[thelist] Preventing direct access while allowing PHP script access

kasimir-k evolt at kasimir-k.fi
Tue Mar 28 00:24:27 CST 2006

>> I have a bunch of SWF files, just say at "http://www.domain.com/swf/".
>> Now, I want my PHP script, eg, something like
>> "http://www.domain.com/swf_me_up.php?filename=someswf" to be able to
>> access these, obviously. However, I want to prevent people from simply
>> typing in something like "http://www.domain.com/swf/someswf.swf" and
>> accessing it directly (mainly because I want to extract money from
>> them first, *rubs mercenarious hands*).

Ricky Zhou scribeva in 27/03/2006 22:37:
> Wow, I'm surprised that nobody has mentioned this, but why can't you
> just place the flash in a non-web directory and print it out through a
> PHP script (to check permissions)?
> I've never used PHP myself, but I believe you can use the header function:
> header('Content-type: application/x-shockwave-flash');
> Then just print the contents of the file.

This depends a bit... on the other hand, any password protection would 
do - people would have to pay to get one, and after that it doesn't 
really matter if they access the swf's directly (or get a copy of if 
from the browser's cache) (and for this it would not be necessary to run 
it through PHP).

But if there is need to disable all direct requests to the swf, then 
this would not suffice. On the page there is something like:
<embed src="/print/me/swf-file.php">
When the browsers encounters this, it makes an HTTP request for 
/print/me/swf-file.php. But it is also possible to make same request 
directly, i.e. typing the URL in the address bar - this would give the 
swf, and it doesn't make it any different, that it's been printed 
through PHP. What PHP must do is tell direct requests apart from the 
requests initiated by the src attribute of <embed>.

And as the visitor can always see the src of <embed>, copy it and paste 
in the address bar, the only way prevent direct access is to use one-off 

But then again, I don't really see the point of the whole exercise... 
the swf will anyway end up in the browser's cache, and visitors may copy 
it from there. In this case too the old truth applies: if you let people 
access something on the web, then people will be able to access it...

May sound obvious, but apparently is not... If you let people access a 
swf using /swf_me_up.php?filename=someswf, then people can access it - 
and once the permission is granted, trying to control how they do it is 
quite laborious and somewhat futile. If you want to charge them, do that 
before they get to /swf_me_up.php?filename=someswf, not after.


More information about the thelist mailing list