I have flash player in my web site for playing the mp3 files.But if someone uses "viewsource" or any browser tools such as firebug, then they can find the parameter and then sort out the actual mp3 file url.I am using php in my back end. There should be someway to hide these parameters but couldn't figure out how?
Any ideas?
Preface: If you show it on the web you can steal it. Period.
That said, you can make it a lot harder by masking the URL of the file by passing it through a php script that does two things:
1) Translates an encrypted GET parameter which can be validated AND can be used only once (store the variable in a database or log). This code will be created when the player is loaded, and once it's started buffering the file cannot be used again. This way the parameter cannot just be a random string (it has to be decryptable) and the user cannot just use the same URL.
The php in the html page the user would receive would look something like:
$key = 'My EnCyption Key';
$unique_string = "Generated at ".time().$_SERVER['REMOTE_ADDR']; //the time element changes the string each time and the IP address controls for multiple users simultaneously loading the same page
$tolken = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
and then then the flash player would be set to use the mp3 file:
http://yoursite.com/mp3/file_fetcher.php?file_id=123&tolken=<?php echo $tolken;?>
The file file_fetcher.php would have something like this (obviously this requires some fleshing out):
$fixed_string_part = "Generated at ";
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($_GET['tolken']), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
if (substr($decrypted,0,strlen($fixed_string_part))!=$fixed_string_part){
die("Your tolken is invalid");
}
//check that the tolken hasn't been used before:
$check_query = mysql_query("select * from `mp3_tolken_log` where `tolken`='$decrypted';",[connection identifier]); //write this more cleanly
if (mysql_num_rows($query)){
die("You've already used that tolken!");
} else {
$log_it = mysql_query("insert into `mp3_tolken_log` (`tolken`,`dateadded`) VALUES ($decrypted,NOW())"); //make sure it's in there so it can't be used again
}
//now get the file if we haven't already died
$contents = file_get_contents([path/to/mp3/file/specified/by/id/$_GET['file_id']]);
header('Content-Type: audio/mpeg');
echo $contents;
2) Check that the referring site is your own site (rather than them trying to access the script directly). Something like:
if (!isset($_SERVER['HTTP_REFERER'])){die("Restricted Access!");};
$_u=parse_url($_SERVER['HTTP_REFERER']);
$_u=preg_replace("/(www.)/i","",strtolower($_u['host']));
$_i=$_SERVER['HTTP_HOST'];
$_i=preg_replace("/(www.)/i","",strtolower($_i));
($_u == $_i) or die("Restricted Access!");
Of course this information can be faked, but between it and the single-access pass you shouldn't have to worry about direct downloads. That said, remember that there are a million ways to get the file from the stream, and there's just no way to stop that.