4images Forum & Community
4images Issues / Ausgaben => Discussion & Troubleshooting => Topic started by: Ushkand on May 19, 2003, 07:44:54 PM
-
Ok, finally bought the commercial license as I went commercial last week. :) Here is my predicament: I am serving video files via the script and disabled server play so that members can only download the files. As these files will be available for paid members only, I'd like to protect them by placing them below the webroot.
I am using the download URL field to tell Download.php where the file is. Everything seems to be working ok, till I try to play the video downloaded this way. For some reason the file seems to be corrupted, even though the size and everything else is the same. I am guessing the file header is getting screwed. How do I fix this so that the videos downloaded from below the webroot play fine? I am serving mostly .AVI files.
-
4images does not read each file and return the file contents to the browser. It is designed to provide valid HTTP links to media source files and then hands these off to your web server to deliver to the visitor. Placing files outside the web root will not work.
-
Can download.php be modified to read the file headers? I desperately need this to work. Thanks for your help.
-
I suppose it could although I don't know how.
-
Your host won't be very happy, because the way u want it to be done the script must read the files into memory, then throw it to the client browser...that would take a lot of the server's performance.
-
I am on a dedicated server so that shouldn't be a problem. Since all the files are going to be .AVI, could I not set download.php to tell the browser by default that it is a video file without having to read each and every file every time someone downloads a file?
-
Since you want to place the files outside of your web root, download.php must tell the browser the mime header type AND read and deliver the avi files to the browser. That's going to be a big load on your php processes.
-
That's going to be a big load on your php processes.
exactly!
but here is an example how to read and print a picture stored outside of web root:
<?php
$file = "e:/iguana.jpg";
$file_size = filesize($file);
$fp = fopen($file, "rb");
$data = fread ($fp, $file_size);
fclose($fp);
header('Content-Type: image/jpeg');
echo $data;
?>
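
A chunked variant of the example above, added here as an illustration and not part of the original post or of 4images: it checks that the requested name stays inside the protected directory and streams the file 8 KB at a time instead of loading it whole. `MEDIA_ROOT`, the `file` parameter and the `$_SESSION['paid_member']` flag are assumptions.

```php
<?php
// Added example, not 4images code. MEDIA_ROOT, the "file" parameter and the
// $_SESSION['paid_member'] flag are hypothetical names chosen for illustration.
define('MEDIA_ROOT', '/srv/private_media'); // assumed directory outside the web root

function send_protected_file($root, $name)
{
    // Resolve ".." and symlinks, then require the result to stay inside $root
    // so a crafted name cannot reach other files on the server.
    $base = realpath($root);
    $path = realpath($root . '/' . $name);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    $fp = fopen($path, 'rb'); // binary mode, so bytes are not translated on Windows
    if ($fp === false) {
        header('HTTP/1.1 500 Internal Server Error');
        return false;
    }
    // Discard buffered output: any stray byte sent before the file data
    // ends up inside the downloaded file.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    set_time_limit(0); // large videos can outlast the default script time limit
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    // Send 8 KB at a time so memory use stays constant whatever the file size.
    while (!feof($fp) && !connection_aborted()) {
        echo fread($fp, 8192);
        flush();
    }
    fclose($fp);
    return true;
}

session_start();
if (empty($_SESSION['paid_member'])) {      // access check runs before any file I/O
    header('HTTP/1.1 403 Forbidden');
    exit;
}
send_protected_file(MEDIA_ROOT, isset($_GET['file']) ? $_GET['file'] : '');
```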
-
One final comment. Web servers are highly optimized to serve files off hard disks and this is why their performance will exceed what php can deliver.
Best wishes.
-
That's going to be a big load on your php processes.
Can you guys suggest a better way to protect the videos? Though the script masks the download url, Netscape users can easily get the direct url link. I figured placing videos outside webroot would be the most secure way.
Btw v@no, where do I place this code in download.php? and
$file = "e:/iguana.jpg";
Could I replace this with the Download URL parameter?
-
Btw v@no, where do I place this code in download.php?
sorry, that was just an example of how it would work...this method would maybe be useful for small files, images (I use it at my site), but for video I don't know..
-
... so that members can only download the files. As these files will be available for paid members only, I'd like to protect them by placing them below the webroot.
Why not just change the "View Image" setting to private or registered user? Your best approach is to restrict access to the download button. Moving files outside the web root only prevents hotlinking by other sites. If you password protect the media directories, require HTTP authentication or change the 4images settings as I've suggested, you'll accomplish the same thing.
-
Why not just change the "View Image" setting to private or registered user? Your best approach is to restrict access to the download button.
well, that's not the point, any registered member could click the download button and find out the path for the file and they won't need to use download.php anymore, they can use it over and over again, or send it to someone. if u use a script that would read the files (outside root not necessary) and then send them to the browser, u won't be able to get the files without starting the script, but this is a big performance drawback...
If you password protect the media directories, require HTTP authentication
I might have done something wrong, but I've tried to do it this way, and it asked me for user/pass when I opened details.php
the .htaccess for antileech will kill the ability to play video/audio files on the page...
-
Well perhaps this will illustrate my suggestion better.
1. Create a new user group called "PaidMembers"
2. Set the "Download" permission for each category to "Private"
3. Now edit the "Permissions" for the user group "PaidMembers" and set the download for each category to "Yes"
When a registered user remits payment, place that user in the "PaidMembers" user group.
This should work, shouldn't it?
-
Well perhaps this will illustrate my suggestion better.
1. Create a new user group called "PaidMembers"
2. Set the "Download" permission for each category to "Private"
3. Now edit the "Permissions" for the user group "PaidMembers" and set the download for each category to "Yes"
When a registered user remits payment, place that user in the "PaidMembers" user group.
This should work, shouldn't it?
Chris this is exactly what I am doing right now. Like v@no says, any paid member can easily get the download link (direct url to the videos) and share it with others. These other visitors can just type in the direct url of the video and download them.
the .htaccess for antileech will kill the ability to play video/audio files on the page...
I am not using any server play. Is there any way I can set the .htaccess to let videos be downloaded only through download.php and not with a direct url link?
-
Chris this is exactly what I am doing right now. Like v@no says, any paid member can easily get the download link (direct url to the videos) and share it with others. These other visitors can just type in the direct url of the video and download them.
Perhaps I'm missing some information and you can explain to me why you believe the other people will actually get the file.
Here are two 4images behaviours to be aware of:
1. The download link is in a form of: http://www.domain.com/4images/download.php?image_id=1416
Thus the actual server path is not revealed
2. If the link is shared with others, it will redirect them to the home.html page because they aren't logged in. Thus they have no permission to download. This is because you set the download permission to "Private" per my previous instructions.
I tested this myself on a clean install of 4images. Have you also tried it?
-
actually, when u click on the download button it will execute download.php, but then the DIRECT LINK to the file will be sent back to the browser... that's the problem....
so, to prove it, here is the test:
first as I showed before, will show picture from outside of web root:
http://come.no-ip.com/iguana.php
second will do exactly the same what download.php does (well, almost the same, I skipped header that makes download the image instead of showing it):
http://come.no-ip.com/iguana.php?skip=yes
as u can see in your browser, after image was loaded it shows the direct path to it, no more .php file...
if u use some download managers, then u can easily find out the direct path to the file... :(
-
second will do exactly the same what download.php does (well, almost the same, I skipped header that makes download the image instead of showing it):
http://come.no-ip.com/iguana.php?skip=yes
as u can see in your browser, after image was loaded it shows the direct path to it, no more .php file...
if u use some download managers, then u can easily find out the direct path to the file... :(
Well of course if you remove that header you're gonna see the path. That header controls what mime type is returned to the browser. In the case of download.php it's an "application/<browser specific>" mime type such as "application/octet-stream". When you remove it, the mime type changes to that of the file "image/jpeg" in this case.
I've tried the download.php link in an FTP client and the server path was not revealed. I don't have any download manager installed. I also tried using 3 browsers. Not once was I able to see the path.
Can anyone show me a real example of where the path is revealed? Show me a screen shot of a browser, download manager or some other software where it's revealed. Without an actual live example, I'm simply not convinced the path will be known to the end user.
Besides, even if the path IS revealed what's wrong with using .htaccess in the 4images/data/media directory?
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]
Now the other person can't enter the link to get the file.
Please show me how it's revealed so I have something to examine to think up some ideas.
-
Well of course if you remove that header you're gonna see the path. That header controls what mime type is returned to the browser. In the case of download.php it's an "application/<browser specific>" mime type such as "application/octet-stream". When you remove it, the mime type changes to that of the file "image/jpeg" in this case.
Yes, I know that, what I was trying to show u is what download.php actually sends back to the browser - FULL PATH for the file.
Only that fact is making this method insecure, especially if u have a paid service...
Besides, even if the path IS revealed what's wrong with using .htaccess in the 4images/data/media directory?
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]
Now the other person can't enter the link to get the file.
that's right, but this method will work only for images, or for the download button, because if u try to play video/audio or even show flash movies (anything that requires browser plugins) directly from the page it won't work...
here is a little discussion about that:
http://4homepages.de/forum/viewtopic.php?t=5292
-
oops...I just took a close look inside download.php
I'm taking my words back...it doesn't send the full path to the browser, it reads the file, then sends the data to the browser...
-
Based on your suggestion a while ago, I had changed the download.php like this:
I just found which code does this - in download.php:
$remote_url = 0;
if (!empty($image_row['image_download_url'])) {
  if (is_remote_file($image_row['image_download_url']) || is_local_file($image_row['image_download_url'])) {
    ereg("(.+)\.(.+)", basename($image_row['image_download_url']), $regs);
    $file_name = $regs[1];
    $file_extension = $regs[2];
    $file['file_name'] = $file_name.(($size) ? "_".$size : "").".".$file_extension;
    $file['file_path'] = dirname($image_row['image_download_url'])."/".$file['file_name'];
  }
  else {
    $file['file_path'] = $image_row['image_download_url'];
    $remote_url = 1;
  }
}
if this code is changed to this:
$remote_url = 0;
if (!empty($image_row['image_download_url'])) {
  $file['file_path'] = $image_row['image_download_url'];
  $remote_url = 1;
}
then the 4images script won't download the file, it will just throw the link to the user, but....it might not work properly, because the link will work as "open" not "save as".
I was having problems downloading files larger than 25MB using the original download.php. Making these changes now lets me serve videos as big as I want. The link to the post describing the problem:
http://4homepages.de/forum/viewtopic.php?p=15620&highlight=#15620
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]
So if I use this, the only thing that it's going to affect is the server play, right? I don't want the videos to be played on the page but just be available for download. As long as someone can't access the files directly from a download URL, I should be ok.
-
# Disable image hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.*/.*$ [NC]
RewriteRule [^/]+.(gif|avi|mpg|jpg|png)$ http://www.domain.com/No_Access.gif [R,L]
So if I use this, the only thing that it's going to affect is the server play, right? I don't want the videos to be played on the page but just be available for download. As long as someone can't access the files directly from a download URL, I should be ok.
No. That code is meant to stop other web sites from linking to your media files. That's called hot linking. In other words, displaying your pictures on their web pages and using your server's bandwidth for their site.
-
Same Premiere encoding of a standard Mpeg1 with all my files.
One file that is under a Mb plays fine:
http://www.baconzoo.com/HV/details.php?image_id=1
Other files greater in size (2-3 Mb) won't play:
http://www.baconzoo.com/HV/details.php?image_id=18
Direct linking doesn't work for playback, but a download works.
Any clue?
Will the download.php mod work? or do I need to stay under a size range?
PS This site is under construction...