I know this question is silly.
But as per our intelligent Client request, I am not able to answer his question. Any one help for this.
We are building a online tutoring site. where it contains pdf, .ppt, .doc formats files are uploaded for reading as course materials. His (Client) request is that user can read all the contents but they must not download the materials and use this.
That is all the documents must be opened in their browsers.
Is it possible? Any other ideas?
Any other ideas?
Explain to your client that the only way for a document to appear on a user's computer screen is for the document to exist on that user's computer.
In other words, viewing a document involves downloading it. Even supposing the software on the user's computer somehow makes it impossible for the user to directly manipulate an electronic copy of the material, the user can take out a digital camera and take a picture of the screen.
There are ways to make it difficult for the user to save a copy of the file. However, it's likely that this will do more harm (frustrating users) than good (preventing theft).
Some users may want to peruse the material at times when they do not have an internet connection, or may want to copy it onto their mobile device (for instance), but accessing the internet on their mobile device is expensive so they would like to do the download on their computer.
If you send the data to the client the client has effectively downloaded it. You can make this difficult, but not impossible.
The only sure way to prevent downloading is to prevent viewing.
If this is a copyright problem it should be solved with legalese, not software.
Here are some guide-lines you may consider:
Don't put direct link of files such as:
Download
Instead, try to generate your pdf dynamically or put a another encrypted medium for
downloading eg:
Download
2: Don't allow directory browsing, use htaccess file with following commands:
Deny from ALL
3: Not sure, but you may possibly allow file opening this way too:
$filename="/path/to/file.jpg"; //<-- specify the image file
if(file_exists($filename)){
header('Content-Length: '.filesize($filename])); //<-- sends filesize header
header('Content-Type: image/jpg'); //<-- send mime-type header
header('Content-Disposition: inline; filename="'.$filename.'";'); //<-- sends filename header
readfile($filename); //<--reads and outputs the file onto the output buffer
exit; //and exit
}
Note: above is just an example of image not pdf but you can modify it for your needs.
An online site does not necessarily mean it is a web site. You could write a custom client that accesses the data and displays it.
The data would need to be encrypted between the client and the server. It probably should not be sent 'in bulk' either.
The effort associated with developing that is prohibitive.
You could license the software that allows users to read books, page by page, that is part of the Safari Books Online web site.
As best I can tell, they take the pages that they are going to display and turn them into small images. These images look as if they are sent in a random order, and assembled by the browser via javascript.
These tactics won't stop a determined person from getting your clients content... but the effort is unlikely to be worth it.
You could put the docs into Google docs and embed the docs viewer into your site. Of course, there's no stopping people from taking screenshots, copy/pasting text, downloading HTML, etc.
What do you mean by "read" but not "download"?? Do you know that even if you disable cache (which by itself is a bad idea) won't restrict an eaaaasy right-click>view source, "save target as", etc.?
I mean, the best you can have is a flash reader that is harder to save the content from, and that means disabling selection and copying, but anyway, it doesn't forbid anything.
The only way to forbid download is to return HTTP 403 :)
Related
I am building a site similar to thefuture.fm. DJs are able to upload MP3 files and set if the file only can be streamed or streamed and downloaded.
Visitors to the site don't have to login to listen to music. They should be able to stream/download these MP3 songs depending on the users settings.
I am using the jPlayer to play songs. I have searched all over the web but can't find any solution. Does jPlayer have any facility like prevent downloading of MP3 files? Or is there any way I can prevent this?
It's actually impossible to prevent downloading. You can make it harder for somebody, but he still needs to download all the data to hear the song. So even if you use some encryption to send the data to a flash player you write yourself, the player will have to decrypt it and play the audio. And since you can decompile flash it wouldn't be to hard to find out the algorithm. He could also just record the music again when playing it (similar to the first DVD decrypt tools, who just took a screenshot 30 times/sec to pass million dollar security measurements)
So the goal is to make it harder, not impossible.
Personally I would go for temporary available links in combination with a cookie, so I can still use jplayer and don't have to reinvent the wheel. Also use some obfuscating to make it harder to read the URL.
When somebody request the main URL (where you show your player) generate a unique key and save it in a cookie. The unique key should link to the IP address and request time stored in session.
Now create a link to the music file like playfile.php?file=music.mp3 or whatever. Just make sure that PHP will handle the file request. If you obfuscate this link it will be a little harder to find it.
In playfile.php check for the unique code in the cookie and check if it matches the IP address in session and the request time is less then EG 15 seconds (any longer and music won't play anyway with slow internet connection). If it is, stream the file. If it's not, block it.
Now if somebody would write a program/script to download the music, he can. But if somebody has the knowledge and time to do that, nothing will stop him from downloading it.
This will prevent any normal user from downloading it.
Preventing hotlinking is a bit easier, since in general you'll have a referrer string to check. If this is present then you'll know not to serve the content. Here is a code example.
Preventing downloading on the other hand is much harder - the best approach would be for a Flash application to decrypt data in realtime - if you use a simple encryption scheme, most client hardware should be fast enough. I couldn't find much for this on the web, so I wonder whether you'd have to do some Flash/Flex development yourself: download MP3 data in chunks, apply decryption routines from a library, and send them to some sort of MP3 decoding buffer. I suspect the password would be hard-coded.
Addendum: I've found that in later versions of Flash you can play dynamically generated sounds from a buffer (see here). So, if you're willing to get stuck into some Flash/Flex development, a solution is in sight. I couldn't find anything that accesses low-level MP3 routines, but don't forget that files don't have to be MP3 as transmitted from your server - convert them to whatever your app needs.
What you are searching for can't be achieved with JavaScript solution. If you want javascript to play something, it has to download it and in order to download it, JavaScript needs a URL.
Most common way to tackle this problem is using Adobe Flash and making a player in it. You can make your player stream content (mp3 in your case) without explicitly exposing actual data location to user.
Put the file(s) in a location that isn't accessible from the browser and use PHP to stream them out as a series of chunks using HTTP/1.1 206 Partial Content. Then use a method like this to edit the context menu to add/remove the 'save as'.
Use a session var to eliminate direct linking.
Actually, there is a player that DOES scramble the url and it works pretty good. We used it because of this excellent feature. It is not impossible to download/save the audio, but at least it is not a matter of just opening the inspector and copying the url. It also prevents from sharing to outside sources by URL. So, contrary to the above, it IS possible and it IS available :)
Check the plugin out here:
https://wordpress.org/plugins/mp3-jplayer/
I am developing a website with php that is about uploading and selling/buying pdf documents. Of course, I need to program it in a way that makes it impossible (or at least very hard) to copy the purchased documents.
Do you know of any mechanism to do this? Is it a programming issue or rather a pdf issue? Also, are there maybe other file types that you recommend that are better for this purpose than pdf? Maybe there should be another solution than downloading the pdf files but rather only viewing them in a browser?
Thank you!
Charles
EDIT
Maybe some more information is needed: The users on the website will upload the pdfs themselves, so there is no way to create the pdfs only when they are downloaded, as they are purely user generated input.
I believe password/certificate protected pdfs are an option, though iirc they require certificate verification (so Adobe Acrobat loads a certificate and verifies it against your server on each viewing). This can require a lot of faffing by the purchaser, and may put some people off the service.
I'd just generate the pdfs at purchase-time and embed the purchasers details (address, email, etc) visibly inside the pdf (don't do it just secretly as it would probably violate privacy laws in some countries, though you should embed a private 'transaction id'), and in it's metadata. This way it provides both a disincentive to sharing (in that either their details will be shared with others, or that they will have to take the effort to remove them (which is difficult for the average user if you place edit-locks in the file)).
It also potentially allows you to identify and block the user from additional purchases if you do find a shared document online.
As per question edit... It's possible to make automated edits to pdf documents through the use of Ghostscript. (may need integration with something like IMagick or other software depending on the type of edits you wish to apply)
I would embed them in my web-page. When the user downloads the document you loose control over it. (unless you implement some fancy DRM solution)
Simple way to go would be to use something like Flex Paper or other online viewers.
Create a page that verifies if a user is logged in for example and has the rights to download the PDF.
Try something like this when serving the file to the user, if you are using PHP for example:
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=\"file.pdf\");
I have decrypted my audio file, I now want to play it and then unlink it.
What I currently have is:
<?php
$destination = "/tmp_upload_dir_copy/test.mp3"
header('Content-Type: audio/mpeg');
readfile($destination);
unlink($destination);
?>
Anyone have any ideas what I'm doing wrong or what else do I need?
maybe I need to use fpassthru() ?
PHP works only server side. You can only guarentee the file is SENT to the client, but there is no way to directly make sure it has been PLAYED by the client.
Setting the header will only influence how the browser treats the data (in this case the browser is informed the data is audio). Chrome, for example plays audio files but some browsers may give users a download prompt.
You'll need client side software, like a audio playing component (search "Flash MP3 player") to embed in a page to play the audio file.
Sounds like you don't really want to delete the file immediately, as any number of things could go wrong on the user's end between downloading the mp3 and actually playing it. The user might need to initiate the file transfer again in many cases. Instead you might want to set up a cron job that runs every night and deletes the mp3 files that are more than one day old. (Also, I'm not sure what you meant by "decrypt" the audio file.)
I'm currently developing a game using PHP and MySql.
I'd like to allow users to be able to show images using a BBCode parser (NBBC) but i've been made aware of a potential security problem.
Allow me to explain:
The user enters a URL into a textarea box using code such as [img]http://example.com/image1.png[/img]
The user can then edit image1.png on the external server into a server side script that stores the user information (ip ect) and so forth.
User uses information to do some potentially nasty stuff!
My question is, how do we prevent this from happening and protect the users details when detailing with external sources?
The obvious answer is to only allow uploads to your site, but in this case, that really doesn't seem too practical.
Appreciate any help!
Actually you can by changing
[img]http://example.com/image1.png[/img]
into something like:
<img src="http://yourserver/proxy.blah?url=example.com/image1.png" />
So that your proxy would load the image instead of the user.
You can't because to your script it will look like a genuine image and there is no way of detecting anything different.
Any body can use .htaccess/ForceType to change the execution type of any file, grab user information and serve up an image in response.
I wrote a simple script for rotating images in a users forum signature many moons ago and it demonstrates this process: http://blog.simonholywell.com/post/374221718/flickering-images
You don't.
The only information the malicious user will be able to get is user's IP address and referrer URI, so you only need to make sure that nothing valuable is transmitted by it, (like session id, which you can bind to IP address or transfer via cookies).
It wouldn't even be necessary to turn that image into a script. The remote server's access log would capture the image request as it would any other request to a server. IP, browser UA, referer, etc...
If you allow external resources in user-provided data, you have no control whatsoever over how those resources are processed. If this image was for an Avatar (say), then nothing says the remote user can't make their avatar a puppy initially, then change it something nasty later on after the initial puppy picture's been approved.
Nothing says that the user couldn't point the avatar URL to a server they don't own themselves, in which case that other server's operator would get annoyed at the bandwidth theft and make the avatar picture into a Goatse-type image to get back at the bandwidth thief.
In short, if you allow external resources, you lose control. Keep everything in house where you can keep tabs on it.
Despite the responses saying this isn't a problem, it is. There are several ways to create a malicious image file that executes on the user's PC. You also have no control over whether the user's browser will honor the MIME type returned by the 3rd party server so it could return an executable file instead of an image, even though you may only allow links to files with image extensions (.png, .gif, .jpg, etc.). That interaction is entirely between your user and the 3rd party server but because it's embedded in your page the user experience will be that any infection originated from your site.
But even assuming the remote server only sends an image, you don't know if the image is even safe. See:
gifar image vulnerability
Infected .png files
Malicious code hides in jpgs
Uploading the images to your site is no walk in the park either, as discussed here.
User uses information to do some potentially nasty stuff!
You're being overly paranoid here. If a user is vulnerable just by having their IP known, their machine is already infested with a hundred different pieces of malware.
I want the videos that I play on my site should only be streamed but should not be accessible to download softwares. Can videos be protected from downloading so that no one should be able to record them
Thanks
Can videos be protected from downloading so that no one should be able to record them?
The short answer is: No.
Longer answer: It is impossible to protect anything from downloading unless you don't want anyone to watch it. Remember: if they can see it, they can record it.
Sure, just don't serve them up. By definition, for someone to view an online video, they have to download it. There's absolutely no way around it, short of forcing them to use a remote desktop type viewer. Once the bytes leave your server, you have absolutely zero control over what happens to them.
The answer to your question is no.
Why? No matter what sort of protection you put on the actual file, it needs to be transferred to the client computer somehow. And if you put some kind of DRM on the file so that only the person who's authorized to download the file can view it, it still needs to be viewed. This means that an enterprising person can intercept the actual values being displayed somehow and store them elsewhere. It could be as labour-intensive as getting a screenshot of every frame, then stitching that together to form a movie.
If you don't want people to download your videos, don't put them on public servers.