[thelist] Preventing direct access while allowing PHP script access
kasimir-k
evolt at kasimir-k.fi
Tue Mar 28 00:24:27 CST 2006
>> I have a bunch of SWF files, just say at "http://www.domain.com/swf/".
>> Now, I want my PHP script, eg, something like
>> "http://www.domain.com/swf_me_up.php?filename=someswf" to be able to
>> access these, obviously. However, I want to prevent people from simply
>> typing in something like "http://www.domain.com/swf/someswf.swf" and
>> accessing it directly (mainly because I want to extract money from
>> them first, *rubs mercenarious hands*).
Ricky Zhou wrote on 27/03/2006 22:37:
> Wow, I'm surprised that nobody has mentioned this, but why can't you
> just place the flash in a non-web directory and print it out through a
> PHP script (to check permissions)?
> I've never used PHP myself, but I believe you can use the header function:
> header('Content-type: application/x-shockwave-flash');
> Then just print the contents of the file.
This depends a bit... on the other hand, any password protection would
do - people would have to pay to get one, and after that it doesn't
really matter if they access the swf's directly (or get a copy of it
from the browser's cache) (and for this it would not be necessary to run
it through PHP).
But if there is need to disable all direct requests to the swf, then
this would not suffice. On the page there is something like:
<embed src="/print/me/swf-file.php">
When the browser encounters this, it makes an HTTP request for
/print/me/swf-file.php. But it is also possible to make the same request
directly, i.e. typing the URL in the address bar - this would give the
swf, and it doesn't make it any different that it's been printed
through PHP. What PHP must do is tell direct requests apart from the
requests initiated by the src attribute of <embed>.
And as the visitor can always see the src of <embed>, copy it and paste
in the address bar, the only way to prevent direct access is to use one-off
URLs.
But then again, I don't really see the point of the whole exercise...
the swf will anyway end up in the browser's cache, and visitors may copy
it from there. In this case too the old truth applies: if you let people
access something on the web, then people will be able to access it...
May sound obvious, but apparently is not... If you let people access a
swf using /swf_me_up.php?filename=someswf, then people can access it -
and once the permission is granted, trying to control how they do it is
quite laborious and somewhat futile. If you want to charge them, do that
before they get to /swf_me_up.php?filename=someswf, not after.
.k
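
The one-off URL approach discussed in this message, combined with serving the file from a non-web directory, as an added example that is not part of the original post. The function names, the 60-second lifetime and the array used as a token store (`$_SESSION` in a web application) are assumptions made for illustration; the file name check matters because `swf_me_up.php?filename=...` takes the name from the request.

```php
<?php
declare(strict_types=1);
// Added example: names and the token store are assumptions ($_SESSION in a web app).

// Issue a single-use token bound to one file; the page puts it in the <embed> src.
function issue_token(array &$store, string $name): string {
    $token = bin2hex(random_bytes(16));
    $store[$token] = ['name' => $name, 'expires' => time() + 60];
    return $token;
}

// Redeem a token: returns the file name once, null on replay or expiry.
function redeem_token(array &$store, string $token): ?string {
    if (!isset($store[$token])) {
        return null;
    }
    $entry = $store[$token];
    unset($store[$token]); // consume first, so a copied URL fails
    return $entry['expires'] >= time() ? $entry['name'] : null;
}

// Map a name to a file under $dir, refusing path traversal.
function resolve_swf(string $dir, string $name): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null; // no slashes, dots or NUL bytes
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name . '.swf');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null; // missing file, or a symlink pointing elsewhere
    }
    return $path;
}

// Constructed demo (CLI): a temp directory stands in for the non-web directory.
$dir = sys_get_temp_dir() . '/swf_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/someswf.swf', 'constructed bytes');
$store = [];
$token = issue_token($store, 'someswf'); // only after payment has been verified
$first = redeem_token($store, $token);   // the request made by <embed>
$second = redeem_token($store, $token);  // the same URL pasted into the address bar
var_dump($first, $second, resolve_swf($dir, '../../etc/passwd'));
$path = resolve_swf($dir, (string) $first);
// Web script: header('Content-type: application/x-shockwave-flash'); readfile($path);
echo $path !== null ? 'would serve ' . basename($path) . "\n" : "denied\n";
unlink($dir . '/someswf.swf');
rmdir($dir);
```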