && $list ) {
//output file url because user came from website and file1.php
}
else{

  //dont leach my files
 //404 message etc etc

}

//set it to 0 = false = dont play file
$_SESSION['play'] = 0;

Sorry for the mess but i dont have much time and i hope it helps you. After working on this problem for months i think thats the best way to protect the files. I use it on my own website and not a single page has been able to link to my files.