Page 2 of 4

Posted: Fri Jun 29, 2007 9:00 pm
by feyd
It's safe from direct access via HTTP requests. That doesn't mean they are completely safe however. Your scripts provide access therefore they need to be secured, your other scripts need a security audit too to determine if they accidentally give access to the files. The last hurdle is server level access. On some shared hosts, scripts are able to access the files of other users.

Posted: Fri Jun 29, 2007 9:02 pm
by JellyFish
Wait! I can't access it nor anyone else including my server!

How can I allow my own domain to access the files?! I need the directory and all it's content/media secure, but I still would like the capability to view the media via my web player, only.

Does that make sense?

Posted: Fri Jun 29, 2007 9:04 pm
by feyd
Unless you're using remote requests in PHP, it still has access to the files as it is ignored by Apache.

Posted: Fri Jun 29, 2007 9:06 pm
by JellyFish
feyd wrote:Unless you're using remote requests in PHP, it still has access to the files as it is ignored by Apache.
I don't understand. What is remote requests an PHP?

Posted: Fri Jun 29, 2007 9:08 pm
by feyd
Example:

Code: Select all

file_get_contents('http://localhost/somepath/somefile.ext');

Posted: Fri Jun 29, 2007 9:16 pm
by JellyFish
What I'm trying to do is restrict all access to videos in a directory. But I still would like my flash player on my domain to access them. How can I do this? Am I on the right track when it comes to .htaccess?

Posted: Fri Jun 29, 2007 9:18 pm
by feyd
You can set an Allow rule, and specify in what order they are to be evaluated.

Posted: Fri Jun 29, 2007 9:32 pm
by JellyFish
Well, I changed my .htaccess file to:

Code: Select all

Deny from all
Allow from mydomain.com
This still doesn't appear to allow me access through a swf video player. Is the video player considered mydomain.com or is it considered the clients domain/IP?

Posted: Fri Jun 29, 2007 9:39 pm
by Ambush Commander
That's because the flash video player is being downloaded by the user, and then accesses the files: it's now from their computer, not yours.

As Feyd stated earlier, you'll need to use PHP to pass the files through.

Posted: Fri Jun 29, 2007 9:53 pm
by JellyFish
I see. How would I do this then? How do I access the file with a video player?

Posted: Fri Jun 29, 2007 9:55 pm
by Ambush Commander
Have the video player call a PHP file as it were a video. The PHP file will check authentication and then stream the video to the player (using readfile or a chunked fread) if everything is hunky-dory.

Posted: Fri Jun 29, 2007 9:59 pm
by JellyFish
Ohhhhhh. Okay, I'll try it and see my results.

Posted: Fri Jun 29, 2007 10:00 pm
by Ambush Commander
Make sure you set the proper headers.

Posted: Fri Jun 29, 2007 10:16 pm
by JellyFish
Ambush Commander wrote:Make sure you set the proper headers.
Yeah that was the first thing that came to mind.

So how would I output the stream provided by fopen, or is this the wrong approach?

Posted: Fri Jun 29, 2007 11:00 pm
by JellyFish
Wait a minute, I don't think I'm doing this right:

Code: Select all

header("Content-type: video/x-flv");
               
$stream = fopen("http://mysite.com/chart-room/videos/".$_GET['filename'], "r");
               
echo fgets($stream);