Hide MP3 full url

Question

I have a music player that links to a song using the following syntax:

Answer 1

If you are using amazon s3 service you can use signed url for your files. It will be more safe as you have to be signed user and also url can be expired. Read this.

Answer 2

Ok, so I did a combination of things that I am satisfied with...although not completely secure, it definitely helped me obscure it quite a bit.

First of all, I am using the AudioJS player to play music - which can be found: http://kolber.github.com/audiojs/

Basically what I did was:

1. Instead of using "data-src" as the path to my songs I called it "key", that way people wouldn't necessarily think it was a path.
2. Instead of using "my-song-title" as the name of the songs, I changed it to a number like 7364920, that way people couldn't look for that in the source and find the url that way.
3. I added + "mp3" to the javascript code after all of the "key" variables, that way I would not have to declare it in obfusticated link.
4. I used a relative path like "./8273019283/" instead of "your-domain.com/8273019283/", that way it would be harder to tell that I was displaying a url.
5. Added an iTunes link to the href, that way people might get confused as to how I was pulling the file.

So, now my inline javascript looks like:

<script type="text/javascript">
        $(function() {
            // Play entire album
            var a = audiojs.createAll({
                trackEnded: function() {
                    var next = $("ul li.playing").next();
                    if (!next.length) next = $("ul li").first();
                    next.addClass("playing").siblings().removeClass("playing");
                    audio.load($("a", next).attr("key") + "mp3");
                    audio.play();
                }
            });
            // Load the first song
            var audio = a[0];
            first = $("ul a").attr("key") + "mp3";
            $("ul li").first().addClass("playing");
            audio.load(first);
            // Load when clicked
            $("ul li").click(function(e) {
                e.preventDefault();
                $(this).addClass("playing").siblings().removeClass("playing");
                audio.load($('a', this).attr('key') + "mp3");
                audio.play();
            });
        });
    </script>

My link looks like:

<a href="<?php $link = 'http://itunes.apple.com/us/album/falling/id504779876?i=504779883&uo=4'; $obfuscatedLink = ""; for ($i=0; $i<strlen($link); $i++){ $obfuscatedLink .= "&#" . ord($link[$i]) . ";"; } echo $obfuscatedLink; ?>" target="itunes_store" key="<?php $link = './8249795872/9273847591.'; $obfuscatedLink = ""; for ($i=0; $i<strlen($link); $i++){ $obfuscatedLink .= "&#" . ord($link[$i]) . ";"; } echo $obfuscatedLink; ?>">Falling</a>

When you load it up in the browser and you view the source you'll see:

<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#105;&#116;&#117;&#110;&#101;&#115;&#46;&#97;&#112;&#112;&#108;&#101;&#46;&#99;&#111;&#109;&#47;&#117;&#115;&#47;&#97;&#108;&#98;&#117;&#109;&#47;&#102;&#97;&#108;&#108;&#105;&#110;&#103;&#47;&#105;&#100;&#53;&#48;&#52;&#55;&#55;&#57;&#56;&#55;&#54;&#63;&#105;&#61;&#53;&#48;&#52;&#55;&#55;&#57;&#56;&#56;&#51;&#38;&#117;&#111;&#61;&#52;" target="itunes_store" key="&#46;&#47;&#56;&#50;&#52;&#57;&#55;&#57;&#53;&#56;&#55;&#50;&#47;&#57;&#50;&#55;&#51;&#56;&#52;&#55;&#53;&#57;&#49;&#46;">Falling</a>

Then when you use Web Inspector or Firebug you'll see:

<a href="http://itunes.apple.com/us/album/falling/id504779876?i=504779883&amp;uo=4" target="itunes_store" key="./8249795872/9273847591.">Falling</a> - *which doesn't completely give the url away

Basically what I did was make the link look like it's an api-key of some-kind. The cool thing is that you can't just copy the link straight from view source or straight from Web Inspector/Firebug. It's not fool-proof, and can definitely be broken, but the user would have to know what they're doing. It keeps most people away, yet still allows the player to get the url it needs to play the song :)

*also, I got the php obfusticate script from somewhere on Stack Exchange, just not sure where.

Answer 3

No. This is not possible since it is the browser that interprets the HTML to make the page work properly. So if the client (browser) does not know where the mp3 is coming from then it will not be there to use.

On the other hand if you want to have the music switch songs by clicking a link then i suggest you look into some tools like http://jplayer.org/

EDIT: The only way to probably prevent direct access to the file itself would be to read the file in instead of linking to it from the script. For instance on my image hosting site http://www.tinyuploads.com/images/CVN5Qm.jpg and if you were to look at the actual file path on my server, the file CVN5Qm.jpg is out of view from the public_html folder. There is no way to directly access the file. I use databases to take the image id, look up where it is stored, and then readfile() it into the script and display the proper headers to output the image.

Hope this helps

Answer 4

Instead of doing a header redirect, add proper headers and include the audio file in your PHP code. Then, in your .htaccess file, you can disallow access to the directory where your audio files live.

Answer 5

I use http_referer and I can controll the procedence of the link

<?php
// key.php
// call with: http://yoururl.com/path/key.php?id=1
$page_refer=$_SERVER['HTTP_REFERER'];


if ($page_refer=="http://www.yourdomine.com/path/page.html")
    {
    $id = (isset($_GET["id"])) ? strval($_GET["id"]) : "1";
    // lookup
    $url[1] = 'link1.mp3';
    $url[2] = 'link2.mp3';
    header("Location: $url[$id]");
    exit;
    }
else
    {
    exit;
    }
?>