I am not a PHP master at all, but I was a front-end web designer some years back. I created a page that plays MP3s using this audio player. I want to prevent users from downloading the MP3 files directly, so I put them outside of the document root and used this script to load the file using PHP. The problem is that anyone can enter the URL the script uses to call the file into a browser to download the MP3.
I tried placing a variable on the PHP page that is calling the MP3 and then telling the file-calling script that if the variable doesn't match, it should redirect the user back to the home page. So if a user puts the URL the script uses to call the file into a browser, they will just be redirected back to the home page. The redirect works, but the PHP page with the actual variable present doesn't seem to work in allowing the PHP script to call the MP3 when the variable is present.
Is there a better way to go about this? I am very very novice with PHP.
You need some sort of user authentication.
For example, you can generate random tokens (something complex) for users (that have usernames or IDs) and make the users send their tokens and IDs with the request for the song.
Prior to your code that does the MP3 streaming, you check whether the combination of the token and ID is a match and in fact exists in the database. If so, you allow the streaming/download of the MP3 to proceed.
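The token-and-ID check described in the answer above could look like the following. This is an added example, not code from the question or the answer; the table `stream_tokens`, the request parameters `uid`, `token` and `track`, the directory `/var/media/mp3` and the five-minute expiry are all assumptions, and the demo at the end needs the `pdo_sqlite` extension.

```php
<?php
// Added example. Assumed names: table stream_tokens, parameters uid/token/track.
declare(strict_types=1);

const MEDIA_DIR = '/var/media/mp3'; // assumed directory outside the document root

// Issue a random token for an already-identified user; only its hash is stored.
function issueToken(PDO $db, int $userId, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO stream_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// True only if this ID/token pair exists in the database and has not expired.
function tokenIsValid(PDO $db, int $userId, string $token): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM stream_tokens WHERE user_id = ? AND token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([$userId, hash('sha256', $token), time()]);
    return $stmt->fetchColumn() !== false;
}

// Call this before any streaming code; it rejects requests without a matching pair.
function streamTrack(PDO $db, array $query): void
{
    if (!tokenIsValid($db, (int) ($query['uid'] ?? 0), (string) ($query['token'] ?? ''))) {
        http_response_code(403);
        exit('Forbidden');
    }
    // basename() strips directory parts so the request cannot leave MEDIA_DIR.
    $path = MEDIA_DIR . '/' . basename((string) ($query['track'] ?? '')) . '.mp3';
    if (!is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: audio/mpeg');
    readfile($path);
}

if (PHP_SAPI === 'cli') { // constructed demo: in-memory SQLite, made-up user ID 7
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE stream_tokens (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
    $token = issueToken($db, 7);
    var_dump(tokenIsValid($db, 7, $token), tokenIsValid($db, 7, 'guessed-value'));
}
```

In the streaming script this would be called as `streamTrack($db, $_GET)`, with the page that embeds the player calling `issueToken()` and placing the ID and token in the player's URL.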