
See type of request in php?

Hi!

I’m currently working on the safety of a page, and I would like to see, in PHP, where the request comes from. What I’ve done is to put a SWF file in a hidden position on the server. And I make the embed object for the swf link to a php file which acts as the swf object. And the php file needs a session to even contact the swf.
But I want to increase the security of it, so that they can’t really go to the php file, they have to use the page where it’s embedded.

Or if they try to download the php file directly they will just get a small file with a small text like “No you can’t do that!”. Or something..

Any ideas?

Cheers,
Artheus

PHP

16 Comments(s)

@criterion9 Jul 22.2009 — If you only send using POST in the swf instead of GET you can reject all GET requests (which would include hitting the file directly).

@artheus (author) Jul 22.2009 — Well..

What I really mean is that if the request comes from www.mydomain.com/main.php where the swfobject is embedded it will return the swf.. else it won't return anything...

So what I'm kind of thinking of is if it is possible to check, with php, if the swfobject.php is embedded in main.php and someone not trying to download it directly from www.mydomain.com/swfobject.php or another page.. If the browser sends info like that in some kind of header to the swfobject.php.

So the only way to get the right content of the swfobject.php is to go through the main.php.

It's quite hard explaining..

Cheers,

Artheus

@criterion9 Jul 22.2009 — You can use http_referer or request_uri...

http://forums.digitalpoint.com/showthread.php?t=835


http_referer is only set if a link leads them to the file though. Does the flash do a handshake to initiate the session with the php? If so you could use an encrypted string that identifies the flash. Make sure to post it to the script or firebug can nab it.

@artheus (author) Jul 22.2009 — Do you mean to send post requests with php? How'd I do that...

*I know.. newbie question*

Cheers,

Artheus

@criterion9 Jul 22.2009 — No, I mean from the swf to the php. If the swf only connects to the php using a string of characters by posting to the php as opposed to using "your_file.php?yourvar=value" then firebug doesn't actively show the value during net monitoring. Then in the php file just check for that string being posted during the handshake to initiate the session. If the string isn't present they are accessing the php directly.

@artheus (author) Jul 22.2009 — Well.. no that is not what I am speaking of at all here...

I'm talking about this
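[CODE]
<?php
// The session/login check is done in here.
require("login_check.php");

// Path to the SWF stored in a hidden location on the server.
$filename = "/etc/mypath/hiddenswf/swfobject.swf";
// Send the SWF bytes as the body of this PHP response.
header("Content-Type: application/x-shockwave-flash");
@readfile($filename);
[/CODE]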

That is the code in the swfobject.php.

So what I'm doing there is to make the content of swfobject.php to be the swf-file.

Right?

It's all about protecting my swf file..

Cheers,

Artheus

@criterion9 Jul 22.2009 — Oh ok. Make sure the session has already been started and authenticated then and don't show the swf if it hasn't. Really once the swf is downloaded to the client it can be decompiled though anyways pretty easily.

@Mindzai Jul 22.2009 — I can't see how this is going to protect your swf file. Ultimately something is going to have to be sent to the browser in a format that the flash player plugin understands, and if the plugin understands it then so can a decompiler.

@artheus (author) Jul 22.2009 — true... but it sure makes it harder to get.. right?

@criterion9 Jul 22.2009 — To make it even easier you can set a session var and check it when the file loads. If the session var hasn't been set then don't display the swf.

@artheus (author) Jul 22.2009 — Well yeah.. that has been done from the beginning.. in the login_check.php..

But thanks anyway

Cheers,

Artheus

@JunkMale Jul 22.2009 — URL Rewriting at the server should provide that level of protection. Question is, does your host use an Apache server or a server that supports URL rewriting or has the ability to provide a URL manipulation tool that will do the same as Apache rewrites?

@artheus (author) Jul 22.2009 — Yes, I've got an Apache server. It's my own, so I am free to do most of what I like with it.

Could you please tell me more about this URL Rewriting?

Cheers,

Artheus

@Mindzai Jul 22.2009 — I don't see how you can ever protect your swf file. It's the same as if it were an image being stored outside DocumentRoot and fetched/output via a php script. Ultimately it just gets sent to the client, at which point they can save it and do what they like. You can hide something behind as many layers of protection as you like, but if the end result is you just handing it over to the client anyway, what's the point?

Or maybe I've misunderstood and you want to protect the swf from public and make it available only to certain users?

@artheus (author) Jul 22.2009 — Well Mindzai... You are totally right...

The thing is that I have already secured it so only certain people can get to it.. But I just want to make it harder for them to really find this swf, so that they can decompile it.. But I guess that ultimately there's really no way around that.. not for swf files anyway..

But thank you all for the great response!

And I guess I'll look into that URL Rewriting thing

Cheers,

Artheus

@JunkMale Jul 22.2009 — @Mindzai, I think what artheus is trying to do is stop hotlinking or direct access and wants the script to deal with the delivery of the file, this will not only stop people from using that content but also force the PHP script to deliver the file contents.

@artheus, search this site for URL rewriting as well as looking under the server maintenance section. You will find plenty of examples on how it is done. You will have to check your server has the apache rewrite library installed / compiled and enabled on your server.

Start here : http://www.google.com/search?q=URL+rewrite+cheats
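
An added example, not code from any poster in this thread, combining the checks discussed above for swfobject.php: an authenticated session, a single-use token that main.php places in the embed URL, and the Referer header treated only as a weak extra signal. The function names, the `logged_in` and `swf_token` session keys and the `t` query parameter are assumptions made for illustration.

```php
<?php
// Added example. Names and session keys are illustrative assumptions.

// main.php calls this while rendering and puts the returned URL in the embed tag.
function issue_swf_url(array &$session): string
{
    $token = bin2hex(random_bytes(16));   // unpredictable, 32 hex characters
    $session['swf_token'] = $token;       // remembered server-side only
    return 'swfobject.php?t=' . $token;
}

// swfobject.php calls this to decide whether the request may receive the SWF.
function may_serve_swf(array &$session, array $server, array $query): bool
{
    // Assumed flag set at login; stands in for what login_check.php verifies.
    if (empty($session['logged_in'])) {
        return false;
    }
    $expected = $session['swf_token'] ?? '';
    $given    = $query['t'] ?? '';
    unset($session['swf_token']);         // single use: a replayed URL fails
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return false;                     // direct hit without a fresh token
    }
    // Referer is sent by the client and may be absent or forged, so it can
    // only reject obvious hotlinks; it never grants access on its own.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer !== '' && parse_url($referer, PHP_URL_HOST) !== 'www.mydomain.com') {
        return false;
    }
    return true;
}

// Body of swfobject.php.
session_start();
if (!may_serve_swf($_SESSION, $_SERVER, $_GET)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("No you can't do that!");
}
header('Content-Type: application/x-shockwave-flash');
header('Cache-Control: no-store');        // each page view needs a new token
readfile('/etc/mypath/hiddenswf/swfobject.swf');
```

As the replies point out, this only narrows who can request the file: a logged-in user who receives the SWF can still save and decompile it.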