secure flash player - GoFuckYourself.com

MissFireCrotch · 06-11-2007, 07:36 PM

Currently i am using jeroenwijering flash player, but this exposes the file url of flv files. Does anyone know of a more secure player that can hide the url's of flv files? Right now I am using js to protect it alittle by creating the player dynamically. I know that you can not stop ripping completely but you can stop 50% of the people that just look at page sources.

I tried a php file such as:

PHP Code:


			
$file = "/video/" . $_GET["file"];



$fh = fopen($file,"rb");



while (!feof($fh))

{

header("Cache-Control: no-store, must-revalidate");

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

header("Content-Type: video/x-flv");

header('Content-Length: ' . filesize($file));

print(fread($fh, filesize($file)));

}



fclose($fh);

by calling "file=script.php?file=foo.flv

but this made my browser crash (firefox) and server resources sky rocket!

gwkg · 06-11-2007, 10:37 PM

$file should probably be the absolute path to the folder

something like

$file = "home/wwwroot/public_html/video/"

gwkg · 06-11-2007, 10:45 PM

actually you should put the .flv files outside of the public_html directory so they are not accessible from the web.

MissFireCrotch · 06-12-2007, 01:36 AM

ok this is what i have now:
flv files are located outside my webroot
the file path is '/home/username/movies/'

the code in stream.php is:

PHP Code:


			
$file = "/home/username/movies/" . $_GET["file"];



$fh = fopen($file, "rb") or exit("Could not open $file"); 

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

header("Cache-Control: no-store, must-revalidate");

header("Content-Type: video/x-flv");

header('Content-Length: ' . filesize($file));

while (!feof($fh))

{

print(fread($fh, 10000));

}

fclose($fh);

ok now if i do www.mysite com/stream.php?file=test.flv
my browser will download the file only named stream.php
which is correct, its able to get the file. I dont know if there is a problem that it could be returning as a .php file and the player will not play it?

but if i try to play it in the flash player it just sits there with the flash logo going, like its trying to find the file.

the code for the player that i am loading is:

PHP Code:


			
<div id="player">

<embed id="mpl" width="320" height="260" flashvars="file=stream.php?file=p1.flv" allowfullscreen="false" quality="high" name="mpl" src="movieplayer/mediaplayer.swf" type="application/x-shockwave-flash"/>

</div>

and once again this is the jeroenwijering player.

that site seems to be down or i would be there too.

divine116 · 06-12-2007, 05:22 AM

thanks for the info!

MissFireCrotch · 06-12-2007, 02:11 PM

ok i have my player working with stream.php?file=video.flv This works and well. The files are located outside my web root so only this script will be able to access them. But how do i protect this script so that people dont just put that in the url line and are able to dl my movie?

i have tried:

Code:

if (!$_SERVER['HTTP_REFERER']){
print "This page can't be accessed directly. Please click back to start over.";
 }

and

Code:

if (!defined("Something_was_defined_on_previous_page"))
{
   die ("Don't waste your time trying to access this file");
}

and neither one works. stream.php will only respond with what it should be responding when the script is accessed directly on the url.

ASACP Cal · 06-12-2007, 06:47 PM

This is an interesting question.

With the first example if $_SERVER['HTTP_REFERER'] doesn't evaluate to whatever php thinks of as false it won't work. If you tested for a specific refererrer it might however. One way to do this where there may be many possible "right" answers would be to use a regular expression:

if (!preg_match('#^http:/+mydomain.com#',$_SERVER['HTTP_REFERER'])) die("can't view this link directly!");

I'm wondering if apache config could be doctored in some way to prevent this eg using mod_rewrite.

MissFireCrotch · 06-13-2007, 01:57 PM

well after some testing by echoing out $_SERVER['HTTP_REFERER'] and others, there is no http_referer at least stream.php does not see one! i am kinda lost with this. the only other thing that i know to do would be to create key like db entries per users ip address that has a timeout limit set to it. say grab the time and user ip, encode that, throw it in the db. then when calling stream.php pass the users ip and compare that to the encoded db entry and compare the time thats with it and do a compare. say it was inserted into the db 5 mins ago is ok, 6 mins no timeout if thats ok stream.php passes the video file.

gwkg · 06-13-2007, 03:29 PM

You could use a session id.

Create the original page with php and pass the session id through the link calling the flash file

stream.php?flash.flv&id=SDFJSFOIW$WH

then have stream php check the session id passed to the one being used for the current session. If it matches create the flv and pass it.

06-11-2007, 07:36 PM	#1
MissFireCrotch Confirmed User Join Date: Jun 2007 Posts: 187	secure flash player Currently i am using jeroenwijering flash player, but this exposes the file url of flv files. Does anyone know of a more secure player that can hide the url's of flv files? Right now I am using js to protect it alittle by creating the player dynamically. I know that you can not stop ripping completely but you can stop 50% of the people that just look at page sources. I tried a php file such as: PHP Code: `$file = "/video/" . $_GET["file"]; $fh = fopen($file,"rb"); while (!feof($fh)) { header("Cache-Control: no-store, must-revalidate"); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Content-Type: video/x-flv"); header('Content-Length: ' . filesize($file)); print(fread($fh, filesize($file))); } fclose($fh);` by calling "file=script.php?file=foo.flv but this made my browser crash (firefox) and server resources sky rocket! __________________ Need some web dev? Contact ME ICQ - 366621126

06-12-2007, 01:36 AM	#4
MissFireCrotch Confirmed User Join Date: Jun 2007 Posts: 187	ok this is what i have now: flv files are located outside my webroot the file path is '/home/username/movies/' the code in stream.php is: PHP Code: `$file = "/home/username/movies/" . $_GET["file"]; $fh = fopen($file, "rb") or exit("Could not open $file"); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Cache-Control: no-store, must-revalidate"); header("Content-Type: video/x-flv"); header('Content-Length: ' . filesize($file)); while (!feof($fh)) { print(fread($fh, 10000)); } fclose($fh);` ok now if i do www.mysite com/stream.php?file=test.flv my browser will download the file only named stream.php which is correct, its able to get the file. I dont know if there is a problem that it could be returning as a .php file and the player will not play it? but if i try to play it in the flash player it just sits there with the flash logo going, like its trying to find the file. the code for the player that i am loading is: PHP Code: `<div id="player"> <embed id="mpl" width="320" height="260" flashvars="file=stream.php?file=p1.flv" allowfullscreen="false" quality="high" name="mpl" src="movieplayer/mediaplayer.swf" type="application/x-shockwave-flash"/> </div>` and once again this is the jeroenwijering player. that site seems to be down or i would be there too. __________________ Need some web dev? Contact ME ICQ - 366621126

06-12-2007, 05:22 AM	#5
divine116 Confirmed User Join Date: May 2007 Posts: 1,152	thanks for the info! __________________ Sexy Woman Upskirt Voyeur Web Developing Affordable SEO Services

06-12-2007, 02:11 PM	#6
MissFireCrotch Confirmed User Join Date: Jun 2007 Posts: 187	ok i have my player working with stream.php?file=video.flv This works and well. The files are located outside my web root so only this script will be able to access them. But how do i protect this script so that people dont just put that in the url line and are able to dl my movie? i have tried: Code: if (!$_SERVER['HTTP_REFERER']){ print "This page can't be accessed directly. Please click back to start over."; } and Code: if (!defined("Something_was_defined_on_previous_page")) { die ("Don't waste your time trying to access this file"); } and neither one works. stream.php will only respond with what it should be responding when the script is accessed directly on the url. __________________ Need some web dev? Contact ME ICQ - 366621126

06-13-2007, 01:57 PM	#8
MissFireCrotch Confirmed User Join Date: Jun 2007 Posts: 187	well after some testing by echoing out $_SERVER['HTTP_REFERER'] and others, there is no http_referer at least stream.php does not see one! i am kinda lost with this. the only other thing that i know to do would be to create key like db entries per users ip address that has a timeout limit set to it. say grab the time and user ip, encode that, throw it in the db. then when calling stream.php pass the users ip and compare that to the encoded db entry and compare the time thats with it and do a compare. say it was inserted into the db 5 mins ago is ok, 6 mins no timeout if thats ok stream.php passes the video file. __________________ Need some web dev? Contact ME ICQ - 366621126

06-11-2007, 10:37 PM	#2
gwkg Confirmed User Join Date: Dec 2006 Posts: 179	$file should probably be the absolute path to the folder something like $file = "home/wwwroot/public_html/video/"

06-11-2007, 10:45 PM	#3
gwkg Confirmed User Join Date: Dec 2006 Posts: 179	actually you should put the .flv files outside of the public_html directory so they are not accessible from the web.

06-12-2007, 06:47 PM	#7
ASACP Cal Registered User Join Date: Jun 2007 Location: Vancouver, BC Posts: 6	This is an interesting question. With the first example if $_SERVER['HTTP_REFERER'] doesn't evaluate to whatever php thinks of as false it won't work. If you tested for a specific refererrer it might however. One way to do this where there may be many possible "right" answers would be to use a regular expression: if (!preg_match('#^http:/+mydomain.com#',$_SERVER['HTTP_REFERER'])) die("can't view this link directly!"); I'm wondering if apache config could be doctored in some way to prevent this eg using mod_rewrite.

06-13-2007, 03:29 PM	#9
gwkg Confirmed User Join Date: Dec 2006 Posts: 179	You could use a session id. Create the original page with php and pass the session id through the link calling the flash file stream.php?flash.flv&id=SDFJSFOIW$WH then have stream php check the session id passed to the one being used for the current session. If it matches create the flv and pass it.