PHP - Security Practices

I had a general question about security in PHP.

Suppose I have a value submitted from a form called $form that would go to the database. What functions would be good to clean it before it goes to the database? Suppose I want to display the $form variable in the browser; what would I use to display it to prevent JavaScript or HTML injection, other than strip_tags? On another note, what security practices should I follow when dealing with sessions?

Similar Tutorials

This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=351660.0

Hi, I am developing a large management/CRM system for my company. I would like to hear your thoughts on what is the best way to organise functions and files. I know of a few ways:

1. Having all your PHP at the start of each page, which fetches all the data from the DB and then echoes it out into the right places in that page, e.g. fetching a list of options, then later echoing out the option data into a 'select' tag, creating a dynamic list.

2. Have the majority of the PHP completely separate from the page in a separate file, and INCLUDE that at the start of your HTML page.

3. Have many separate PHP files that do different bits for that page, e.g. one PHP file is for fetching a list of sales contacts, another for fetching enquiry numbers etc., and have it all injected into the correct containers on your page using jQuery and AJAX, which lets you have dynamic updates if you stick them in a setInterval loop.

4. This is the one I most fancy. You have one PHP file that has several 'modes'. Now when you call it in an AJAX statement, you pass a mode variable to it which is the condition for one of the IFs in your PHP file. So if I wanted to fetch an up-to-date contact list every x seconds, I would also pass a variable like 'FETCH_CONTACTS', i.e.:

$.post('record-control.php', {targetCustomer: thidId, mode: 'FETCH_CONTACTS'}, function (data) { $('#targetDiv').html(data); });

Which way would you prefer if it was you?

I'm developing a REST API for a website.
As far as I know, the rules for RESTfulness are sort of broad. I'm just wondering if there are any good resources with tighter guidelines for developing a good, usable API. What are the common practices etc.? Some of the things I'm unclear on: Should it use GET and POST, or just one of them? From what I've read about HTTP, GET is a "safe method" and shouldn't allow data to be changed on the server. Should we use GET to retrieve data off the server, and POST to save data to the server? Or is it common practice to use POST for getting and storing data? Should we utilize the HTTP status codes? Should the HTTP status change when things go wrong? Should it be 400 if something doesn't work properly? Or 404 if the method doesn't exist? If the request is successful, and there's no data to return, should it be 204 No Data or 200 with JSON/XML that shows it was successful?

Hi guys, I am using DOMDocument for parsing XML, and I am concerned about the performance impact of using DOMDocument. What are the best practices to reduce the performance impact of using DOMDocument? Please share your ideas. Thanks

I want to add a search feature to my site so that users can search for videos. Let's say that a user conducts a search and I GET their search query:

$squery = isset($_GET['query']) ? $_GET['query'] : '';

Now what should I do? What are the best practices to ensure the security of my database and to provide the most relevant results to the user? Here's what I've got so far.

// Make sure a search query was entered.
if ($squery == '') {
    echo "<p>You didn't enter a search query.</p>";
    exit; // stop here instead of running the query with an empty string
}

// Strip HTML tags.
$squery = strip_tags($squery);

// Trim white space.
$squery = trim($squery);

// Set minimum query length.
$min_length = 3;

// Make sure query length is more than minimum.
if (strlen($squery) < $min_length) {
    echo "<p>The search query you entered is too short. The minimum number of characters is " . $min_length . ".</p>";
    exit;
}

// Connect to MySQL.
// Select database.

// Escape search query. Note that % and _ are not escaped and still act as LIKE wildcards.
$squery = mysql_real_escape_string($squery);

// Break query into keywords.
$keywords = explode(' ', $squery);

// Count number of keywords.
$no_of_keywords = count($keywords);

// If just one keyword, then build statement.
if ($no_of_keywords == 1) {
    $sql = "SELECT whatever FROM `video_table` WHERE (col1 LIKE '%$squery%' OR col2 LIKE '%$squery%')";
}
// If multiple keywords, then build statement.
else {
    $sql = "SELECT whatever FROM `video_table` WHERE ";
    for ($i = 0; $i < $no_of_keywords; $i++) {
        $sql .= "(col1 LIKE '%{$keywords[$i]}%' OR col2 LIKE '%{$keywords[$i]}%')";
        if ($i < $no_of_keywords - 1) { // no trailing OR after the last keyword
            $sql .= " OR ";
        }
    }
}

// Run mysql query.
$raw_results = mysql_query($sql, $con);

// Put all result rows into an array for later use.
$results = array();
while ($row = mysql_fetch_array($raw_results)) {
    $results[] = $row;
}

Can this code's security be improved? How can it be altered to provide more relevant results? Should I omit words such as "to" and "the" from the query? If so, how do I do it? Should I remove punctuation? As always, I appreciate your help. You guys have taught me LOADS!

Edited by Fluoresce, 06 November 2014 - 05:21 PM.

To execute code on successfully submitting text input, is this "bare minimum" code secure enough?
if(!empty($_POST["textfield_input"])) { ...or is it best to make sure all 4 of these are confirmed:
if (
The html portion is simply: I've searched on the net about this several times, and see different answers, and it looks like each PHP expert has their favorite.... but I would rather know the "best practices" answer to this. Thank you!!
Edited November 5, 2019 by StevenOliver

Scenario: My page generates several PHP variables. Some of those variables get posted to another page. Question: If a variable is to be assigned to a Session, is there any reason to assign this value to a regular PHP variable? Example: When an API generates a "shipping label tracking number", which is better, "A" or "B" or subtle variation "C":
A.) ... and then use $_SESSION["trackingNumber"] throughout the rest of my script (like this: echo "Hello, here's your tracking number: ".$_SESSION["trackingNumber"]).
B.) ... and then use "$trackingNumber" throughout the rest of my script (like this: echo "Hello, here's your tracking number: ".$trackingNumber).
C.) ... and then use "$trackingNumber" throughout the rest of my script (like this: echo "Hello, here's your tracking number: ".$trackingNumber). Thank you! I've always wondered about this. Which is best?
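The opening post asks what to do with a form value before it reaches the database, how to display it without HTML or JavaScript injection, and how to handle sessions; the post above asks whether such values belong in $_SESSION. The script below is an added example, not code from any post on this page, that puts the three answers a practitioner would give into one file: a prepared statement for storage, context-specific escaping for output, and a hardened session. It assumes PDO with an SQLite in-memory database (the DSN and the `comments` table are placeholders) and uses a constructed string in place of the real $_POST['form'].

```php
<?php
// Added example (not from any post on this page): one form field handled end to end.
// Assumes PDO with an in-memory SQLite database (placeholder DSN) and a
// constructed input standing in for $_POST['form'].
declare(strict_types=1);

// 1. Session hardening, done before session_start().
function start_secure_session(): void
{
    // HttpOnly keeps JavaScript from reading the session cookie, Secure restricts
    // it to HTTPS, SameSite=Lax blocks most cross-site submissions of it.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();

    // Rotate the ID on first use and every 30 minutes (and again right after a
    // successful login) so a fixated or leaked ID stops being useful.
    if (!isset($_SESSION['created']) || time() - $_SESSION['created'] > 1800) {
        session_regenerate_id(true);
        $_SESSION['created'] = time();
    }
}

// 2. Validation: decide what the field may contain instead of trying to "clean"
//    it into something else. Here: 1..500 characters, no control characters.
function validate_comment(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 500) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value)) {
        return null;
    }
    return $value;
}

// 3. Storage: a prepared statement keeps the value as data, so no escaping is
//    needed for the database and nothing is altered on the way in.
function store_comment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// 4. Output: escape for the context the value is printed into. htmlspecialchars()
//    covers HTML body and attribute context; strip_tags() is not an escaper.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

start_secure_session();

$db = new PDO('sqlite::memory:'); // placeholder DSN; in-memory so the example runs stand-alone
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: the script tag is stored unchanged and neutralised only at output.
$raw = $_POST['form'] ?? 'Hello <script>alert(1)</script> & goodbye';
$comment = validate_comment($raw);
if ($comment === null) {
    http_response_code(400);
    exit('Invalid input.');
}
store_comment($db, $comment);

foreach ($db->query('SELECT body FROM comments') as $row) {
    echo '<p>' . html($row['body']) . "</p>\n";
}
```

validate_comment() rejects what the field must not contain rather than rewriting it; the stored value is exactly what the user sent, and htmlspecialchars() at output time is what stops script injection. A value placed into a JavaScript string or a URL needs a different escaper (json_encode(), rawurlencode()), which is why escaping belongs at the point of output, not before storage.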
Hello all. I'm looking to build a website in PHP that will be large in scope and I'm looking for some direction as to how to go about coding it. What I'm referring to exactly is the programming model. I'm new to the language, but not to programming, and I've read up on it and familiarized myself with the syntax over the past few days. Normally when I go about building a project I like to plan ahead how I'm going to build it so I don't run into tedious issues later on, and this is what I need help with.
My concerns:
I am looking to use the alternative syntax for control structures as to make the php code inside my html readable and easier to manage but in terms of OOP when is it best for me to use classes vs functions?
I am leaning towards using both classes and functions: classes to handle polling data, sanitizing it and storing it, while the functions will be used, with the alternative syntax, to display the data.
How should I go about properly setting my project assuming I will have many concurrent users using the website at once?
Is using xml / INI files as a directory to look up information a good practice? Is it better to declare constant variables instead?
When working with multiple includes, is there an easier way to include a file than having to explicitly write "dirname( dirname(__FILE__) )" every time?
I'm essentially looking for guidance / tips as to good programming practices with this language. Advanced practices are welcomed as well.
Development Tools:
XAMPP ( Windows 7 Pro )
PHPStorm
Current directory structure plan:
Here is what I currently have:
The API class is a collection of functions that returns an object to be used at a later date.

<?php
/*
 * Development API Key
 * @since 1.0
 *
 * Rate Limit(s):
 * 10 request(s) every 10 second(s)
 * 500 request(s) every 10 minute(s)
 */
define("__API_KEY__", "---------------------------------");

require_once dirname(dirname(__FILE__)) . "/settings.php";

class RiotAPI {

    // If successful it returns the decoded object from the url that's passed to this function.
    private function api_call($url) {
        $result = null; // end result

        // Create a new curl handle.
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://" . $url . "?api_key=" . __API_KEY__); // set the URL
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the transfer as a string of the return value
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // keep certificate verification on; with it off the key goes to whoever answers for the host

        // Execute the api call
        $response = curl_exec($ch);

        // Get info to analyze the result
        $ci = curl_getinfo($ch);
        $httpcode = $ci["http_code"];

        // If a curl error occurred
        if (curl_errno($ch) || ($httpcode != 200)) {
            $die  = "Curl Error Code: " . $httpcode . "<br/>";
            $die .= "Curl Error Message: " . curl_error($ch) . "<br/>";
            $die .= "Curl URL: " . $url . "<br/>"; // not $ci["url"], which carries the api_key query string
            die($die);
        }
        curl_close($ch);

        // Check if the api call we made was valid
        $response = json_decode($response, true);

        // If our response is an array check if it's an error response
        if (is_array($response)) {
            $error_key = "status";
            if (array_key_exists($error_key, $response)) {
                $er = $response[$error_key];
                $die  = "API Error Message: " . $er["message"] . "<br/>";
                $die .= "API Error Code: " . $er["status_code"] . "<br/>";
                die($die);
            }
        }

        // Our response is a valid object
        $result = $response;
        return $result;
    }

    private function sanitize_url($url) {
        // removes all whitespaces
        return trim(preg_replace('/\s+/', '', $url));
    }

    private function regional_endpoints() {
        static $regionini;
        if (is_null($regionini)) $regionini = parse_ini_file(INI_REGIONAL_ENDPOINTS, true);
        return $regionini;
    }

    private function region_host($shortcode) {
        /*
         * regionalendpoints.ini
         * @since 1.0
         *
         * [SHORTCODE]
         * Description=<region_description>
         * Host=<host_url>
         */
        return $this->regional_endpoints()[strtoupper($shortcode)]["Host"];
    }

    public function region_description($shortcode) {
        // Same regionalendpoints.ini layout as in region_host().
        return $this->regional_endpoints()[strtoupper($shortcode)]["Description"];
    }

    public function api_summoner_by_name($name, $region) {
        /*
         * @Description: Get summoner objects mapped by standardized summoner name for a given list of summoner names.
         *
         * @Returns: Map[string, SummonerDto]
         *
         * Object
         * -------------------------------------------------------------------------------
         * Name            Data Type   Description
         * -------------------------------------------------------------------------------
         * id              long        ID.
         * name            string      Name.
         * profileIconId   int         ID of the summoner icon associated with the summoner.
         * revisionDate    long        Date summoner was last modified specified as epoch milliseconds.
         * Level           long        Level associated with the summoner.
         */
        $api_url = "%s/api/col/%s/v1.4/obj/by-name/%s";
        // The name is user input going into a URL path, so it is percent-encoded as well.
        return $this->api_call(sprintf($api_url, $this->region_host($region), strtolower($region), rawurlencode($this->sanitize_url($name))));
    }
}

Class that acts as the middle man between the API and the front end. Currently, how it is set up, it handles an internal queue.

<?php
include dirname(__FILE__) . "/class-riotapi.php";

define("SUMMONER_NAME", 0);
define("SUMMONER_ID", 1);

class Summoner {

    private $riotapi = null;
    private $summoner = null;
    private $arr_summoners = null;
    private $region = null;

    public function __construct() {
        // Create our riot api object
        $this->riotapi = new RiotAPI();
    }

    public function summoner_exists($summoners, $region, $type = SUMMONER_NAME) {
        static $eoa; // end of array

        // If our array of summoners is empty or we have reached the end of the array.
        if (empty($this->arr_summoners) || $eoa) {
            // Get an array of summoner information from the riot api based on the type of information supplied.
            switch ($type) {
                case SUMMONER_NAME:
                    $this->arr_summoners = $this->riotapi->api_summoner_by_name($summoners, $this->region = $region);
                    break;
                case SUMMONER_ID:
                    // api_summoner_by_id() is not part of the API class shown above.
                    $this->arr_summoners = $this->riotapi->api_summoner_by_id($summoners, $this->region = $region);
                    break;
            }

            // If our array of summoners isn't empty.
            if (!empty($this->arr_summoners)) {
                // Set our current summoner to the first element in the array.
                $this->summoner = reset($this->arr_summoners);
            } else {
                // We failed to acquire any summoner information so return false.
                return false;
            }
            $eoa = false;
        } else {
            // If we have not reached the end of the summoners array set our current summoner to the next element.
            $next = next($this->arr_summoners);

            // Have we reached the end of the array?
            if ($next) {
                // No. Set our current summoner to the next element.
                $this->summoner = $next;
            } else {
                // Yes. Set our end of array variable to true.
                $eoa = true;
                // End the loop
                return false;
            }
        }
        return true;
    }

    public function summoner_id() {
        return $this->summoner["id"];
    }

    public function summoner_name() {
        return $this->summoner["name"];
    }

    public function summoner_profile_icon_id() {
        return $this->summoner["profileIconId"];
    }

    public function summoner_last_updated() {
        return $this->summoner["revisionDate"];
    }

    public function summoner_level() {
        return $this->summoner["summonerLevel"];
    }

    public function summoner_mastery_pages() {
        // api_summoner_masteries() is not part of the API class shown above.
        return $this->riotapi->api_summoner_masteries($this->summoner_id(), $this->region)[$this->summoner_id()]["pages"];
    }
}

functions.php file that is a collection of functions that echo out information.

<?php
require_once "settings.php";
include DIR_INCLUDE . "class-summoner.php";

function summoner_exists($summoners, $region = "NA", $type = SUMMONER_NAME) {
    global $cs;
    if (!isset($cs)) {
        $cs = new Summoner();
    }
    return $cs->summoner_exists($summoners, $region, $type);
}

function summoner_name() {
    global $cs;
    if (isset($cs)) {
        // The name comes from the API, so it is escaped before being echoed into the HTML.
        echo htmlspecialchars($cs->summoner_name(), ENT_QUOTES, 'UTF-8');
    }
}

// summoner_id(), summoner_profile_icon_id(), summoner_last_updated(), summoner_level()
// and mastery_pages() follow the same pattern.
?>

index.php - Example of how I'm currently using the functions.php file.

<?php include "functions.php"; ?>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<?php while (summoner_exists("cyllo")) : ?>
    <div>Summoner Name: <?php summoner_name(); ?></div>
    <div>Summoner ID: <?php summoner_id(); ?></div>
    <div>Summoner Profile icon ID: <?php summoner_profile_icon_id(); ?></div>
    <div>Last Updated: <?php summoner_last_updated(); ?></div>
    <div>Summoner Level: <?php summoner_level(); ?></div>
    <div><?php mastery_pages(); ?></div>
<?php endwhile; ?>
</body>
</html>

I have just made a couple of forms that submit data to a MySQL database. I was wondering what measures I need to take in order to keep the whole thing very secure. At the moment I have stripped the inputs of tags and forward slashes. Is there anything else I should do? Also, some fields in the form allow the user to enter a URL. With these fields I have not stripped them of forward slashes.
Is this a bad idea? Should I do something like replace the forward slashes with something else and then reverse this process every time I extract that data from the database?

Hi PHP freaks, I am using PDO as the driver for my new app. The issue is I can't seem to find a clear answer. I want to sanitise the vars that are coming into the database, but PDO is supposed to fix all the issues. Is this true? What other things do I need to watch for when using PDO? They must have some flaws. Thanks

I have very little idea about website security. Yesterday for the first time I learned website hacking and applied that method to my web page. My webpage was completely down after applying that. Q) To free a site from hacking, what techniques are followed?

Besides "mysql_real_escape_string"ing all the user input, what other security strings should you definitely include in your site?

I want to create an ADMIN directory with several directories under that. I want to be certain that the user cannot log into any of the directories unless they have a confirmed login. Are $_SESSION ids the best way to go? Should I create one on the fly and attach it to the username? What is the best practice for this? Regards, DED

Hi everyone, I'm kinda new to PHP and have a couple of questions:

1: How secure is PHP, is it very hackable? Are there things you recommend to make it more secure?

2: I am building a little employee system for staff at a friend's company, and they can view personal information when they log in, as well as ordering stuff with online payment through WorldPay. What is therefore the best and most secure way of handling passwords, logins, data, insert statements etc.? I basically want to make it as secure as possible and hopefully learn some new skills. Any tips or help would be great. Thanks

Hi, I am currently working on an Invoice System using PHP and MySQL. However, I was just wondering if the system I am using is secure enough. The client gets a link like this:

Code: [Select]
mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52

Each client has a unique "id". I also have an ID for the administrative back-end. I do clean the GET variable before querying the database though. Do I need to secure this with anything else, or is this enough, as this is my first time creating anything with PHP and MySQL together? Thanks, mme

Hi there, I'm in serious need to find a way to block people from a website I code for. The thing is, we have a jailing system, nice and simple, and an IP/email ban system too. But with proxies, advertisers and repeated troublemakers keep coming back because we just get the new proxy IP each time, and it's a losing battle. What I need is a way to ban them properly from the site, like somehow stopping the computer they use from accessing the site. Someone once said you can use a cookie to stop a browser getting on the site, but I don't know how to set it up to give the cookies out upon login and find the one associated to an account we don't want (by "cookie" banning I guess?) and stop them from logging in.

I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP. My webpage uses HTML FORMS. When most of these forms get sent back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic rundown, I have a newsletter sign-up system. "Enter your e-mail address"... and then the user enters their e-mail and submits. PHP runs a MySQL query to insert that FORM value into the database along the lines of this:

Quote:
insert into newsletters (email) values ('.$POST['email'].')

I fear this is very vulnerable to injection attack, as it means a troublemaker can come along and enter anything they want into my database, potentially wiping it out. I believe I need to "sanitize" my input with a MySQL "real_escape_string" or something?
Is there anything really obvious I should look out for when it comes to PHP security? Is there a way to forbid all strings/arguments except the few I need or something perhaps?

Hi, I am looking to create a directory that cannot be accessed using .htaccess, and neither can the files directly. But I want to make it so that when you are signed into Joomla you can access the files via an mp3 player on the site. My mp3 extension is the JoomLine player jlplayer. And I heard that if I change the name of the file in Joomla from lovelove.com/audio/love/abc.mp3 to lovelove.com/audio/love/abc.php?name=abc, and then that abc.php script (inside the script it checks if you are logged in) will retrieve the file name, and the JoomLine player will play it, it will work. Is this possible? Also, if not, what can I do for this to work? Right now my script is not working, as the JoomLine player looks up all the mp3 files as one big string. This is the abc.php, which on my site is called psp.php:

<?php
define('_JEXEC', 1);
define('JPATH_BASE', realpath(dirname(__FILE__) . '/../../'));
require_once (JPATH_BASE . '/includes/defines.php');
require_once (JPATH_BASE . '/includes/framework.php');
$mainframe = JFactory::getApplication('site');

if (!empty($_GET['name'])) {
    // check if user is logged
    if (JFactory::getUser()->guest) {
        die("ERROR: invalid song or you don't have permissions to download it.");
    } else {
        // only letters, digits, _ and - survive, so the name cannot leave the audio folder
        $psp = preg_replace('#[^-\w]#', '', $_GET['name']);
        $psp_file = "{$_SERVER['DOCUMENT_ROOT']}/audio/live/{$psp}.mp3";
        if (file_exists($psp_file)) {
            header('Cache-Control: private'); // the file is login-gated, so shared caches must not keep it
            header('Content-Description: File Transfer');
            header("Content-Disposition: attachment; filename=\"{$psp}.mp3\""); // file name only, not the full server path
            header('Content-Type: audio/mpeg');
            header('Content-Transfer-Encoding: binary');
            readfile($psp_file);
            exit;
        }
    }
}
?>

Then I have the JoomLine player jlplayer:

<?php
/**
 * JoomLine mp3 player - Joomla mp3 player
 *
 * @version 1.5
 * @package JoomLine mp3 player
 * @author Anton Voynov (anton@joomline.ru), Sergii Gaievskiy (shturman.kh@gmail.com)
 * @copyright (C) 2010 by Anton Voynov(http://www.joomline.ru)
 * @license GNU/GPL: http://www.gnu.org/copyleft/gpl.html
 *
 * If you fork this to create your own project,
 * please make a reference to JoomLine someplace in your code
 * and provide a link to http://www.joomline.ru
 **/
defined('_JEXEC') or die('Restricted access');

function ascii2hex($ascii, $reverse = false) {
    $hex = array();
    for ($i = 0; $i < strlen($ascii); $i++) {
        $byte = strtoupper(dechex(ord($ascii[$i])));
        $byte = str_repeat('0', 2 - strlen($byte)) . $byte;
        $hex[] = $byte;
    }
    if ($reverse) $hex = array_reverse($hex);
    return implode(" ", $hex);
}

function read_frame(&$f, &$tagdata, $frame) {
    $pos = strpos($tagdata, $frame);
    if ($pos !== FALSE) {
        // frame found. read length of this frame
        fseek($f, 10 + $pos + 4);
        $frame2len = hexdec(ascii2hex(fread($f, 4)));
        if (($frame2len - 1) > 0) {
            // read frame data
            fseek($f, 10 + $pos + 4 + 2 + 4 + 1);
            $data = trim(fread($f, $frame2len - 1));
            $hexfdata = ascii2hex($data);
            if (substr($hexfdata, 0, 5) == 'FF FE' or substr($hexfdata, 0, 5) == 'FE FF') {
                $data = iconv("UCS-2", "UTF-8", $data);
            } else {
                if (!preg_match('//u', $data)) {
                    $data = iconv("cp1251", "UTF-8", $data);
                }
            }
            return $data;
        } else {
            return false;
        }
    } else {
        return false;
    }
}

function readmp3tag($file) {
    $f = fopen($file, 'rb');
    rewind($f);
    fseek($f, -128, SEEK_END);
    $tmp = fread($f, 128);
    if ($tmp[125] == Chr(0) and $tmp[126] != Chr(0)) {
        // ID3 v1.1
        $format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a28COMMENT/x1/C1TRACK/C1GENRENO';
    } else {
        // ID3 v1
        $format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a30COMMENT/C1GENRENO';
    }
    $id3v1tag = unpack($format, $tmp);

    // read tag length
    fseek($f, 8);
    $tmp = fread($f, 2);
    $tmp = ascii2hex($tmp);
    $taglen = hexdec($tmp);
    $tagdata = "";
    if ($taglen > 0) {
        //read tag data
        fseek($f, 10);
        $tagdata = fread($f, $taglen);
    }

    // find song title frame
    $title = read_frame($f, $tagdata, "TIT2");
    if (!$title) {
        if ($id3v1tag['TAG'] == 'TAG' && ascii2hex(substr($id3v1tag['NAME'], 0, 1)) != '00') {
            $title = $id3v1tag['NAME'];
        } else {
            $title = explode(DS, $file);
            $title = $title[count($title) - 1];
            $title = explode('.', $title);
            $title = $title[0];
        }
        if (!preg_match('//u', $title)) $title = iconv("cp1251", "UTF-8", $title);
    }
    $artist = read_frame($f, $tagdata, "TPE1");
    if (!$artist) {
        if ($id3v1tag['TAG'] == 'TAG' && ascii2hex(substr($id3v1tag['ARTISTS'], 0, 1)) != '00') {
            $artist = $id3v1tag['ARTISTS'];
        } else {
            $artist = "";
        }
    }
    if (!preg_match('//u', $artist)) $artist = iconv("cp1251", "UTF-8//TRANSLIT", $artist);
    fclose($f);
    $id3tag['NAME'] = $title;
    $id3tag['ARTIST'] = $artist;
    return $id3tag;
}

if (DS == "/") $dir = str_replace("\\", DS, $music_dir);
else $dir = str_replace("/", DS, $music_dir);
$dir = JPATH_ROOT . DS . $dir;
$playlist = array();
if (!is_dir($dir)) {
    echo "Wrong dir in settings";
} else {
    $files = glob($dir . DS . "*.{mp3,MP3}", GLOB_BRACE);
    if (count($files) > 0) {
        sort($files);
        $host = $base_uri;
        foreach ($files as $file) {
            $tags = readmp3tag($file);
            $file = explode(DS, $file);
            if ($server_utf8 == 1) {
                $fname = rawurlencode($file[count($file) - 1]);
            } else {
                $fname = rawurlencode($file[count($file) - 1]);
            }
            $fname = substr($fname, 0, -4);
            $file = $host . "/" . $music_dir . "/psp.php?name=" . $fname;
            echo $file;
            $artist = trim($tags['ARTIST']);
            $artist = $artist == "" ? "" : "{$tags['ARTIST']} - ";
            // json_encode() so a quote in a tag cannot break out of the JavaScript literal
            $playlist[] = json_encode(array('name' => $artist . $tags['NAME'], 'mp3' => $file));
        }
    }
    /*
     * //if(!window.jQuery) {
     * document.write(unescape('<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js">%3C/script%3E'));
     * document.write(unescape('<script type="text/javascript">jQuery.noConflict();%3C/script%3E'));
     * //}
     */
?>
<script type="text/javascript">
var myPlayList = [
<?php echo implode(",\n ", $playlist) . "\n"; ?>
];

Array.prototype.find = function (v) {
    for (i = 0; i < this.length; i++) {
        if (this[i] == v) return i;
    }
    return 0;
}

var plIndex = [];
for (i = 0; i < myPlayList.length; i++) {
    plIndex[i] = i;
}

<?php if ($shfl == 1) : ?>
//shuffle
function randOrd() {
    return (Math.round(Math.random()) - 0.5);
}
plIndex.sort(randOrd);
<?php endif; ?>

function setCookie(name, value) {
    document.cookie = name + "=" + escape(value) + "; expires=Thu, 01-Jan-2055 00:00:01 GMT; path=/";
}

function getCookie(name) {
    var cookie = " " + document.cookie;
    var search = " " + name + "=";
    var setStr = null;
    var offset = 0;
    var end = 0;
    if (cookie.length > 0) {
        offset = cookie.indexOf(search);
        if (offset != -1) {
            offset += search.length;
            end = cookie.indexOf(";", offset);
            if (end == -1) {
                end = cookie.length;
            }
            setStr = unescape(cookie.substring(offset, end));
        }
    }
    return (setStr);
}

function changeShflStatus(el) {
    nowPlay = plIndex[playItem];
    if (el.checked) {
        setCookie("jlp_shfl", "shuffle");
        plIndex.sort(randOrd);
    } else {
        setCookie("jlp_shfl", "notshuffle");
        plIndex.sort();
    }
    playItem = plIndex.find(nowPlay);
}
</script>
<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js"></script>
<script type="text/javascript">jQuery.noConflict();</script>
<link href="<?=$base_uri?>/modules/mod_jlplayer/skin/skin.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jquery.jplayer.min.js"></script>
<script type="text/javascript">
var playItem = 0;
jQuery(function () {
    var jpPlayTime = jQuery("#jplayer_play_time");
    var jpTotalTime = jQuery("#jplayer_total_time");
    var jlp_shfl = getCookie("jlp_shfl");
    if (jlp_shfl == "shuffle") {
        document.getElementById('jlp_shfl').checked = true;
    } else if (jlp_shfl == "notshuffle") {
        document.getElementById('jlp_shfl').checked = false;
    }
    jsuri = baseuri + "/modules/mod_jlplayer/js/";
    jQuery("#jquery_jplayer").jPlayer({
        ready: function () {
            displayPlayList();
            playListInit(enable_autoplay); // Parameter is a boolean for autoplay.
        },
        errorAlerts: true,
        warningAlerts: true,
        swfPath: jsuri
    })
    .jPlayer("onProgressChange", function (loadPercent, playedPercentRelative, playedPercentAbsolute, playedTime, totalTime) {
        jpPlayTime.text(jQuery.jPlayer.convertTime(playedTime));
        jpTotalTime.text(jQuery.jPlayer.convertTime(totalTime));
    })
    .jPlayer("onSoundComplete", function () {
        playListNext();
    });

    jQuery("#jplayer_previous").click(function () {
        playListPrev();
        return false;
    });
    jQuery("#jplayer_next").click(function () {
        playListNext();
        return false;
    });
});

function displayPlayList() {
    for (i = 0; i < myPlayList.length; i++) {
        jQuery("#jplayer_playlist").append("<div id='jplayer_playlist_item_" + i + "'>" + myPlayList[i].name + "</div>");
        jQuery("#jplayer_playlist_item_" + i).data("index", i).click(function () {
            var index = jQuery(this).data("index");
            if (plIndex[playItem] != index) {
                _index = plIndex.find(index);
                playListChange(_index, index);
            } else {
                jQuery("#jquery_jplayer").jPlayer("play");
            }
        });
    }
}

function playListInit(autoplay) {
    if (autoplay) {
        playListChange(0, plIndex[0]);
    } else {
        playListConfig(0, plIndex[0]);
    }
}

function playListConfig(_index, index) {
    jQuery("#jplayer_playlist_item_" + plIndex[playItem]).removeClass("jplayer_playlist_current");
    jQuery("#jplayer_playlist_item_" + index).addClass("jplayer_playlist_current");
    playItem = _index;
    jQuery("#jquery_jplayer").jPlayer("setFile", myPlayList[plIndex[playItem]].mp3);
}

function playListChange(_index, index) {
    playListConfig(_index, index);
    jQuery("#jquery_jplayer").jPlayer("play");
}

function playListNext() {
    var _index = (playItem + 1 < myPlayList.length) ? playItem + 1 : 0;
    var index = plIndex[_index];
    playListChange(_index, index);
}

function playListPrev() {
    var _index = (playItem - 1 >= 0) ? playItem - 1 : myPlayList.length - 1;
    var index = plIndex[_index];
    playListChange(_index, index);
}
</script>
<?php include_once(JPATH_ROOT . DS . 'modules/mod_jlplayer/skin/tpl.php'); ?>
<?php } ?>

I was messing around in there with $file:

if ($server_utf8 == 1) {
    $fname = rawurlencode($file[count($file) - 1]);
} else {
    $fname = rawurlencode($file[count($file) - 1]);
}
$fname = substr($fname, 0, -4);
$file = $host . "/" . $music_dir . "/psp.php?name=" . $fname;
echo $file;

I am unsure how to retrieve a file title only, without the whole path, just the name and not even the file extension. It comes up with all the file names in the echo. Also I am not sure how JoomLine chooses just one file. I am not a PHP designer and I am quite confused lol. Any help would be appreciated! Thank you.

Hey, so basically this is what I'm trying to do: I'm writing an mp3 store, and want the user to be able to play the whole track before purchase. Currently all the music files are in a protected folder with permissions set so access isn't possible. The mp3 player calls play.php?fid=encryptedfileid rather than the direct music link. This is all working perfectly. The bit I am now stuck on is stopping the users going to play.php?fid=encryptedfileid directly and downloading the mp3 directly.
How do I make it so the server can execute the play.php file, but the user cannot? I attempted to set a cookie in play.php and deny access if the cookie was present; however, the server also set the cookie, so this didn't work. See play.php code (in this example, fid is just the filename, but it will be more encrypted, calling to a special md5 hash, albumid and artistid).

<?php
// Define the path to file
if (!isset($_GET['fid'])) {
    // No file id supplied, output error
    die('file not specified');
}
// Keep the id to a plain file name so it cannot point outside the music folder
$filename = preg_replace('#[^-\w]#', '', $_GET['fid']);
$file = "music/$filename.mp3";

if (!file_exists($file)) {
    die('Error: File not found.');
} else {
    // Set headers
    header("Cache-Control: private");
    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=\"$filename.mp3\"");
    header("Content-Type: application/octet-stream");
    header("Content-Transfer-Encoding: binary");
    // Read the file from disk
    readfile($file);
}
?>

So to clarify, I need the server to access and execute this script with the mp3 player (simple JavaScript player) and the user not be able to visit play.php?fid=xxx directly to download. Thanks
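A server cannot tell the player's request from a URL typed into the address bar: both arrive from the same browser with the same cookies, which is why the cookie test described above fails. What the script can do is require a logged-in session and accept a short-lived, signed token instead of a bare file id, so a copied link stops working within minutes and the id can never name a file outside the music folder. The following is an added example, not the poster's play.php: the HMAC token scheme is a substitute technique of my own, and MUSIC_DIR, TOKEN_SECRET, the $_SESSION['user_id'] flag and the `t` parameter are placeholders.

```php
<?php
// Added example, not the poster's play.php: the same file-serving script with
// the two checks it is missing. MUSIC_DIR, TOKEN_SECRET, $_SESSION['user_id']
// and the 't' parameter are placeholders for this example.
declare(strict_types=1);

const MUSIC_DIR    = __DIR__ . '/music';                  // protected folder (placeholder)
const TOKEN_SECRET = 'replace-with-a-long-random-secret'; // placeholder; load from config, never commit
const TOKEN_TTL    = 300;                                 // seconds a token stays valid

// Issued by the page that renders the player: "fid|expiry|HMAC".
function make_play_token(string $fid, ?int $now = null): string
{
    $exp = ($now ?? time()) + TOKEN_TTL;
    $mac = hash_hmac('sha256', "$fid|$exp", TOKEN_SECRET);
    return "$fid|$exp|$mac";
}

// Returns the file id if the token is intact and unexpired, null otherwise.
function verify_play_token(string $token, ?int $now = null): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$fid, $exp, $mac] = $parts;
    if (!preg_match('/^\d+$/', $exp) || (int) $exp < ($now ?? time())) {
        return null;
    }
    $expected = hash_hmac('sha256', "$fid|$exp", TOKEN_SECRET);
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hash_equals($expected, $mac) ? $fid : null;
}

// Maps an id to a path inside MUSIC_DIR only; anything else is refused.
function resolve_music_path(string $fid): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fid)) {
        return null;
    }
    $real = realpath(MUSIC_DIR . '/' . $fid . '.mp3');
    $base = realpath(MUSIC_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function serve_track(string $path): void
{
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . (string) filesize($path));
    // "inline" rather than "attachment": the player streams it. This does not stop
    // a logged-in user saving the stream; nothing server-side can.
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Cache-Control: private, no-store');
    readfile($path);
}

session_start();

if (empty($_SESSION['user_id'])) {            // set at login elsewhere (assumed)
    http_response_code(403);
    exit('Login required.');
}
$fid  = verify_play_token((string) ($_GET['t'] ?? ''));
$path = $fid !== null ? resolve_music_path($fid) : null;
if ($path === null) {
    http_response_code(404);                  // same answer for bad token and missing file
    exit('Not found.');
}
serve_track($path);
```

The page that renders the player embeds play.php?t=<?= urlencode(make_play_token($fid)) ?> for each track, so the token is minted only for someone who could already load that page. Expired or tampered tokens and unknown ids all get the same 404, which keeps the response from revealing which of the checks failed.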