secure flash player

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • MissFireCrotch
    Confirmed User
    • Jun 2007
    • 187

    #1

    secure flash player

    Currently i am using jeroenwijering flash player, but this exposes the file url of flv files. Does anyone know of a more secure player that can hide the url's of flv files? Right now I am using js to protect it alittle by creating the player dynamically. I know that you can not stop ripping completely but you can stop 50% of the people that just look at page sources.

    I tried a php file such as:
    PHP Code:
    $file = "/video/" . $_GET["file"];
    
    $fh = fopen($file,"rb");
    
    while (!feof($fh))
    {
    header("Cache-Control: no-store, must-revalidate");
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Content-Type: video/x-flv");
    header('Content-Length: ' . filesize($file));
    print(fread($fh, filesize($file)));
    }
    
    fclose($fh); 
    
    by calling "file=script.php?file=foo.flv

    but this made my browser crash (firefox) and server resources sky rocket!
    Need some web dev? Contact ME
    ICQ - 366621126
  • gwkg
    Confirmed User
    • Dec 2006
    • 179

    #2
    $file should probably be the absolute path to the folder

    something like

    $file = "home/wwwroot/public_html/video/"

    Comment

    • gwkg
      Confirmed User
      • Dec 2006
      • 179

      #3
      actually you should put the .flv files outside of the public_html directory so they are not accessible from the web.

      Comment

      • MissFireCrotch
        Confirmed User
        • Jun 2007
        • 187

        #4
        ok this is what i have now:
        flv files are located outside my webroot
        the file path is '/home/username/movies/'

        the code in stream.php is:
        PHP Code:
        $file = "/home/username/movies/" . $_GET["file"];
        
        $fh = fopen($file, "rb") or exit("Could not open $file"); 
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
        header("Cache-Control: no-store, must-revalidate");
        header("Content-Type: video/x-flv");
        header('Content-Length: ' . filesize($file));
        while (!feof($fh))
        {
        print(fread($fh, 10000));
        }
        fclose($fh); 
        
        ok now if i do www.mysite com/stream.php?file=test.flv
        my browser will download the file only named stream.php
        which is correct, its able to get the file. I dont know if there is a problem that it could be returning as a .php file and the player will not play it?

        but if i try to play it in the flash player it just sits there with the flash logo going, like its trying to find the file.

        the code for the player that i am loading is:
        PHP Code:
        <div id="player">
        <embed id="mpl" width="320" height="260" flashvars="file=stream.php?file=p1.flv" allowfullscreen="false" quality="high" name="mpl" src="movieplayer/mediaplayer.swf" type="application/x-shockwave-flash"/>
        </div> 
        
        and once again this is the jeroenwijering player.

        that site seems to be down or i would be there too.
        Need some web dev? Contact ME
        ICQ - 366621126

        Comment

        • divine116
          Confirmed User
          • May 2007
          • 1152

          #5
          thanks for the info!
          Sexy Woman Upskirt Voyeur Web Developing Affordable SEO Services

          Comment

          • MissFireCrotch
            Confirmed User
            • Jun 2007
            • 187

            #6
            ok i have my player working with stream.php?file=video.flv This works and well. The files are located outside my web root so only this script will be able to access them. But how do i protect this script so that people dont just put that in the url line and are able to dl my movie?

            i have tried:
            Code:
            if (!$_SERVER['HTTP_REFERER']){
            print "This page can't be accessed directly. Please click back to start over.";
             }
            and

            Code:
            if (!defined("Something_was_defined_on_previous_page"))
            {
               die ("Don't waste your time trying to access this file");
            }
            and neither one works. stream.php will only respond with what it should be responding when the script is accessed directly on the url.
            Need some web dev? Contact ME
            ICQ - 366621126

            Comment

            • ASACP Cal
              Registered User
              • Jun 2007
              • 6

              #7
              This is an interesting question.

              With the first example if $_SERVER['HTTP_REFERER'] doesn't evaluate to whatever php thinks of as false it won't work. If you tested for a specific refererrer it might however. One way to do this where there may be many possible "right" answers would be to use a regular expression:

              if (!preg_match('#^http:/+mydomain.com#',$_SERVER['HTTP_REFERER'])) die("can't view this link directly!");

              I'm wondering if apache config could be doctored in some way to prevent this eg using mod_rewrite.
              MySQL | Perl | PHP Developer cal [@] asacp [.] org

              Comment

              • MissFireCrotch
                Confirmed User
                • Jun 2007
                • 187

                #8
                well after some testing by echoing out $_SERVER['HTTP_REFERER'] and others, there is no http_referer at least stream.php does not see one! i am kinda lost with this. the only other thing that i know to do would be to create key like db entries per users ip address that has a timeout limit set to it. say grab the time and user ip, encode that, throw it in the db. then when calling stream.php pass the users ip and compare that to the encoded db entry and compare the time thats with it and do a compare. say it was inserted into the db 5 mins ago is ok, 6 mins no timeout if thats ok stream.php passes the video file.
                Need some web dev? Contact ME
                ICQ - 366621126

                Comment

                • gwkg
                  Confirmed User
                  • Dec 2006
                  • 179

                  #9
                  You could use a session id.

                  Create the original page with php and pass the session id through the link calling the flash file

                  stream.php?flash.flv&id=SDFJSFOIW$WH

                  then have stream php check the session id passed to the one being used for the current session. If it matches create the flv and pass it.

                  Comment

                  Working...