Hiding the source of an embedded video

j3ph

After pilfering many .mov's by just viewing the source of an HTML file. I decided to try and find a way to "hide" the source of the .mov file. This is what I've got so far:

<html>
<head>
<style type="text/css">
div.mov {
margin: auto;
}
</style>
</head>
<body>
<div class="mov">
<object width="435" height="248"
 classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
 codebase="http://www.apple.com/qtactivex/qtplugin.cab">
 <param name="src" value="file.php">
 <param name="controller" value="true">
 <param name="autoplay" value="false">
 <embed src="file.php" width="435" height="248"  

   autoplay="false" controller="true"
   pluginspage="http://www.apple.com/quicktime/download/">
 </embed>
</object>
</div>
</body>
</html>

All the above HTML is doing is referencing a php file instead of a .mov file. Nothing too spectacular there.

In file.php:

<?php
if (eregi('file.php', $_SERVER['PHP_SELF'])) {
    header("HTTP/1.0 404 Not Found");
    exit;
}else{
    $qturl = "testing_movie.mov";
    header('Content-type: video/quicktime');
    @readfile($qturl);
    exit;    

}
?>

Everything worked fine until I threw in the eregi statement. I wanted to make sure that if anyone WAS trying to steal my movies by hitting the source direclty, that they received a 404 error.

The 404 portion works just fine, but now when I view the HTML from above, I get nothing.

Any Ideas?

ozzythaman

theres no point in using the eregi function there... it will always be true in your case, and it will always show a 404.

you may want to check out the http_referer global variable that tells what page the viewer came from to the current page, and it's blank if the url was typed in manually.

this variable can be faked though, like many things in http, but if your just trying to stop normal people with normal browsers following a bad man's link, then this is your solution.

if (stristr($_SERVER['HTTP_REFERER']), "yoursite.com"){

//guy came from your site

$qturl = "testing_movie.mov"; 
header('Content-type: video/quicktime'); 
@readfile($qturl);

}

j3ph

Thanks for the HTTP_REFERER tip, it works like a charm. Now I'm running into a problem with IE (no surprise there). When I play the movie in my HTML file through IE , it breaks. I get the quicktime logo with a question mark. Can this be something with the header I'm passing?

<?php
if (stristr($_SERVER['HTTP_REFERER'], 'mydomain.com')){
$qturl = "testing_movie.mov";
header('Content-type: video/quicktime');
@readfile($qturl);
exit;

}else{
header("HTTP/1.0 404 Not Found");
exit;
}
?>

ozzythaman

use or find or write a program that outputs the raw headers from a working site and see what it outputs different from your site

or modify this:

$fp = fsockopen("www.example.com", 80, $errno, $errstr, 30);
if (!$fp) {
echo "$errstr ($errno)<br />\n";
} else {
$out = "GET / HTTP/1.1\r\n";
$out .= "Host: www.example.com\r\n";
$out .= "Connection: Close\r\n\r\n";

fwrite($fp, $out);
while (!feof($fp)) {
    echo fgets($fp, 128);
}
fclose($fp);

}

the first you'll get will be the headers that are normally just used by the browser and invisible to the enduser.