I'm building a streaming video site. The idea is that the customers should pay for a membership, login to the system, and be able to view the videos. I'm going with FlowPlayer for showing the actual videos.
The problem now is, the videos need to be stored somewhere publically and the url to the .flv files needs to be passed to flowplayer for it to be able to show them. This creates a problem because anyone can do a view source, download the video, and distribute it all across the internet.
I know some people serve images using php by doing an image header() and then they can do something like:
<img src="image.php?userId=1828&img=test.gif" />
The php script validates the user ID and serves up the .gif and the actual url of the gif is never revealed.
Is there anyway to do this with .flv or any other video format also? E.g, the file and user ID passed onto the PHP script, it validates them, and returns the video?
You can set up a directory containing the FLV files on your webserver that can only be accessed by PHP, then in your PHP script you can authenticate the user as usual and simply send a header to the browser telling it to expect an FLV, then echo the raw FLV data:
<?php
// here is where
// you want your
// user authentication
if ($isAuthenticated)
{
header("Content-type: video/flv");
echo file_get_contents($pathToFLV);
}
?>
As Chad Birch discussed, this will only prevent people from linking directly to the video - you can't prevent piracy this way.
The short answer is that no, you're never going to be able to prevent people from downloading your videos if they want to. There are various ways to make it trickier for them to do it, but there's no foolproof method. You're hitting what is basically the entire problem with DRM - you can't show someone your content without giving it to them unencrypted at some point, and if they can view it, they can rip it.
Since your flv player is a flash application, it will always be possible to download and decompile it. When decompiled the actual url to the flv will be visible. So it won't really make any difference if you are using direct url's to the flv movies or something like you described in your question
<img src="image.php?userId=1828&img=test.gif" />
Please google the word Pseudostreaming you will get the answer
There are some servers like lighttpd which has inherent support for flv streaming....
I hope you will get the answer.........
Apache with mod_flvx module also has similar effect like lighttpd.
Related
I am building a site similar to thefuture.fm. DJs are able to upload MP3 files and set if the file only can be streamed or streamed and downloaded.
Visitors to the site don't have to login to listen to music. They should be able to stream/download these MP3 songs depending on the users settings.
I am using the jPlayer to play songs. I have searched all over the web but can't find any solution. Does jPlayer have any facility like prevent downloading of MP3 files? Or is there any way I can prevent this?
It's actually impossible to prevent downloading. You can make it harder for somebody, but he still needs to download all the data to hear the song. So even if you use some encryption to send the data to a flash player you write yourself, the player will have to decrypt it and play the audio. And since you can decompile flash it wouldn't be to hard to find out the algorithm. He could also just record the music again when playing it (similar to the first DVD decrypt tools, who just took a screenshot 30 times/sec to pass million dollar security measurements)
So the goal is to make it harder, not impossible.
Personally I would go for temporary available links in combination with a cookie, so I can still use jplayer and don't have to reinvent the wheel. Also use some obfuscating to make it harder to read the URL.
When somebody request the main URL (where you show your player) generate a unique key and save it in a cookie. The unique key should link to the IP address and request time stored in session.
Now create a link to the music file like playfile.php?file=music.mp3 or whatever. Just make sure that PHP will handle the file request. If you obfuscate this link it will be a little harder to find it.
In playfile.php check for the unique code in the cookie and check if it matches the IP address in session and the request time is less then EG 15 seconds (any longer and music won't play anyway with slow internet connection). If it is, stream the file. If it's not, block it.
Now if somebody would write a program/script to download the music, he can. But if somebody has the knowledge and time to do that, nothing will stop him from downloading it.
This will prevent any normal user from downloading it.
Preventing hotlinking is a bit easier, since in general you'll have a referrer string to check. If this is present then you'll know not to serve the content. Here is a code example.
Preventing downloading on the other hand is much harder - the best approach would be for a Flash application to decrypt data in realtime - if you use a simple encryption scheme, most client hardware should be fast enough. I couldn't find much for this on the web, so I wonder whether you'd have to do some Flash/Flex development yourself: download MP3 data in chunks, apply decryption routines from a library, and send them to some sort of MP3 decoding buffer. I suspect the password would be hard-coded.
Addendum: I've found that in later versions of Flash you can play dynamically generated sounds from a buffer (see here). So, if you're willing to get stuck into some Flash/Flex development, a solution is in sight. I couldn't find anything that accesses low-level MP3 routines, but don't forget that files don't have to be MP3 as transmitted from your server - convert them to whatever your app needs.
What you are searching for can't be achieved with JavaScript solution. If you want javascript to play something, it has to download it and in order to download it, JavaScript needs a URL.
Most common way to tackle this problem is using Adobe Flash and making a player in it. You can make your player stream content (mp3 in your case) without explicitly exposing actual data location to user.
Put the file(s) in a location that isn't accessible from the browser and use PHP to stream them out as a series of chunks using HTTP/1.1 206 Partial Content. Then use a method like this to edit the context menu to add/remove the 'save as'.
Use a session var to eliminate direct linking.
Actually, there is a player that DOES scramble the url and it works pretty good. We used it because of this excellent feature. It is not impossible to download/save the audio, but at least it is not a matter of just opening the inspector and copying the url. It also prevents from sharing to outside sources by URL. So, contrary to the above, it IS possible and it IS available :)
Check the plugin out here:
https://wordpress.org/plugins/mp3-jplayer/
Currently working on an offshoot of the idea more adequately addressed here.
Creating a Secure File Hosting Server for PDFs
I'm developing a secure PDF hosting website where certain users can download certain PDF's that I have stored outside of the webroot to prevent people from accessing documents they shouldn't access.
I've got the download working using the first solution, but I want to implement a 'view/preview' feature too. I still don't get content headers as well as I should but I believe what is causing the bulk of my issues is I can't put a 'src' attribute on the embed/object/iframe/whatever. And that's kind of the point of the system.
My question is, is there any way to feed a file (as opposed to a url) to an embed/object? I would like to keep my current system and I'm going for simplicity at the moment so the easier the better.
I saw Recommended way to embed PDF in HTML? and will probably check out pdf.js if I'm trying something that isn't doable.
I have not yet had the chance to play with pdf.js, but it either that or a flash player of some sort.
Or you rely on the browser to display it has a webpage and you can iframe it, but that's so lame... it would work only for a fraction of you users.
PDF2SWF - convert PDF to SWF ( 1 page = 1 SWF).
Use other SWF (reader) to load SWF pages via XML or something else.
Use $_SESSION to store ID of PDF document which should be served through e.g. /preview (same link for previewing all documents)
Don't serve original PDF, put a watermark, or make them low-res.
Otherwise, your PDF will never be "secure".
http://www.swftools.org/
I want the videos that I play on my site should only be streamed but should not be accessible to download softwares. Can videos be protected from downloading so that no one should be able to record them
Thanks
Can videos be protected from downloading so that no one should be able to record them?
The short answer is: No.
Longer answer: It is impossible to protect anything from downloading unless you don't want anyone to watch it. Remember: if they can see it, they can record it.
Sure, just don't serve them up. By definition, for someone to view an online video, they have to download it. There's absolutely no way around it, short of forcing them to use a remote desktop type viewer. Once the bytes leave your server, you have absolutely zero control over what happens to them.
The answer to your question is no.
Why? No matter what sort of protection you put on the actual file, it needs to be transferred to the client computer somehow. And if you put some kind of DRM on the file so that only the person who's authorized to download the file can view it, it still needs to be viewed. This means that an enterprising person can intercept the actual values being displayed somehow and store them elsewhere. It could be as labour-intensive as getting a screenshot of every frame, then stitching that together to form a movie.
If you don't want people to download your videos, don't put them on public servers.
Is there anyway to hide .swf path showing up from webpage?
you can use a php script something like getswf.php?name=flash.swf in your flash tags. Then create getswf.php script to respond with output of flash.swf file, and keep flash.swf file in a directory outside of public directory.
There may be ways to make it difficult to view. However, nothing you do can stop an intelligent adversary from using a tool like Fiddler to monitor web traffic and undo all your obfuscation.
I think this is a fairly pointless exercise. Any resource that gets sent to a browser, be it an image, sound, flash movie, even flv files loaded by the YouTube player, can all be saved to disk fairly easily.
As Justin mentions, Fiddler can achieve this easily.
As others answered it there are ways to do it using your script. If you are looking for a paid option check this out Media Vault.
Hiding the URL to the swf file might be quite a challenge but there are other things you can do if you're wanting to more closely protect the video/data being displayed by the swf.
I'll run through a couple of ideas in the order I think them most obfuscated with the least first. Bare in mind that most of these techniques merely make it harder to get to the information/video rather than making it impossible to obtain.
The main idea most sites tend to follow is that of having the swf as a player and the content in another file somewhere else, usually an flv or mp4 etc.
Add flv location through Javascript
This technique is as basic as it sounds. You have your swf player on the page and pass a new variable too it (such as 'file') with the location to the flv file using Javascript. If you're already loading your content with some kind of JS flash module then all the easier to begin implimenting.
Obfuscating flv location through XML
Another techniqe I've seen used quite recently is that of having an XML document as a paremeter to the swf player and then the flash player itself resolves the URL of the flv from a node in the XML. It's easy to get to the flv URL if you want to but it does make it that little bit harder.
Token access
This technique can be used in conjunction with any of the above two. You basically ensure that your flv files can only be accessed with the use of a special token otherwise the page returns a HTTP error. The token would be understood by the flash player and the server and upon the player making a request for the flv, a token must be included (usuallu the token itself is obfuscated in some way that it cannot be easily mimmicked through a simple GET request).
Domain access
Very similar to the above however in this case, the flv file will only be loaded when the requesting URL is a specific site. All other requests will be denied (such as directly hitting the flv location in your browser.
As stated above, none of these methods make it impossible to get hold of your flash material. If it's on the web (or any network for that matter), it's possibly a target. You'll usually find for most things that making it harder to obtain will deter a lot of those who would otherwise have been privy to downloading your content.
Completely hiding the URL to the swf
If your only criteria is to hide the URL then hiding it behind a URL rewrite is the best option I can think of.
Your swf might be at /location/flash/player.swf?file=summer.flv and then you could do a URL rewrite to something like /vacations/summer2011/.
This way the URL to the swf is completely hidden away and this should satisfy your desire to hide the swf path.
The answer is NO.
You may not want to believe it. but it is a fact. you can do all you like to obfuscate it. but the browser needs to find it. if the browser can find it so can anyone else.
A server side script that acts as a loader will hide the real path to the file, but to what purpose. the end result is the file is still available.
If you want a simple answer, so simple people can't find it then the people here have given you some suggestions. obfuscation is the best you can hope to achieve.
Alternately only allow approved users access to the file. that way they need to log in to get access to it. but if you want it available publicly then its well, public!
DC
So would like to do: get an flv file from a protected directory and feed it to a swf embedded player as a parameter using PHP.
Is this possible?
Sending the contents of the file to the embedded player does not seem to work.
Well, since the player requires that the client fetches both the player and the FLV from the server, I suspect that this would require a temporary location from which the FLV is made accessible to the user via a URL. The most obvious solution is to create an expiring URL that times out in a reasonable amount of time, preventing users from linking directly to the FLV. I'm not sure if there's a way to keep it protected beyond this without embedding the address to the file in the flash itself dynamically - basically, you can't use a general purpose player that takes a URL for the FLV as a parameter if additional protection is required.
Edit: Here is a potential solution using the JW player: Code URL in V4 for protection against leechers
And here is another possible solution along the lines of my original comment: Flashcomguru.com: 'Streaming' flv video via PHP, take two
The Flashcomguru link look promising, not sure I understand this stuff however.
I'm not a Flash guy but I know someone that may be able to help.
I'm also not sure how to create a 'create an expiring URL"
Not sure what you mean with "feed it to a swf embedded player as a parameter using PHP", but looks like what you want to do is this:
Store your flv file somewhere outside the DocumentRoot in your server.
Create a PHP script that based on some parameter, reads the flv file and serves it. I'm assuming that you are planning to have some authentication in this php script to prevent anyone from just calling your PHP script and getting the flv as if it was in the DocumentRoot
Create an swf clip that will call the PHP script to retrieve the flv to the client.
If that is what you want, the part of the script in 2 that reads and serves the flv should be pretty straight forward using the standard file accessing functions from the PHP API and setting the appropriate content-type header before echoing it out.