Prevent direct access to php file

[feha]

Please check the cURL functions and you can see what these can do ....
You can "forge" referrer , you can set any USER_AGENT you want.
You can parse the whole page and get caller to generate token for you and play the file remotely or even download.
As cURL can be set to accept sessions and cookies.
You will never know if it was user or not.
However there would be problem for cURL if caller.php is hidden in flash movie.
But crackers could decrypt the source code of flash movie and find the link, alter a bit parsed HTML site and call "caller.php" simply with an image this would trigger a session cookie.

Even YouTube can not protect their videos ...

regards
feha

[kgun]

Late answer. cURL is an excellent language.

1. Scroll down to the heading cURL: http://www.kjellbleivik.com/Books/
2. Related WPW thread: http://www.webproworld.com/search-en...tml#post488186
3. See the first post for book references.

[feha]

@kgun
Hi
It is never "too late" :-)

[Dave Morton]

This discussion brings to mind something my Father used to tell me...

"Locks are only meant to keep honest folks out."

That said, my thoughts are this:

1.) Don't pass the name of the song to get.php. Pass a unique reference to it, instead. This will make it a bit harder for the evil ones to understand what the link represents. You could even go so far as adding a spurious key/value pair to the URI that's completely irrelevant and not used, such as:
path/to/get.php?song=no_cheating.mp3&ui={the song's unique identifier}&h={your hash}&t={your timestamp}

2.) The notion of using a shared key/hash/timestamp is a good one. I think that these two methods are sufficient to prevent 99.5% of all improper usage.