Preventing Flash files from being downloaded
2011-11-14 17:43
Protect Flash files from being downloaded with this technique. It is not fool-proof, but it takes a completely different approach from other tactics to stopping the average user from getting at your SWF files.
Protect Flash Files from Being Downloaded
Thanks to Graham Ellis for the awesome time he donated to help me understand some of the finer points of PHP. He is a true PHP genius!
Protecting Flash files: the example
Try your hand at downloading the Flash .swf movie in this example.
.htaccess
Create a file called .htaccess in the root folder on your server if you don't already have one, and insert the following line into it:
AddHandler application/x-httpd-php .swf
Modifying your htaccess file by adding this line will not affect other Flash files on your website.
The HTML
You need to add two things to the page that the Flash movie will play on; first, add lines 1-3 to the very top of your page. And second, add lines 9-11 to your page directly above the object tag. Lastly, change the extension of the page to .php so your server will know to parse the language instead of writing it to the page.
1. <?php
2. session_start();
3. ?>
4. <html>
5. <head>
6. <title>Flash</title>
7. </head>
8. <body>
9. <?php
10. $_SESSION["flash"] = $_SERVER["HTTP_HOST"];
11. ?>
12. <object width="550" height="400">
13. <param name="movie" value="flash.swf">
14. <embed src="flash.swf" width="550" height="400"></embed>
15. </object>
16. </body>
17. </html>
The PHP
Here's where the real muscle comes in. While the HTML calls for flash.swf, it won't technically be a Flash file; it'll be a PHP file. Create a new file on your computer called flash.txt, open it up to edit, and insert the following code into it. Upload the file to your server and change the extension from txt to swf. This is the file that your HTML will link to instead of the real Flash movie.
1. <?php
2. session_start();
3.
4. if(isset($_SESSION["flash"])) { // set by the HTML page
5.     $referrer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ""; // header may be absent
6.     $referrer = parse_url($referrer);
7.     if(!isset($referrer["host"]) || $referrer["host"] != $_SESSION["flash"]) {
8.         echo "Permission denied.";
9.         exit();
10.     }
11. } else {
12.     echo "Permission denied.";
13.     exit();
14. }
15.
16. unset($_SESSION["flash"]); // one request per page view
17.
18. header("Cache-Control: no-cache, must-revalidate");
19. header("Expires: Mon, 18 Jan 2010 00:00:00 GMT"); // Don't change.
20. header("Content-type: application/x-shockwave-flash");
21. readfile("/home/www/private/real_movie.swf");
22.
23. ?>
The only change you need to make to this file is on line 21. Replace /home/www/private/flash.swf with the full server path to the Flash movie you want to play. If you don't know your full server path, you can find it by creating this PHP file and viewing it in your browser:
<?php
echo $_SERVER["DOCUMENT_ROOT"];
?>
The ideal spot to put the real .swf file would be a place on your server where browsers can't go, such as a password-protected directory or a private folder outside of the document root.
How does this protect my Flash files from being downloaded?
The first thing that happens is the HTML page creates a session (sessions are kind of like cookies) and then it opens the PHP script as if it were a genuine Flash file. The session contains the domain of the site, and a quick check is performed to see if the domain requesting the flash file is the same as the domain where the flash file is located. If it doesn't match or the session was never created, the page simply reads, Permission Denied.
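A variant of the session check described above, added here as an example and not part of the original article: instead of comparing the Referer header, which is supplied by the client, the page issues a random single-use token that the gate script must receive back within a short time. The function names, the swf_token session key and the 30-second lifetime are assumptions, and $session stands in for $_SESSION so the file runs from the command line.

```php
<?php
// Added example, not the original author's code. The function names, the
// "swf_token" session key and the 30-second lifetime are assumptions.
const TOKEN_TTL = 30; // seconds a page view has to fetch the movie

// Called by the HTML page in place of $_SESSION["flash"] = HTTP_HOST.
// The returned token goes into the movie URL, e.g. flash.swf?t=<token>.
function issue_movie_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    // Keep only a hash of the token server-side, plus its expiry time.
    $session["swf_token"] = ["hash" => hash("sha256", $token), "exp" => $now + TOKEN_TTL];
    return $token;
}

// Called by the gate script before readfile(), with $_GET["t"] as $presented.
function redeem_movie_token(array &$session, $presented, int $now): bool
{
    $entry = $session["swf_token"] ?? null;
    unset($session["swf_token"]);          // single use, even when the check fails
    if (!is_array($entry) || !is_string($presented)) {
        return false;                      // no page view, or a malformed parameter
    }
    if ($now > $entry["exp"]) {
        return false;                      // the page was loaded too long ago
    }
    // Constant-time comparison of the stored hash and the presented token's hash.
    return hash_equals($entry["hash"], hash("sha256", $presented));
}

// Constructed walk-through; timestamps are made-up values.
$session = [];
$t = issue_movie_token($session, 1000);
var_dump(redeem_movie_token($session, $t, 1010));      // fetch right after the page view
var_dump(redeem_movie_token($session, $t, 1011));      // same token presented again
$t = issue_movie_token($session, 2000);
var_dump(redeem_movie_token($session, $t, 2031));      // presented after the lifetime
$t = issue_movie_token($session, 3000);
var_dump(redeem_movie_token($session, "guess", 3001)); // value that was never issued
```

Like the original, this only establishes that the request follows a real page view; it does not stop a visitor from keeping a file their browser has already received.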
Update: 8 August, 2007
A couple of ways to get around this preventative measure have been brought to my attention, so consider this method a way to slow down experienced hackers. Personally, if I ran into this being used on a Flash file that I wanted to download, I would shrug my shoulders and give up.
Update 2: 18 January, 2010
I've been looking into making use of HTTP headers to improve the performance of my site, and I realised a couple of them might be useful for this example. I added a no-cache header and an expire header that's in the past. This might prevent people from being able to download a Flash file from their cache, but I haven't done any testing. Contact me if you have any ideas or info about this.
Terms and Conditions
By using this information, you consent to the following:
In no event shall I be held liable for any damages whatsoever (including, without limitation, incidental and consequential damages, lost profits, or damages resulting from lost business) resulting from the use or inability to use the material on this website.