Will an HTML embed count as a referrer?

Anon

Hey everyone! I've created a PHP script which spits out the contents of a SWF file (in an attempt to protect my SWF since there's no proper code protection for SWF yet - yes I know there are workarounds, but just bear with me for the moment). So instead of embedding the SWF I embed the PHP in my HTML document. Here's a snip of the embed code:

<param name=movie value="v1.php">
...
<embed src="v1.php" ...

Now, I'm wondering whether this call from the HTML file will make the HTML file count as a referrer, because I'm looking for a way to stop the user running v1.php directly via their browser. I want it to only run when embedded via my HTML doc if possible.

Any help greatly appreciated.

Cheers

Jesse

Anon

Check out the $HTTP_REFERER variable... you can find out plenty about it at
http://www.php.net/manual/en/language.variables.predefined.php
I'm not sure if that will work on an embed... but its worth a shot. Hope that helps!

Anon

Ok I'll check it, many thanks. Also, if it turns out that I can't do it the way I hoped, can anyone provide suggestions as to how I might limit execution of my PHP file to instances where it's called via the other file?
I thought about calling the file with a variable, but of course that wont work because the variable will appear in the embed line and people will be able to replicate passing it manually...

Anon

I use $HTTP_REFERER myself for this (I have a page that has different behavious depending on which page refers to it - long story!). If someone tries and asks for vh1.php directly, $HTTP_REFERER would be empty; otherwise it contains the URL of the referring page.

As far as protection goes it's not perfect; someone who figures out that the referrer information is being checked and has a wee bit of HTTP nouse could forge an HTTP_REFERER header. And if they're using a Netscape or Mozilla browser they could just fish the .swf out of the browser cache!

But of course no protection is perfect in the long run - if the user is to see it at all it has to get on their machine in a playable form at some point. It's just a matter of how far you're prepared to go.

Anon

Thanks Hayley, I've found that the EMBED tag doesn't count as a referrer unfortunately. There are a few variables which are different depending on whether or not it's embedded but they're also different from system to system, like the user language and stuff, so they're no good to me.
I think I've figured out a new way to do it though. Interestingly enough, when I use the various anti-cache properties of the header() function they all work in NetScape but not in IE. There's a turnaround for the books for you!