Is there any way to protect your files(php files/images files) from tracking ?? (TeleportPRO, HTTrack, etc)
-Thanks for your time!
HTTrack crawls through your website then downloads and follows all the links it finds. So anything that a user using a browser will see is what this program will see.
PHP is server side so all the client gets is the html your produce so you do not have to worry about anyone getting your source code with a program like HTTrack. The only way to get your source would be for a attacker to get direct access to the files with ftp/on the system itself...
And as your users will be able to see your images the program will download the images but how would this affect you? If you are selling the images, you could access them through a .php file that checks if the currently logged-in user has purchased the image and then and only then show it. But for images that are part of your layout/template, it is quite normal for everyone browser etc. to download it. Those programs just download them for local viewing.
Related
I am showing PDF, Video file preview in my web application, but i want to give only read access to users, no one can`t download PDF & video files, I want to prevent users, how can we prevent users to download it using PHP ? only they can view, please share you ideas as soon as.
Thanks
Any content that is shown on the client's side, technically speaking, already downloaded to the user's machine. If the user is seeing the PDF file - it's already been downloaded.
For video: it's not that straightforward, you can organize a streaming of the video. It'll be fairly more complex for the user to download it as one file, but still, can be captured.
I have a folder full of images on my server where my mobile app accesses them.
www.mysite.com/images/image001.jpg
Whoever has this link now can access the files. Also can comprehend that the images are in a certain order and thus guess the pattern etc...
The image links are gotten via the php inside the app that use token to verify the user is legit and indeed the request is coming from a mobile that has downloaded the app.
What I want to do is to secure the folder from external access and prevent people from accessing the folder and seeing everything from a browser and limit its access only via the php file.
I have used the trick of .htaccess with deny from all so that it show the forbidden message whenever someone visits from the web, however, all my JSON requests also do not work now.
What can I do to accomplish this?
You will have to serve the images with a PHP script that also checks that access is permitted.
Once you've done this you can simply store the images outside the web root, which makes them inaccessible from the web, except through the PHP file that serves them.
best option is to make the pic links randomized and un-guessable
so a pic link would look like this:
www.mysite.com/images/8Md9FhD1hANdIBUz4WVCzKR227fykTByq6SKHas5FyYJDr2EjAlIn1bS0f5gPJih.jpg
youtube use this method for "private" videos
users / bots cant be accesses randomly, and you cant guess the next pic.
when the user is authenticated display the link. the worst thing that can happen is that this user can share that link, (he can download and share not matter what you do)
when you save the picture on your server just randomize the name.
There are different user for my website, and for each user there are separate PDF files, I want to give users privilege to download their files(but should not see the files of others users). Now I have created a login and I have the user-id in SESSION (I am using PHP for backend). So what is the secure way of accomplishing this task? Also how should I manage many of these PDFs on my server? (currently I have kept all the PDFs in one folder, but this seems insecure and I think these can easily be extracted by the un-authenticated user)
At a high level:
Store your PDFs outside of your webserver document root. Make them completely inaccessible to direct browser access.
Write a PHP script to handle download requests. This PHP page can check the session user ID to ensure the user is requesting a file that they are allowed to access.
Use header() calls and readfile() to then send the appropriate PDF file to the user.
Feel free to come back and post a question when you've researched and worked on this, and have a specific question with code.
I have a website when requires the user to be logged in to access the contents. I need to embed some music player which can play some mp3. But the mp3 download link cannot be public, so is there any way to pass the PHP session to any flash based players so that the user can listen to it.
Edit: I would want a ready made flash player which has this functionality. Ideally something like the yahoo media player which can be embedded easily
First, you need to remember that if you're serving MP3 files via straight download (not streaming) anyone can simply download the file and then share it (even if the originally-used URL itself expires). So if you really need to protect your files, then use e.g. Flash Media Server to stream the files.
If you don't need that level of protection, you can still protect the link. Instead of linking the media player directly to your MP3 file, link it to a .php script that serves the MP3 file. The PHP script will check the session; if it's valid, it will serve the correct file; otherwise, it will serve a this link is expired MP3. Here's a topic covering that.
Again, though, if you're serious about protecting the files you need to use a streaming server.
I know it's practically impossible to not allow a user to download an mp3 file with all the various methods out there. But I'm stuck in a situation where i need to make things slightly more private/secure for my customers.
Here's my problem, I'm currently using this flash mp3 player http://www.flabell.com/flash/Flash-Mp3-Player-29 to stream/play the songs. The player uses xml for settings & playlist. I'm also using WordPress & the S2Member plugin.
I'm trying to allow the player to play songs but yet do not allow users to download/opening the direct links to the files. (eg: songs are located at domain.com/player/songs/*.mp3, script is in a level up). Is there a htaccess method to deny direct access but yet allow (local) scripts to call the file?
Also, I mentioned about S2Member plugin for WordPress.
The WordPress plugin has a built in restriction to as where logged in users can download files that are hidden from open access. So in order to download a song, u'll have to use domain.com/s2script_download?file=mysong.mp3.
The folder that hosts the files has a .htaccess with a "Deny All" in it. Is it possible to reuse this folder to play/stream songs with the flash player mentioned above?
To the best of my knowledge this isn't possible. Yes, it's possible to deny access to the outside world, while allowing access to local scripts. But Flash isn't a local script. All things being equal, a Flash app requesting a file is no different than a browser requesting a file. You can't block one without blocking the other.
The only solution that even comes to my mind is having the Flash app request the file with a special query string, i.e. /somesong.mp3?fromflash. Off course that won't stop most people from getting the song, but it could stop some people.