Protecting the mp3 file path in a Flash player

Posted 2025-01-03 15:44:47 · 158 words · 3 views · 0 comments

I have a Flash player on my web site for playing mp3 files. But if someone uses "view source" or any browser tool such as Firebug, then they can find the parameter and then sort out the actual mp3 file URL. I am using PHP in my back end. There should be some way to hide these parameters, but I couldn't figure out how.

Any ideas?

Comments (1)

七颜 2025-01-10 15:44:47

Preface: If you show it on the web you can steal it. Period.

That said, you can make it a lot harder by masking the URL of the file by passing it through a php script that does two things:

1) Translates an encrypted GET parameter which can be validated AND can be used only once (store the variable in a database or log). This code will be created when the player is loaded, and once it's started buffering the file cannot be used again. This way the parameter cannot just be a random string (it has to be decryptable) and the user cannot just use the same URL.

The php in the html page the user would receive would look something like:

```php
// NOTE: the mcrypt_* functions need the mcrypt extension, which was removed from PHP core in 7.2
$key = 'My EnCyption Key';
// the time element changes the string each time and the IP address controls for multiple users simultaneously loading the same page
$unique_string = "Generated at ".time().$_SERVER['REMOTE_ADDR'];
$tolken = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $unique_string, MCRYPT_MODE_CBC, md5(md5($key))));
```

and then the Flash player would be set to use the mp3 file:

http://yoursite.com/mp3/file_fetcher.php?file_id=123&tolken=<?php echo urlencode($tolken);?>

The file file_fetcher.php would have something like this (obviously this requires some fleshing out):

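```php
$key = 'My EnCyption Key'; // must match the key used when the tolken was created
$fixed_string_part = "Generated at ";
if (!isset($_GET['tolken'], $_GET['file_id'])) {
    die("Your tolken is invalid");
}
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($_GET['tolken']), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
if (substr($decrypted,0,strlen($fixed_string_part))!=$fixed_string_part){
   die("Your tolken is invalid");
}
//check that the tolken hasn't been used before:
// $connection is the link identifier returned by your own mysql_connect() call
// (the mysql_* functions were removed in PHP 7; the same logic applies with mysqli or PDO)
$safe_tolken = mysql_real_escape_string($decrypted, $connection); // decrypted data is still user-influenced input
$check_query = mysql_query("select * from `mp3_tolken_log` where `tolken`='$safe_tolken';", $connection);
if (mysql_num_rows($check_query)){
    die("You've already used that tolken!");
} else {
   $log_it = mysql_query("insert into `mp3_tolken_log` (`tolken`,`dateadded`) VALUES ('$safe_tolken',NOW())", $connection); //make sure it's in there so it can't be used again
}

//now get the file if we haven't already died
$file_id = (int) $_GET['file_id']; // force a number so the id cannot carry path characters
$contents = file_get_contents("/path/to/mp3/" . $file_id . ".mp3"); // placeholder path: map the id to wherever your files live
header('Content-Type: audio/mpeg');
echo $contents;
```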

2) Check that the referring site is your own site (rather than them trying to access the script directly). Something like:

```php
if (!isset($_SERVER['HTTP_REFERER'])){die("Restricted Access!");};
$_u=parse_url($_SERVER['HTTP_REFERER']);
if (!isset($_u['host'])){die("Restricted Access!");}; // malformed Referer with no host part
$_u=preg_replace("/^www\./i","",strtolower($_u['host'])); // strip only a leading "www."
$_i=$_SERVER['HTTP_HOST'];
$_i=preg_replace("/^www\./i","",strtolower($_i));
($_u == $_i) or die("Restricted Access!");
```

Of course this information can be faked, but between it and the single-access pass you shouldn't have to worry about direct downloads. That said, remember that there are a million ways to get the file from the stream, and there's just no way to stop that.
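The single-use pass described in the answer can also be built as a signed, expiring token. The following is an added example, not code from the answer or its author: it swaps the mcrypt encryption for an HMAC-SHA256 signature, binds the token to one file id, and lets a database primary key enforce one-time use. The function names, the `used_tokens` table, the secret value and the in-memory SQLite database (requires `pdo_sqlite`) are all assumptions made for the demo.

```php
<?php
// Added example: signed, expiring, single-use token (not the answer's code).
// $secret, the `used_tokens` table and all function names are assumptions.

function issue_token(string $secret, int $file_id, int $ttl = 60): string {
    $nonce   = bin2hex(random_bytes(16));            // unique per page load
    $payload = $file_id . '.' . (time() + $ttl) . '.' . $nonce;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function redeem_token(PDO $db, string $secret, int $file_id, string $token): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 4) return false;
    [$id, $expires, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$id.$expires.$nonce", $secret);
    if (!hash_equals($expected, $mac)) return false;  // forged or altered token
    if ((int) $id !== $file_id) return false;         // token is bound to one file
    if ((int) $expires < time()) return false;        // expired
    // Single use: the PRIMARY KEY makes the insert fail atomically on replay,
    // so there is no gap between "check" and "log". Any database error
    // also rejects the request (fail closed).
    try {
        $stmt = $db->prepare('INSERT INTO used_tokens (nonce, used_at) VALUES (?, ?)');
        $stmt->execute([$nonce, time()]);
    } catch (PDOException $e) {
        return false;
    }
    return true;
}

// Constructed demo using an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE used_tokens (nonce TEXT PRIMARY KEY, used_at INTEGER)');
$secret = 'replace-with-a-long-random-secret';        // placeholder value

$token = issue_token($secret, 123);
var_dump(redeem_token($db, $secret, 123, $token));        // first use
var_dump(redeem_token($db, $secret, 123, $token));        // replay of the same token
var_dump(redeem_token($db, $secret, 124, $token));        // token presented for another file
var_dump(redeem_token($db, $secret, 123, $token . 'x'));  // tampered signature
```

Because the token consists only of digits, hex characters and dots, it can be placed in the query string without further encoding.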
