How do I protect against users directly downloading my HTML videos using PHP

Question

1.00/5 (1 vote)

See more:

I am attempting to develop a video-streaming website (for learning purposes) in PHP, utilizing the HTML5 video element.

The only problem with the HTML5 video element is that it is incredibly insecure. It allows the user to directly see the video source if they inspect the element.

I would like to protect against this. I came across this answer, and attempted to protect using that code (but it never worked, and I got the error:

Using an empty Initialization Vector (iv) is potentially insecure and not recommended

)

So, I went ahead and created my own version (but I get a 404 error in the console for the video).

What I have tried:

view.php:

PHP

<?php
    $dbh->query("INSERT INTO vpt_tokens (video_id, vpt) VALUES (abcd, 1234)");
?>
<video src="/intrapics/stream.php?m=abcd&vpt=1234"></video>

stream.php:

PHP

if(!isset($_GET["vpt"]) || trim($_GET["vpt"]) === ""){
    header("HTTP/1.0 404 Not Found");
} else {
    $check = $dbh->query("SELECT vpt FROM vpt_tokens WHERE video_id = abcd AND vpt = " . $_GET["vpt"]); // please note that I do actually use prepared statements, this is just simplified
    if(!$check->rowCount()){
        header("HTTP/1.0 404 Not Found");
    } else {
        $file = "player/" . $_GET["m"] . ".mp4";
        if(file_exists($file)){
            header("Content-type: video/mp4");
        }
        echo file_get_contents($file);
        $dbh->query("DELETE FROM vpt_tokens WHERE vpt = " . $_GET["vpt"]);
    }
}

Posted 17-Jun-17 23:03pm

Member 13265453

Updated 18-Jun-17 22:05pm

v2

Add a Solution

Comments

Kornfeld Eliyahu Peter 18-Jun-17 5:23am

All those missing parenthesis are typos or real?

Member 13265453 19-Jun-17 4:04am

Typos :) I had to convert my code from using my OOP classes to the usual vanilla PHP.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Answer 1 · 2017-06-18T03:56:00

Simple. You don't. You're not encrypting the video. You're just making it more complicated to get at the video with a scrambled URL. The problem there is the URL doesn't change for each download of the video and is easily intercepted anyway.

Think about this for a second. The HTML5 tag cannot play "encrypted" video. No matter what, the content must be decrypted before the tag can play it. In order to decrypt it you have to put the decrypted content somewhere where the HTML5 tag can get at it. This opens the content up to be downloaded by anything.

You would need to write your own player that decrypts on the fly but even then, you've got a problem, protecting the key to decrypt the content. Again, someone can use the key to decrypt the content.