Prevent and Profit from VIDEO hotlinking.

[SmokeyTheBear]

ok heres a simple way , feel free to modify it.. if you know of any other tricks , feel free to let me know

Save the following as index.php and put it in a folder with your videos

Code:

<?php
$mov = $_GET['x'];

echo "<center>Add an advertisement here - dont use quotes<br><embed src=$mov.wmv></embed>";
?>

( if your using mpg/avi videos change the code to mpg/avi in both files)

ok now make a new folder in your main directory, save the following as .htaccess ( modify the url to point to the directory with your videos )

Code:

Options +FollowSymlinks
 RewriteEngine on
 RewriteRule ^(.*)\.wmv http://yoursite.com/videos/index.php?x=$1 [nc]

ok now what this will do is , when you call a video or someone hotlinks a video it will call the video and display it in an html page so you can add advertising and such..

Now keep in mind this doesnt actually prevent hotlinking all it does is rewrite the request to a different folder , so if you try to get http://yourserver.com/protected/video.wmv it would get the video from a different folder and write it into an html file.. the end video is still unprotected , so if someone views source of the html they can simply get the redirected movie url

BUT heres what you do.. you can simply rename the folder with your protected videos then change the .htaccess file to reflect that every so often , you dont have to change any of your links as they will just be redirected to the new folder without any changes on your part

synopsis.

If you normally had a link like http://yourserver.com/1/video.wmv it will rewrite it as http://yourserrver.com/2/video.wmv , embed it in a page so you can add advertising , if the hotlinkers ever find where the true video resides you can simply rename the destination folder without having to change any exisiting links on your page , (i.e. you can link using http://yourserver.com/1/video.wmv and never have to change it regardless of where the real videos reside )

[Juicy D. Links]

bumpooooooooooooo

[Manowar]

good stuff smokey

[fris]

ya video hotlinking you will need actual software or write your own module. cause when linking videos sometimes it sends blank refer, fake refer, or anything different with images, i pay for antihotlinking.com great software.

[SmokeyTheBear]

Quote:

Originally Posted by fris

ya video hotlinking you will need actual software or write your own module. cause when linking videos sometimes it sends blank refer, fake refer, or anything different with images, i pay for antihotlinking.com great software.

this is true..

With this method though you get the added benefit from people that "think" they are hotlinking your videos but they are actually helping you make some profit.. and it works about the same way as true anti-hotlinking methods other than you have to do a little modification every now and then to keep the clever people away

[u-Bob]

or you could do some crazy shit with swf + php + flv + cookies + some js.

[woj]

you can do similar setup to turn jpegs into jpegs on html

[SmokeyTheBear]

p.s. thehun likely wont accept a gallery using this anti-hotlink method because the script wont be able to detect if theres actual movies on the gallery ( because the requests would be handled by the php file ) ..

You could still use this method though by changing the php to redirect directly to the video instead of creating an html page to ebmed it into. This way your gallery will still get accepted.. ( you would then be just as prone to hotlinking, BUT you can change the destination video folder with one line of code instead of changing all the html files..

example if i made 200 hun galleries and each one had 4 videos on it.. like < a href=http://yoursite.com/hotlink/1-a.wmv>1</a>

the real video would be in http://yoursite.com/differentfolder/1-a.wmv redirected using the htaccess , now if people started hotlinking your vids you simply change the destination folder to yoursite.com/newfolder, then change the 1 line of htaccess and you dont have to change 800 links on all the html pages.. its done with one simple edit.

[SmokeyTheBear]

Quote:

Originally Posted by woj

you can do similar setup to turn jpegs into jpegs on html

or any file for that matter , flash files etc..

[sfera]

cool stuff man

[SmokeyTheBear]

so if you wanted to get your galleries listed on the hun and cant use the above method because the script doesnt allow. then it use this.

If people start hotlinking the videos , all you have to do is rename the folder with the videos and change this one php line to reflect the new folder name , without having to change the html in the galleries

Code:

<?php
$mov = $_GET['x'];
header("Location: http://yoursite.com/realvideofolder/$mov.wmv");
?>

p.s. you would use the same htaccess from above as well.

[BlingDaddy]

Wicked info.

[austinth]

smokey is one of the few posters here that actually has incredible info and tips to share. Thanks Smokey!!

[austinth]

your last cloaking code works very well!

[SmokeyTheBear]

p..s. if anyone needs some help or modification feel free to hit me up on icq and i will walk you through it, its very simple , i'm not always on , but if i'm not doing anything im glad to help..

[SmokeyTheBear]

Quote:

Originally Posted by austinth

smokey is one of the few posters here that actually has incredible info and tips to share. Thanks Smokey!!

hey thanks a bunch man , its nice to know people appreciate it..

[chase]

Awesome! Where's Hal with his Flash of Fucking Brilliance award?

[Rui]

Great stuff one of the best GFY threads of 2006 ;)

[4Pics]

Isn't the $_GET part bad for security?

I can pass whatever I want to the variable.

[4Pics]

like blah x=http://www.spywaresite.com/?.wmv

so when you add the ? it pretty much ignores the .wmv right?

[SmokeyTheBear]

Quote:

Originally Posted by 4Pics

Isn't the $_GET part bad for security?

I can pass whatever I want to the variable.

This is true im new at php

change the abopve code to the following to be more secure

Code:

<?php
$mov = $_GET['x'];
$mov = strip_tags($mov);
echo "<center>add any html here dont use double quotes<embed src=$mov.mpg></embed>";
?>

[SmokeyTheBear]

Code:

<?php
$mov = $_GET['x'];
$mov = strip_tags($mov);
$url = "http://yoursite.com/header.html";
$html = file_get_contents($url);
echo "$html<br><center><embed src=$mov.mpg></embed>";
?>

heres a better version .. this way you can just add a header to every video , put whatever html you want in the header page and it will be put above the video.. so you can customize the output page a little better

[Jace]

smokey, I love that you are learning html man....you have been posting some cool shit lately with your new knowledge

I can't wait to see what you will be doing in a years time with it

[Brujah]

Smokey, just some info to pass along, in case you're interested.

You can look into preg_match to clean variables or test them also. Will come in especially handy if you learn regex's or know a little about them already.

www.php.net/preg_match

Code:

So then: page.php?test=filename.mpg would pass
but page.php?test=`cat /etc/passwd`;etc..whatever-movie.mpg would fail.

Code:

if( !preg_match('/^([A-Z0-9\ \-]+)\.mpg$/i',$_GET['test'],$m) ) {
        print '<span style="color:red">Test Failed. Not Allowing.</span>';
} else {            
        print '<span style="color:blue">Passed</span>: '.$m[0];            
}

[Spunky]

Thanks for the tip man

[fris]

Quote:

Originally Posted by woj

you can do similar setup to turn jpegs into jpegs on html

i am looking for that solution on an opendir. cant seem to get it working.

[SmokeyTheBear]

Quote:

Originally Posted by Brujah

Smokey, just some info to pass along, in case you're interested.

You can look into preg_match to clean variables or test them also. Will come in especially handy if you learn regex's or know a little about them already.

www.php.net/preg_match

Code:

So then: page.php?test=filename.mpg would pass
but page.php?test=`cat /etc/passwd`;etc..whatever-movie.mpg would fail.

Code:

if( !preg_match('/^([A-Z0-9\ \-]+)\.mpg$/i',$_GET['test'],$m) ) {
        print '<span style="color:red">Test Failed. Not Allowing.</span>';
} else {            
        print '<span style="color:blue">Passed</span>: '.$m[0];            
}

Thanx im a little new to php , since you seem to be a litle better, can i ask , the way i revised it will be fine right ? the way you did it is obviously better but mine would work right ? like as far as not accepting dangerous code it would just make the page invalid if someone tried x=filenam><br><hr><script>alert('hi')</script> i tried a few combo's couldnt find anything that looked langerous

like using you method if someone tried to introduce bad string it would fail using mine it wouldnt show bad stuff , but the page just might not work right ..?

[SmokeyTheBear]

i did find an interesting side note though while testing bad string as input ..

if you make a page with <embed src=video></embed> with no file extension , and have a video in the directory named video.mpg , it will play fine.. starnge

[SmokeyTheBear]

i did find an interesting side note though while testing bad string as input ..

if you make a page with <embed src=video></embed> with no file extension , and have a video in the directory named video.mpg , it will play fine.. starnge

[Brujah]

Quote:

Originally Posted by SmokeyTheBear

Thanx im a little new to php , since you seem to be a litle better, can i ask , the way i revised it will be fine right ? the way you did it is obviously better but mine would work right ? like as far as not accepting dangerous code it would just make the page invalid if someone tried x=filenam><br><hr><script>alert('hi')</script> i tried a few combo's couldnt find anything that looked langerous

like using you method if someone tried to introduce bad string it would fail using mine it wouldnt show bad stuff , but the page just might not work right ..?

I'm not sure offhand, if there's anything they could really do with this specific use. If you wanted tho, you could ...

REPLACE THIS:

Code:

$mov = $_GET['x'];
$mov = strip_tags($mov);

WITH THIS:

Code:

if( preg_match('/^([a-z0-9\ \-]+)\.mpg$/i',$_GET['x'],$m) ) {
 $mov = $m[0];
}

[SmokeyTheBear]

Quote:

Originally Posted by Brujah

I'm not sure offhand, if there's anything they could really do with this specific use. If you wanted tho, you could ...

REPLACE THIS:

Code:

$mov = $_GET['x'];
$mov = strip_tags($mov);

WITH THIS:

Code:

if( preg_match('/^([a-z0-9\ \-]+)\.mpg$/i',$_GET['x'],$m) ) {
 $mov = $m[0];
}

thanx a bunch

[SmokeyTheBear]

but the file extension isnt passed along with the strin "x" just the filename

[Young]

Smokey I'd love to have access to your script archive!

[jmk]

Now this a useful post ... why can't there be more like that!
Good job!

[SmokeyTheBear]

ok heres a more secure method

the other one could be exploited by ?x=file%20onload=badstuff> ( nothing serious but just to be sure lets try this one

sorry for the slopiness im new

Code:

<?php
$mov = $_GET['x'];
$mov = strip_tags($mov);
$mov = str_replace(">", "", $mov);
$mov = str_replace(" ", "", $mov);
echo "<center>Add an advertisement here - dont use quotes<br><embed src=$mov.wmv></embed>";
?>

[Pete-KT]

Badass thanks Smokey

[jayeff]

This code has been around for a quite a while for displaying still images in neatly formatted pages when they are called up "bare". It works just fine with type-ins or when another site provides a link to your image: then your server will redirect the request and deliver the pic up in its page. But if someone hotlinks the image itself via "img src", you will just see the usual red "x" (or nothing, depending on your browswer).

It doesn't matter how tricky you get, browser's will not allow you to deliver anything except an image if an image is what they were expecting. Whether movies present the same problem I don't know, but have you checked that?

[SmokeyTheBear]

Quote:

Originally Posted by jayeff

This code has been around for a quite a while for displaying still images in neatly formatted pages when they are called up "bare". It works just fine with type-ins or when another site provides a link to your image: then your server will redirect the request and deliver the pic up in its page. But if someone hotlinks the image itself via "img src", you will just see the usual red "x" (or nothing, depending on your browswer).

It doesn't matter how tricky you get, browser's will not allow you to deliver anything except an image if an image is what they were expecting. Whether movies present the same problem I don't know, but have you checked that?

yes i hope i didnt give the wrong impression.. if a hotlinker or you are embeding a video it wont redirect the page it will just show a broken video ( or no video ) if someone just drops a link to the video ( like in a forum ) it will do whats described above..

Most people link to the videos.. thiw wouldn't work if you ran filecabi.net , but it would work on galleries

[Brujah]

Quote:

Originally Posted by SmokeyTheBear

but the file extension isnt passed along with the strin "x" just the filename

Try $m[1] instead

[jayeff]

Quote:

Originally Posted by SmokeyTheBear

yes i hope i didnt give the wrong impression.. if a hotlinker or you are embeding a video it wont redirect the page it will just show a broken video ( or no video ) if someone just drops a link to the video ( like in a forum ) it will do whats described above..

Most people link to the videos.. thiw wouldn't work if you ran filecabi.net , but it would work on galleries

FYI the variation on this which I first came across is at http://www.alistapart.com/articles/hotlinking and some of the comments might interest anyone who has security concerns about the php code involved.

For anyone who tries using that version for images, I had to alter one of the htaccess lines to get it to work, putting:

Code:

RewriteRule (.*) /showpic.php?pic=protected_directory/$1

in place of:

Code:

RewriteRule (.*) /showpic.php?pic=$1

ie the name of the protected directory had to go ahead of the variable.

[Brujah]

I used to host with xcite.net and Mike had a great page up with some info about protecting your videos. Not sure how relevant it will be today, but here it is.

http://www.xcite.net/resources/index.html