In the first post I showed how to setup basic audio player and play a song and left with this important part to show how we can secure our songs and prevent downloads. So lets see how we can make it most secured so that maximum users failed to download or get a direct access to the download link. After writing this, I will hope to hear from you, if there are any better ways we can make a song secured. Please discuss freely, hopefully, it will help others who are seeking same information.
To me best solution is, you have 2 types of songs of same song. One type contains only 30/40 seconds and you let them play on browser and if people want to buy then ask them to use user id and password to get full song access. But if you don’t want to go in that way, follow me here
Main Concept: Let’s not understand the users where they are downloading or where they are playing the song from. I mean lets hide the download location! And then let’s stop direct access to the folder location.
Lets say you have directory name /music where you are keeping all the songs. We will hide this location and will stop the direct access. First of all rename the folder where you are keeping all these secret weapons. (I.e : eTsscXXzwolF) and then create a htaccess file in that directory and put the following codes
Options -Indexes <files *> order allow,deny deny from all </files>
after placing this code in the directory, you will see you can’t get a direct access to the location via browser. So we have protected the direct access but we haven’t hides the directory yet. So let’s do it now…i have got this nice script that hide the location and let you download the file. I don’t need to allow people to download file but I need the location hider. So i modified this script for my needs.
//filename: hide.php // Usage: <a href="hide.php?file=playlist.xml">How to use</a> // Path to hide files (will not be revealed to users so they will never know your file's real address) $hiddenPath = "xrrcOXX/"; // VARIABLES if (!empty($_GET['file'])) { $file = str_replace('%20', ' ', $_GET['file']); $category = (!empty($_GET['category'])) ? $_GET['category'] . '/' : ''; } $file_real = $hiddenPath . $category . $file; $ip = $_SERVER['REMOTE_ADDR']; // Check to see if the hide script was called if (basename($_SERVER['PHP_SELF']) == 'hide.php') { if ($_SERVER['QUERY_STRING'] != null) { // HACK ATTEMPT CHECK // Make sure the request isn't escaping to another directory //if (substr($file, 0, 1) == '.' ¦¦ strpos($file, '..') > 0 ¦¦ substr($file, 0, 1) == '/' ¦¦ strpos($file, '/') > 0) { if ((substr($file, 0, 1) == '.') || (strpos($file, '..') > 0) || (substr($file, 0, 1) == '/') || (strpos($file, '/') > 0)) { // Display hack attempt error echo("Hack attempt detected!"); //die(); } // If requested file exists if (file_exists($file_real)) { $header_file = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ? preg_replace('/\./', '%2e', $file, substr_count($file, '.') - 1) : $file; // Prepare headers header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Cache-Control: public", false); header("Accept-Ranges: bytes"); header("Content-Transfer-Encoding: binary"); header("Content-Length: " . filesize($file_real)); if ($stream = fopen($file_real, 'rb')) { while(!feof($stream) && connection_status() == 0) { set_time_limit(0); print(fread($stream,1024*8)); flush(); } fclose($stream); } }else { // Requested file does not exist (File not found) echo("Requested file does not exist"); die(); } } }
and now let’s call our previous example to see how we can use it ….
<h3>I Need You</h3> <object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' width='300' height='24' id='player1' name='player1'> <param name='movie' value='player.swf'> </param><param name='allowfullscreen' value='true'> </param><param name='allowscriptaccess' value='always'> </param><param name='playlistsize' value='180'> </param><param name='flashvars' value='hide.php?file=vol11.mp3&duration=231'> <embed id='player1' name='player1' src='player/player-viral.swf' width='300' height='24' allowscriptaccess='always' allowfullscreen='true' flashvars="file=hide.php?file=vol11.mp3&duration=231" /> </param></object>
Now these songs are more secured than before and if you try to access from the link you get by firebug, it wont work instead you will get a blank page download. You can try it yourself 
and let me know if you have any questions.
I'm Md. Mizanur Rahman (Junal), Freelance web developer. You can call me at +1-905-975-0875 or email me at junal@junalontherun.com
