0

I am currently working on a project that uploads audio and video files. I have no problem with the upload part. My challenge now is how to prevent streaming of the MP3 files. The files are uploaded to a folder and the path to the file is stored in MySQL DB. Below is my download code.

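```php
<?php
include "db.php";

// Default to every category when no ?categ= parameter is supplied.
$categ = isset($_GET['categ']) ? $_GET['categ'] : "all";

if ($categ == "all") {
    $q = "select * from upload_data";
} else {
    // $categ is placed into the SQL string unescaped (see the comments below).
    $q = "select * from upload_data where CATEGORY='$categ'";
}

$result = mysql_query($q);
while ($rs = mysql_fetch_array($result)) {
    // One table row per file; the Download link points straight at the stored path.
    echo "
    <tr>
    <td width='1%'>".$rs['FILE_ID']."</td>
    <td width='20%'>".$rs['FILE_NAME']."
    <br/>".$rs['FILE_SIZE']." KB
    <br/><a href='".$rs['PATH']."'><button class='btn btn-primary'>Download<i class='icon-download-alt icon-white'></i></button></a></td>
    </tr>";
}
?>
```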

Any help will be greatly appreciated.

  • Can MP3's be included as a link in `<a>` tags to make them downloadable, similar to files? – Lewis Mar 14 '16 at 16:10
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 14 '16 at 16:12
  • @Lewis — They are files. – Quentin Mar 14 '16 at 16:12
  • My bad, I meant similar to PDFs and .DOCs rather than files as a whole. I know MP3 is considered multimedia and as such, the browser tries to stream rather than download - @OnwuBishopGideon anyways, they describe a method of how to do it here http://w3schools.invisionzone.com/index.php?showtopic=27872 – Lewis Mar 14 '16 at 16:13
  • 1
    What @Quentin said. If you accept any user-supplied data and assemble a string that is used in a SQL query, your database **will** be hacked: all data retrieved, deleted or changed. – BryanH Mar 14 '16 at 16:14
  • Set header `Content-Disposition: attachment; filename="filename.mp3"`. You can add attribute `download` on your `<a>` too. Also, as others pointed out - get rid of that awful SQL injection you've got there. – Przemek Mar 14 '16 at 16:24
  • Thanks everyone for your observations so far. I have tried using content-disposition but it downloads the page instead. – Onwu Bishop Gideon Mar 15 '16 at 10:39
  • @OnwuBishopGideon: You need to set it in document residing in `$rs['PATH']`, not the above code. Or you can use `download` attribute on `<a>`, as I've mentioned above (won't work on all browsers). – Przemek Mar 15 '16 at 13:55

1 Answer

-2

You should probably analyze request headers and block those requests that contain 'Transfer-Encoding: chunked'

Nikolai Shevchenko
  • Thank you all for your suggestions. I was able to solve it by adding this line of code to my .htaccess: `ForceType application/octet-stream` `Header set Content-Disposition attachment` – Onwu Bishop Gideon Mar 24 '16 at 08:51
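
An added example (not code from the question, the comments or the answer) of serving the file through a PHP script so that `Content-Disposition: attachment` is set on the MP3 response itself, with the lookup done through a bound parameter rather than string concatenation. It assumes `db.php` is changed to create a PDO handle named `$pdo`, that `PATH` is stored relative to the script's directory under `uploads/`, and a hypothetical script name `download.php`, which the listing would link to as `download.php?id=<FILE_ID>`.

```php
<?php
declare(strict_types=1);

// Fetch one row by FILE_ID using a bound parameter instead of string concatenation.
function findUpload(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT FILE_NAME, PATH FROM upload_data WHERE FILE_ID = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Canonicalise the stored path and reject anything that is not a file inside $baseDir.
function resolveUpload(string $baseDir, string $storedPath): ?string
{
    $base = realpath($baseDir);
    $real = realpath($storedPath);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Build the response headers that make the browser save the file rather than play it.
function downloadHeaders(string $fileName, int $size): array
{
    // Keep only harmless characters so the name cannot inject CR/LF or quotes.
    $safe = preg_replace('/[^A-Za-z0-9._ -]/', '_', basename($fileName));
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'Content-Length: ' . $size,
        'X-Content-Type-Options: nosniff',
    ];
}

require 'db.php'; // assumption: db.php now creates $pdo = new PDO(...)

$row  = findUpload($pdo, (int) ($_GET['id'] ?? 0));
// Assumption: PATH is relative to this script's directory, e.g. "uploads/song.mp3".
$file = $row !== null ? resolveUpload(__DIR__ . '/uploads', __DIR__ . '/' . $row['PATH']) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}
foreach (downloadHeaders($row['FILE_NAME'], (int) filesize($file)) as $line) {
    header($line);
}
readfile($file);
```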