Prevent Direct Access to PHP file?

Discussion in 'PHP' started by Barry Scott, Mar 18, 2009.

0
  1. #1
    Hi

    I have a video player on my site and host all my videos off the public directory and call them with a php script. I only wish for the videos to be playable by members, and as things stand, anyone can view the source and see the url of the video script and therefore link to those videos without much effort.

    It's using an FLV player and the videos won't play if i include a standard Joomla registered message (yes this is within Joomla!)

    
defined( '_JEXEC' ) or die( 'Access to this directory is not permitted' );
    Code (markup):
    I have also added a htaccess to the folder to prevent direct access, however this has had zero effect and i can still directly access them by putting the url of the php file and variable in the address bar.

    Are there any ways in which i can check that the file is being played from my site so as to prevent someone viewing the source and stealing the videos by accessing the php file directly please?

    The file accessed within the player as so, mydomain.com/folder/player.php?video=video.flv So as you can see it needs to accept variables to know what video to play.

    Thanks :)
     
    Barry Scott, Mar 18, 2009 IP
  2. SmallPotatoes

    SmallPotatoes Peon

    Messages:
    1,321
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    0
    #2
    You can have player.php check to make sure that a valid login session exists, and if not, refuse to send the content of video.flv. How specifically you do this depends on how your login system works. But in principle it's no big deal.
     
    SmallPotatoes, Mar 18, 2009 IP
  3. Barry Scott

    Barry Scott Active Member

    Messages:
    183
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    60
    #3
    It's Joomla, which is still pretty new to me. I've tried various little checks, but most seem to cause the flv file to not be playable. I presume it's because it's being called through javascript.

    I'm going to post within apache about this as well, because it seems htaccess might provide a simpler work around because even if i check the headers, we all know that can be faked without too much trouble. :)
     
    Barry Scott, Mar 18, 2009 IP
  4. SmallPotatoes

    SmallPotatoes Peon

    Messages:
    1,321
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Apache has no way of knowing whether someone is logged in; only PHP can tell you that.

    Unfortunately I don't know anything about Joomla so aside from broad theoretical strokes you're on your own...
     
    SmallPotatoes, Mar 18, 2009 IP
  5. djdeth

    djdeth Peon

    Messages:
    24
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    You would have to turn that into a module so that it can use the Joomla PHP functions to check if you are logged in.
     
    djdeth, Mar 18, 2009 IP
  6. Stylesofts

    Stylesofts Peon

    Messages:
    64
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #6
    Hello,

    We also have no idea on JOOMLA..but if we were you we would be looking in the JOOMLA forum mate..
    There should be a way to check the session variables in the JOOMLA

    anyways we surfed in google and found this..hope it helps to you..if it doesnot help then refer to the JOOMLA support guys
    :):)

    http://forum.joomla.org/viewtopic.php?f=127&t=302061


    Regards

    Stylesofts Developing Team
     
    Stylesofts, Mar 19, 2009 IP