MASK URL with PHP


#1

Hi,

I found this really cool mp3 lister script, but was wanting to customise it a little. I want to mask the URL of the mp3s that can be downloaded. Like encrypt them or whatever, as long as people can't see where they are located.

Any ideas please? Any help appreciated!

[This is the link to the code as it's too long to post here.]

http://www.thetimezone.co.uk/code.txt


#2

I’ve had to write code similar to this before (though it was with a program and not with mp3s). What my boss decided on (was cheaper than paying me to do it the other way, which I’ll explain in a sec) was getting me to write a script that takes his program from a secure location (not in the wwwroot) and copies it to a random name in the downloads folder, linking to it on the page. If any of the timestamps on these programs are more than 15 minutes old (they would take about 5 mins to dl at 56.6 so 15 mins is the time I chose) they get deleted.

The other way to do it (if you are using Apache) is with .htaccess. I don’t think it will take you too much more time, but for the life of me I couldn’t get it working properly, so I’ll refrain from giving bogus advice. Google for .htaccess and you’ll find stuff right away.


#3

I made a secure pdf download by uploading the PDF into a MySQL DB and then having a secure log in that checked the purchase against another DB entry to determine eligibility. It sent a mail with link and the PDF was downloadable for 24 hours. Since the pdfs were 5-15 MB and there were several hundred, I don’t see why this wouldn’t work for mp3s.


#4

That still doesn’t answer the main question. How’d you make the link you gave them to download from secure? How’d you make it last only 24 hours? These are the two important steps. Obviously we can all make a script that requires a user to give a username/password before showing them the link - but how do we make sure the link isn’t going to be accessed by other people (by guessing the url, for example, though that isn’t as likely as brute force methods for finding it)?

.htaccess is the answer to these problems, but I couldn’t get it to work properly. If someone has found a way to use .htaccess with PHP successfully to create a secure download script, let me know. I’d love to see how you did it.


#5

Lookup mod_mysql if you want to use Apache and .htaccess.

As far as the time limit:
I generate a username, password and time - and use a secret word to make an md5 hash. These are stored in the DB. When a user clicks on a link sent via email, the hash and time are passed. They log in, and a new hash is made from their time, user and pass and compared to DB hash. If they match and time is less than 24 hours, pull the binary from the DB and pass it on.
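
The time-limited link asked about in #4 and described in #5, as an added example that is not part of the original posts. It swaps the MD5-plus-secret-word hash stored in the DB for a stateless HMAC-SHA256 signature checked in constant time; `SECRET`, the `FILES` map, `download.php` and the `/srv` path are assumptions for illustration.

```php
<?php
// Added example: expiring, tamper-evident download links (HMAC-SHA256).
// SECRET, FILES, download.php and the /srv path are illustrative assumptions.
const SECRET   = 'replace-with-a-long-random-server-side-secret';
const LIFETIME = 86400; // 24 hours, the window used in the thread

// Opaque IDs map to files kept outside the web root. The real path never
// appears in a URL, and request input is never used to build a path.
const FILES = ['a1' => '/srv/private-media/track01.mp3'];

function sign(string $user, string $fileId, int $expires): string
{
    // Length-prefix each field so two different (user, file) pairs can
    // never serialise to the same signed message.
    $msg = strlen($user) . ':' . $user . '|'
         . strlen($fileId) . ':' . $fileId . '|' . $expires;
    return hash_hmac('sha256', $msg, SECRET);
}

function makeLink(string $user, string $fileId, int $now): string
{
    $expires = $now + LIFETIME;
    return 'download.php?' . http_build_query([
        'f' => $fileId, 'e' => $expires, 's' => sign($user, $fileId, $expires),
    ]);
}

// Returns the private file path if the link is valid for the logged-in
// user at time $now, otherwise null.
function verifyLink(string $user, array $query, int $now): ?string
{
    $fileId  = (string)($query['f'] ?? '');
    $expires = (int)($query['e'] ?? 0);
    $sig     = (string)($query['s'] ?? '');
    if (!array_key_exists($fileId, FILES)) return null;   // unknown file ID
    // Constant-time compare: rejects forged or edited parameters.
    if (!hash_equals(sign($user, $fileId, $expires), $sig)) return null;
    if ($now > $expires) return null;                      // link has expired
    return FILES[$fileId];
}

// Constructed demonstration with a fixed clock value.
$now = 1700000000;
parse_str(parse_url(makeLink('alice', 'a1', $now), PHP_URL_QUERY), $q);
var_dump(verifyLink('alice', $q, $now + 3600));          // within lifetime
var_dump(verifyLink('alice', $q, $now + LIFETIME + 1));  // after expiry
var_dump(verifyLink('bob', $q, $now + 3600));            // different logged-in user
$q['e'] = (string)($now + 10 * LIFETIME);                // expiry edited in the URL
var_dump(verifyLink('alice', $q, $now + 2 * LIFETIME));
```

Only the first call returns a path; the download script would then send the file itself (for example with `readfile()`), so the storage location is never exposed.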


#6

Hey ManiacalV,

One of the things I will need to do is to convert several data fields into a PDF report for download. I’m a beginner at this stuff. Do you have any links or tips that would get me started at learning how?

Thanks


#7

Actually, I have never even looked at the PDF functions, so I can’t really help you there… sorry.


#8

Then what did this mean?

Sorry if it's a dumb question. I just saw the reference and made an assumption.


#9

You can store binary data in a MySQL database. This is pretty secure since the file isn’t physically stored in a folder on the drive that is accessible. You have to actually call the data from the DB and rebuild it, and allow the user to download it. If your security is tight on the login, then they’re not going to get the file unless they are logged in.


#10

Is there any kind of tutorial out there that you know of for that? That sounds very much like what I need to do.