In the first post I showed how to set up a basic audio player and play a song, and left this important part for later: how we can secure our songs and prevent downloads. So let's see how we can make them as secure as possible, so that most users fail to download a song or get direct access to the download link. After writing this, I hope to hear from you if there are any better ways to secure a song. Please discuss freely; hopefully it will help others who are seeking the same information.
To me, the best solution is to have two versions of the same song. One version contains only 30/40 seconds, and you let people play it in the browser; if they want to buy, ask them to use a user ID and password to get access to the full song. But if you don't want to go that way, follow me here.
Main Concept: Let's not let users understand where they are downloading or playing the song from. I mean, let's hide the download location! And then let's stop direct access to the folder location.
Let's say you have a directory named /music where you keep all the songs. We will hide this location and stop direct access to it. First of all, rename the folder where you are keeping all these secret weapons (e.g. eTsscXXzwolF), then create an .htaccess file in that directory and put the following code in it:
Options -Indexes
<files *>
order allow,deny
deny from all
</files>
After placing this code in the directory, you will see that you can't get direct access to the location via the browser. So we have blocked direct access, but we haven't hidden the directory yet. Let's do that now. I have got this nice script that hides the location and lets you download the file. I don't need to let people download the file, but I do need the location hider, so I modified the script for my needs.
<?php
// filename: hide.php
// Usage: <a href="hide.php?file=playlist.xml">How to use</a>

// Path to hide files (will not be revealed to users so they will never know your file's real address)
$hiddenPath = "xrrcOXX/";

// Check to see if the hide script was called
if (basename($_SERVER['PHP_SELF']) == 'hide.php') {
    if (!empty($_GET['file'])) {
        // VARIABLES
        $file = str_replace('%20', ' ', $_GET['file']);
        $category = (!empty($_GET['category'])) ? $_GET['category'] : '';

        // HACK ATTEMPT CHECK
        // Make sure the request isn't escaping to another directory. Both parameters
        // end up in the path, so both are checked: no leading dot, no "..",
        // and no slash, backslash or NUL byte anywhere.
        foreach (array($file, $category) as $part) {
            if (!is_string($part) || substr($part, 0, 1) == '.' || strpos($part, '..') !== false
                || strpbrk($part, "/\\\0") !== false) {
                // Display hack attempt error and stop before any file is opened
                echo("Hack attempt detected!");
                die();
            }
        }
        $file_real = $hiddenPath . ($category !== '' ? $category . '/' : '') . $file;

        // If requested file exists (and is a regular file, not a directory)
        if (is_file($file_real)) {
            // Prepare headers
            header("Pragma: public");
            header("Expires: 0");
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header("Cache-Control: public", false);
            header("Accept-Ranges: bytes");
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: " . filesize($file_real));
            if ($stream = fopen($file_real, 'rb')) {
                // Send the file in 8 KB chunks until it ends or the client disconnects
                while (!feof($stream) && connection_status() == 0) {
                    set_time_limit(0);
                    print(fread($stream, 1024 * 8));
                    flush();
                }
                fclose($stream);
            }
        } else {
            // Requested file does not exist (File not found)
            echo("Requested file does not exist");
            die();
        }
    }
}
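A stricter alternative to the string checks in hide.php, as an added example that is not part of the original post: it canonicalises the requested path with realpath() and accepts it only if it still lies inside the hidden directory and is an .mp3 file. The function name resolveHiddenFile(), the .mp3 allow-list and the temporary sandbox files are assumptions made for the illustration.

```php
<?php
// Added example, not the original post's code. resolveHiddenFile(), the
// .mp3 allow-list and the sandbox files below are assumptions.
function resolveHiddenFile($baseDir, $category, $file)
{
    // Arrays (?file[]=x) and NUL bytes are never valid name parts.
    if (!is_string($category) || !is_string($file)
        || strpos($category . $file, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false means "does not exist".
    $base = realpath($baseDir);
    $real = ($base === false) ? false : realpath("$base/$category/$file");
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the canonical path must still start with the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Serve audio only, so .htaccess or scripts in the tree are never streamed.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'mp3') {
        return null;
    }
    return $real;
}

// Constructed sandbox: one song inside the hidden directory, one file outside it.
$site = sys_get_temp_dir() . '/hide_demo_' . getmypid();
mkdir("$site/xrrcOXX/rock", 0700, true);
$made = array("$site/xrrcOXX/rock/vol11.mp3", "$site/xrrcOXX/.htaccess", "$site/config.php");
foreach ($made as $path) {
    file_put_contents($path, 'constructed sample bytes');
}
// Constructed requests as array(category, file).
$requests = array(
    array('rock', 'vol11.mp3'),         // normal request
    array('', 'rock/vol11.mp3'),        // slash, but still inside the base
    array('..', 'config.php'),          // climbs out through category
    array('rock', '../../config.php'),  // climbs out through file
    array('', '.htaccess'),             // inside the base, not audio
    array('rock', 'missing.mp3'),       // does not exist
);
foreach ($requests as $r) {
    $path = resolveHiddenFile("$site/xrrcOXX", $r[0], $r[1]);
    printf("%-5s %-18s %s\n", $r[0], $r[1], $path === null ? 'refused' : 'served');
}
// Remove the sandbox again.
array_map('unlink', $made);
array_map('rmdir', array("$site/xrrcOXX/rock", "$site/xrrcOXX", $site));
```

In hide.php the returned path would take the place of $file_real, with a null result ending the request before any header is sent.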
And now let's go back to our previous example to see how we can use it:
<h3>I Need You</h3>
<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' width='300' height='24' id='player1' name='player1'>
  <param name='movie' value='player.swf'>
  <param name='allowfullscreen' value='true'>
  <param name='allowscriptaccess' value='always'>
  <param name='playlistsize' value='180'>
  <param name='flashvars' value='file=hide.php?file=vol11.mp3&amp;duration=231'>
  <embed id='player1' name='player1' src='player/player-viral.swf' width='300' height='24' allowscriptaccess='always' allowfullscreen='true' flashvars='file=hide.php?file=vol11.mp3&amp;duration=231' />
</object>
Now these songs are more secure than before, and if you try to access a song from the link you get with Firebug, it won't work; instead you will get a blank page download. You can try it yourself and let me know if you have any questions.





Junal, besides that there is another quick way to prevent direct access to the music files. For example, when your player loads the song data, send some secret header info in it, or you can just use that HTTP__X_FORWARDED_FOR, to check that this request is actually made from your site's flash player.
And then, in htaccess, prevent hotlinking and direct access to the music file;
then it will be quite secure (not foolproof, there are many spoofers available).
Thanks Hasin bhai! I have learned a new thing
Great post, and it's now really hard for users to get the audio files downloaded. But I still think I can get the file from the Flash player cache in my local temp dir and rename that file to .mp3, and it should work.
Finding the file is not too difficult, as I can sort by creation time and then see if the file size changes while the player is streaming. There's in fact no way if you cache streams and depend on the Flash audio player, and you have to cache streams for a better user experience. You can change the file and put some wrong data inside the files and let your player skip those portions while playing.
Seems I am going to use this technique in my current project for audio gallery.