Create PHP File to Hide FLV Location When Played through Flash Player?

I have a flash player that plays FLV videos and I know that just about every plugin and video grabber can see where the file is coming from, with the exact location.

This has made hotlinking troublesome, let along the downloading of the videos. Is there a way to create a PHP file that loads the file while hiding it’s exact location or address?

I need something such as this.

Thanks
Ryan

Yes, have your PHP file send the appropriate content-type header then readfile() on the FLV file path and it’ll output the contents of the file.

That doesn’t prevent someone from instead grabbing the location of this PHP proxy script. You’ll have to add some extra code there that prevents requests you don’t want to serve. For example, set a token in the user session on the page with the player, and check for that token in your PHP file.

Nothing can actually prevent someone from downloading the video, though. You’ve gotta send them the bits one way or another for them to see the video, so they can capture that data.

Thanks. I’m kind of working with something simple at the moment for testing purposes, let you know how it goes.


<?

$file = "http://www.site.com/location.flv";
$content_len=@filesize($file);
header("Content-Description: File Transfer");
header("Content-type: video/x-flv");
header("Accept-Ranges: bytes");
header("Content-Disposition: attachment; filename=\\"yourtrailer.flv\\"");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
if($content_len!=FALSE)
{
Header("Content-length: $content_len");
}
readfile("http://www.site.com/location.flv");



?>

Seems to work in Firefox, but the other browsers can’t open a video. Bug testing now.

Ryan

Okay, here is what I got.

streamflv.php?id=racewitchtrailer.flv


<?
//Give actual path here
//if(isset($_GET['file'])){
   // $file = $_GET['file'];
//}
//$file = "";
$file = $_GET['fl'];
$file_real = $file;
//if (file_exists($file)){
            // Get extension of requested file
            $extension = strtolower(substr(strrchr($file, "."), 1));
            // Determine correct MIME type

            switch($extension){
                case "flv": $type = "flv-application/octet-stream"; break;
                case "mp4": $type = "video/mp4"; break;
                default: $type = "application/force-download"; break;
            }
// Fix IE bug [0]
$header_file = (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) ? preg_replace('/\\./', '%2e', $file, substr_count($file, '.') - 1) : $file;
// Prepare headers
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public", false);
header("Content-Description: File Transfer");
header("Content-Type: " . $type);
header("Accept-Ranges: bytes");
header("Content-Disposition: attachment; filename=\\"trailerdl.flv\\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file_real));
// Send file for download
if ($stream = fopen($file_real, 'rb')){
while(!feof($stream) && connection_status() == 0){
//reset time limit for big files
set_time_limit(0);
print(fread($stream,1024*8));
flush();
}
fclose($stream);
}
?>

It works, streams and all that. But I’ve tested it against some videograbbers and they still see the url to this file, and they show the entire url, like:

http://www.mysite.com/streamflv.php?id=racewitchtrailer.flv

So people could just hotlink this link now. How do I prevent that?

Ryan

See my original response, I told you this alone didn’t solve anything.

Thanks Dan,

I have two ideas:

  1. A timestamp in the url
  2. Have the player set a cookie

We’ll see.

Thanks
Ryan

Your script is insecure and a real risk to your hosting being compromised

e.g You could likely pass ./etc/passwd to the script and download that (or any other file) on the server. Never pass through unauthenticated input to fread!

Ok. While I don’t show it above, I do have some php coding now that changes up the url to the file to be read, so a person just can’t add a link to a given file and have that be read.

It confirms that a (hidden) directory must exist.

As long as I verify that the link/file is our own, the fread should be fine, right?

Ryan