防止flash文件被下载

Protect Flash files from being downloaded with this
technique. It is not fool-proof, but this takes a completely different approach
to stopping the average user trying to get at your SWF files than
other tactics.

Protect Flash
Files from Being Downloaded

Thanks to Graham Ellis for the
awesome time he donated to help me understand some of the finer points of PHP.
He is a true PHP genius!

Protecting Flash
files: the example

Try your hand at downloading the Flash .swf movie in this example.

.htaccess

Create a file called .htaccess in the root folder on your server if you don't
already have one, and insert the following line to it:

1. AddHandler application/x-httpd-php .swf

Modifying your htaccess file by
adding this line will not affect other Flash files on your website.

The HTML

You need to add two things to the page that the Flash
movie will play on; first, add lines 1-3 to the very top of your page. And
second, add lines 9-11 to your page directly above the object tag. Lastly,
change the extension of the page to .php so your
server will know to parse the language instead of writing it to the page.

1. <?php

2. session_start();

3. ?>

4. <html>

5. <head>

6. <title>Flash</title>

7. </head>

8. <body>

9. <?php

10. $_SESSION["flash"] =
$_SERVER["HTTP_HOST"];

11. ?>

12. <object
width="550" height="400">

13. <param name="movie"
value="flash.swf">

14. <embed
src="flash.swf" width="550"
height="400"></embed>

15. </object>

16. </body>

17. </html>

The PHP

Here's where the real muscle comes in. While the HTML
calls for flash.swf, it won't technically be a Flash file; it'll be a PHP file.
Create a new file on your computer called flash.txt,
open it up to edit, and insert the following code into it. Upload the file to
your server and change the extension from txt to swf.
This is the file that your HTML will link to instead of the real
Flash movie.

1. <?php

2. session_start();

3.

4. if(isset($_SESSION["flash"]))
{

5. $referrer =
$_SERVER["HTTP_REFERER"];

6. $referrer = parse_url($referrer);

7. if($referrer["host"]
!= $_SESSION["flash"]) {

8. echo
"Permission denied.";

9. exit();

10. }

11. } else {

12. echo
"Permission denied.";

13. exit();

14. }

15.

16. unset($_SESSION["flash"]);

17.

18. header("Cache-Control: no-cache,
must-revalidate");

19. header("Expires: Mon, 18 Jan 2010 00:00:00
GMT"); // Don't change.

20. header("Content-type:
application/x-shockwave-flash");

21. readfile("/home/www/private/real_movie.swf");

22.

23. ?>

The only change you need to make to this file is on line
21. Replace/home/www/private/flash.swf with the
full server path to the Flash movie you want to play. If you don't know your
full server path, you can find it by creating this PHP file and viewing it in
your browser:

1. <?php

2. echo $_SERVER["DOCUMENT_ROOT"];

3. ?>

The ideal spot to put the real .swf
file would be a place on your server where browsers can't go such as a password
protected directory or in a private folder outside of the document root.

How does this
protect my Flash files from being downloaded?

The first thing that happens is the HTML page creates a
session (sessions are kind of like cookies) and then it opens the PHP script as
if it were a genuine Flash file. The session contains the domain of the site,
and a quick check is performed to see if the domain requesting the flash file
is the same as the domain where the flash file is located. If it doesn't match
or the session was never created, the page simply reads, Permission Denied.

Update: 8
August, 2007

A couple of ways to get around this preventative measure
have been brought to my attention, so consider this method a way to slow down
experienced hackers. Personally, if I ran into this being used on a Flash file
that I wanted to download, I would shrug my shoulders and give up.

Update 2: 18
January, 2010

I've been looking into making use of HTTP headers to
improve the performance of my site, and I realised a
couple of them might be useful for this example. I added a no-cache header and
an expire header that's in the past. This might prevent people from being able
to download a Flash file from their cache, but I haven't done any testing.

Contact me if you have any ideas or info about this.

Terms and
Conditions

By using this information, you consent to the following:

In no event shall I be held liable for any damages
whatsoever (including, without limitation, incidental and consequential
damages, lost profits, or damages resulting from lost business) resulting from
the use or inability to use the material on this website.