[thelist] Preventing direct access while allowing PHP script access

kasimir-k evolt at kasimir-k.fi
Mon Mar 27 08:03:37 CST 2006

> I have a bunch of SWF files, just say at "http://www.domain.com/swf/".
> Now, I want my PHP script, eg, something like
> "http://www.domain.com/swf_me_up.php?filename=someswf" to be able to
> access these, obviously.

You must remember that the swf file is linked to from the page 
swf_me_up.php, so the browser must make a HTTP request for it.

> However, I want to prevent people from simply
> typing in something like "http://www.domain.com/swf/someswf.swf" and
> accessing it directly (mainly because I want to extract money from
> them first, *rubs mercenarious hands*).

So your problem becomes how to tell direct access requests from the 
requests initiated by page swf_me_up.php.

> I would've thought this would be quite a common desire, but I can't
> seem to find any ideas on how to achieve it. Plenty of examples of how
> to prevent "hotlinking", but evidently while this also concerns me,
> it's HTTP requests from my *own* domain that's the worry at the
> moment!

Another important thing to realize is that the requests do *not* 
originate from your (or any) domain - they originate from the user agent 
(the browser).

You could check the Referer header:
But that is very unreliable.

Another option would be hiding the real name of the swf file, and use 
some sort of one-off aliases. When swf_me_up.php?filename=someswf is 
requested, PHP first creates an unique token and uses that in the URI 
for the swf, like FC63PJY2F3SW840O.swf, and then it updates the 
.htaccess in /swf (assuming Apache here) with a rewrite
RewriteRule FC63PJY2F3SW840O.swf  someswf.swf

You could use a database with this instead off updating the .htaccess 
every time. So if you have 16 char ids, you'd have in your .htaccess
RewriteRule (\w{16})\.swf giveSwf.php?id=$1

And giveSwf.php reads from the DB what swf file goes with given id, 
serves that (maybe using PHP's readfile()) and removes the row from the 
DB, so that the same token/id can not be used again.

swf_me_up.php should not be cached - otherwise stale tokens/ids come 
into picture. This you can take care with correct response headers.


More information about the thelist mailing list