PHP Protect?

Discussion in 'PHP' started by RobinDeanDotCom, Oct 29, 2007.

  1. #1
    I have some code which currently operates as follows ...

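    // The request parameters become part of a file path, so accept only
    // plain names (no directory components) that map to an existing file.
    $file_source = isset($_GET['source']) ? $_GET['source'] : '';
    $file_bandwidth = isset($_GET['bandwidth']) ? $_GET['bandwidth'] : '';

    if (!is_string($file_source) || !is_string($file_bandwidth)
        || $file_source === '' || basename($file_source) !== $file_source
        || $file_bandwidth === '' || basename($file_bandwidth) !== $file_bandwidth
        || !is_file('audio/'.$file_source.'_'.$file_bandwidth.'.mp3')) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }

    $file_location = 'audio/'.$file_source.'_'.$file_bandwidth.'.mp3';

    header('Content-Type: audio/mpeg');
    header('Cache-Control: no-store, must-revalidate');
    header('Expires: Sun, 06 Oct 1974 21:00:00 GMT');
    header('Content-Length: '.filesize($file_location));

    // Stream the file to the client in 16 KB chunks.
    $file_pointer = fopen($file_location, 'rb');

    while (!feof($file_pointer)) {
        echo(fread($file_pointer, 16384));
    }

    fclose($file_pointer);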
    PHP:
    I really, really, really want for this code to only be usable by a specific page.

    The page that loads it uses its URL as a variable which is then passed into Flash to be played as an mp3 file.

    Is there any way that I can redirect people who try to view this script via the address bar?

    Is there any way to say "If the full address of the page that is loading me externally is == something.php ... all is well" ???

    In all truth, this php script url is being loaded into a flash file. Is there a prospective method there?
     
    RobinDeanDotCom, Oct 29, 2007 IP
  2. TwistMyArm

    #2
    If you don't want people accessing the script directly, why not move the file outside of your webroot and then include it in the one script that you want to be able to use it from?

    Alternatively just turn it into a function and make a function call. If the script itself doesn't call the function then nothing would happen even if they accessed it directly.
     
    TwistMyArm, Oct 29, 2007 IP
  3. RobinDeanDotCom

    #3
    Your responses give me a little bit of optimism.

    Your first solution, however, still leaves me with a problem. If I put the script outside of the root and then include it within the accessible script, anyone can still use it by typing the accessible script's address into the address bar (because it loads the script I want to protect).

    EDIT: OH! Duh. So, basically I include the script only on the intended page using "../" which then, in turn, leads to the directory behind the www folder. The www folder isn't accessible via the address bar, right? That's pretty cool.

    Please note that I'm calling this address from a javascript encodeURI method ... will it be able to access the prior directory?

    Your second solution is interesting but I don't know how to a) convert it into a function or b) call it.

    Suggestions?
     
    RobinDeanDotCom, Oct 29, 2007 IP
  4. bLuefrogx

    #4
    Or.. you could set it to load ONLY if the referrer is from that certain page :p
     
    bLuefrogx, Oct 29, 2007 IP
  5. TwistMyArm

    #5
    Sorry, I assumed that you were already able to take care of managing access to the file that is including the above script. If you're not doing that, then making it a function won't help, either.

    There's nothing 'simple' that will take care of just directly typing in the URL. If there is something simple, scalable and usable by all browser 'usages', I don't know it, sorry.
     
    TwistMyArm, Oct 29, 2007 IP
  6. RobinDeanDotCom

    #6
    I feel like I'm really close, though.

    My index.php file's html output is what will be calling the script.

    It will be calling the php script via a javascript in the html.

    Can javascript or an html page access php scripts which are located outside of the html/www directory?
     
    RobinDeanDotCom, Oct 29, 2007 IP
  7. nico_swd

    #7
    No, because both are on the client's side, and not the server.
     
    nico_swd, Oct 29, 2007 IP
  8. Fash

    #8
    It doesn't sound like you're going to be able to prevent them from being able to access the file while using Flash. As long as you're using a client-side script, it can be faked and tweaked. The only thing I can think of is if you used a referrer to verify the location the script was being accessed from, however it is trivial to change this and thus circumvent any protection.
     
    Fash, Oct 29, 2007 IP
  9. RobinDeanDotCom

    #9
    Does an embedded .swf document pose as a different user-agent than the browser that it is being viewed through?

    If so, is there a way to simply verify that the script is being requested by the flash user agent?

    What I'm hoping to do is say "If (user agent that is requesting this script == flash) {do something} else {do nothing}"
     
    RobinDeanDotCom, Oct 30, 2007 IP
  10. TwistMyArm

    #10
    Even if it did (I don't know) that wouldn't help as I could change the user agent of my browser to that of the Flash script in approximately 45 seconds.
     
    TwistMyArm, Oct 30, 2007 IP
  11. RobinDeanDotCom

    #11
    I'd like to know your thoughts on an idea I had. It may read to be more complex than it actually is, mind you.

    Currently, I have a javascript function which eventually provides a variable to an embedded flash document. That variable points to a php file and includes a query string. It's the php generated content within that file that I'm trying to protect.

    The javascript function and flash document (let's call it flash "a") reside on a page with ANOTHER flash document (flash "b") that is part of my designated address with "permission" to load audio onto.

    Now, I've so far discovered that no javascript variable is safe (anybody can type an alert script into the address bar to learn its value) and a page's referrer is a laughing stock of a php reference. I've racked my newb brain trying to conceive a solution and thought ...

    If I were to create a call-back function in flash document "b" ... namely sending the javascript variable that points to the php file ... and have that flash document append a "&another_php_variable=some_value" alteration to it, there wouldn't be any immediate way to find out what the alteration was.

    Am I wrong?

    My thinking is that I could pass the file address into my other flash document before loading it and append a tag variable that is required by the other php document to load. Then, after the script completes its cycle, I'd reset the "track" variable to null.

    Is this a reasonable concept or am I missing a really simple variable in the mix that would make this an easy hack?

    Are there any apps out there that print the coding processes of flash address requests and other parameter related functions to screen?

    Either way, I'm just aiming at a blurry target and would like to know if my idea has any merit.
     
    RobinDeanDotCom, Oct 30, 2007 IP
  12. RobinDeanDotCom

    #12
    Yuck,

    I just realized that even if I did use this method, someone could type the callback function into an alert message in the address bar to learn the extra tag's value.

    Ouch.

    I need advice. The experts are baffled. The opinionated think I shouldn't bother trying. What to do, what to do.
     
    RobinDeanDotCom, Oct 30, 2007 IP
  13. TwistMyArm

    #13
    We're not saying that it's impossible to stop access to a particular file through your script... we're just saying that it's impossible to stop access to that particular script in the first place.

    You are going to need some form of user management on the server side (not necessarily 'user accounts' though) and from there instead of stopping the user accessing the script, you just wait until they access it and then at that point decide whether to 'process' the script or not.

    Unfortunately we can't tell you much more until you tell us what it is that should define whether or not the files should be able to be accessed.
     
    TwistMyArm, Oct 31, 2007 IP
  14. RobinDeanDotCom

    #14
    My comments aren't angled at you, just to be clear. My comments came from when someone on WebDeveloper.com just cut off the entire idea with "don't bother, can't be done" blah blah blah.

    No, this forum is more helpful than that LOL.

    I suppose that, in the end, I'm trying to find a way to compile a url to load into flash that has a hidden variable attached to it ... one that can't easily be "alerted" through the address bar.

    For example (easy example), my news.php page is separate from my index.php page. The index.php page loads the news page but first sets its own variable "$parent = 'index.php'", which news.php registers and requires in order to display content. This all happens through the "include" method though and doesn't apply to what I'm attempting to do.

    So, now, here I am client-side trying to devise some sort of query string variable which covertly injects itself into the requested php url so that the audio stream is "validated" ... without that variable being obviously accessible.

    Is my standpoint / position the wrong perspective / approach?

    You've got me thinking I should be "searching for the right view".
     
    RobinDeanDotCom, Oct 31, 2007 IP
  15. thechasboi

    #15
    RobinDeanDotCom

    Hey, you have an idea there. Why not use some sort of encryption to disguise your URL of the file? Use an encryption that could change based upon a salt. OK, what that means is there are encryptions out there like sha1, where you use a salt to encrypt the data. The use of a salt makes certain that it is really impossible to decrypt without the salt. At any rate, encrypt the file name and use the PHP file you are using to serve the mp3 to decrypt the file and figure out which one to send. You could also use a DB entry to get the location. IM me if you've got questions.
     
    thechasboi, Oct 31, 2007 IP
  16. RobinDeanDotCom

    #16
    I would IM you ... but you've gone home! LOL

    I started reading about sha1 and am already confused.

    If my client-side javascript to be "protected" reads as follows:

    s2.addVariable('file', encodeURIComponent('audio.php?source=' + track + '&bandwidth=' + bandwidth));
    Code (markup):
    How do I use sha1 and salt to stop the audio.php file from being opened in the address bar?
     
    RobinDeanDotCom, Oct 31, 2007 IP
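
Added example, not part of the thread: one way to act on the advice in posts #13 and #15 is to have index.php issue a short-lived URL signed with a server-side secret (an HMAC, the keyed construction that "sha1 with a salt" is reaching for) and have audio.php refuse any request whose signature or expiry does not check out. `SECRET`, `TTL`, the `expires` and `sig` parameters and both function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. SECRET, TTL, the parameter names
// and both function names are assumptions made for illustration.
const SECRET = 'replace-with-a-long-random-server-side-value'; // never sent to the client
const TTL = 60; // seconds a signed link stays valid

// Used by index.php while rendering the page: builds the URL given to Flash.
function sign_audio_url(string $source, string $bandwidth, int $now): string
{
    $expires = $now + TTL;
    $sig = hash_hmac('sha256', "$source|$bandwidth|$expires", SECRET);
    return 'audio.php?' . http_build_query([
        'source' => $source, 'bandwidth' => $bandwidth,
        'expires' => $expires, 'sig' => $sig,
    ]);
}

// Used at the top of audio.php: returns the file to stream, or null to refuse.
function verify_audio_request(array $get, int $now): ?string
{
    foreach (['source', 'bandwidth', 'expires', 'sig'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null;
        }
    }
    // Allow only simple names so the request cannot leave audio/.
    if (!preg_match('/^[A-Za-z0-9_-]+$/D', $get['source'])
        || !preg_match('/^[A-Za-z0-9]+$/D', $get['bandwidth'])
        || !ctype_digit($get['expires'])) {
        return null;
    }
    $data = $get['source'] . '|' . $get['bandwidth'] . '|' . $get['expires'];
    $expected = hash_hmac('sha256', $data, SECRET);
    // Constant-time signature comparison, then the expiry check.
    if (!hash_equals($expected, $get['sig']) || (int) $get['expires'] < $now) {
        return null;
    }
    return 'audio/' . $get['source'] . '_' . $get['bandwidth'] . '.mp3';
}

// Constructed demonstration: a fresh link verifies, an edited one does not.
$url = sign_audio_url('track01', 'high', time());
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_audio_request($query, time()));
$query['source'] = 'track02';
var_dump(verify_audio_request($query, time()));
```

A link copied out of the page still works until it expires, so this limits reuse of the URL rather than hiding it; binding the token to a server-side session narrows that further.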