I just started a YouTube clone, and all is well, but I'm trying to allow users to embed without seeing the full path to my FLV file or the parameters being passed. I noticed YouTube doesn't use the .flv, and that's what makes me think it's a mod_rewrite, but I've never seen mod_rewrite do something like that. Does anyone have any suggestions?

Here's what I'm aiming for:

<object width="432" height="351"><param name="movie" value="http://www.mysite.com/v/ZFMBIGAWa4e5cb83845429"></param><param name="wmode" value="transparent"></param><embed src="http://www.mysite.com/v/ZFMBIGAWa4e5cb83845429" type="application/x-shockwave-flash" wmode="transparent" width="432" height="351"></embed></object>

Here is what I have right now:

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8"
width="450" height="367"
id="theMediaPlayer">
<param name=movie value="http://mysite.com/stream/flvplayer.swf">
<param name=quality value="high">
<param name=bgcolor value="#FFFFFF">
<param name=allowFullScreen value="false">
<param name=swLiveConnect value="true">
<param name="FlashVars" value="file=http://mysite.com/stream/uploads/CN5gnf3nIXaflddSGQwG.flv&width=450&height=367&displaywidth=450&displayheight=347&overstretch=true&autostart=true&showfsbutton=false&logo=http://mysite.com/stream/image_s/playerlogo.png&link=http://mysite.com/stream&linktarget=_blank&backcolor=0xFFFFFF">
<embed type="application/x-shockwave-flash" 
pluginspage="http://www.macromedia.com/go/getflashplayer" 
width="450" height="367" bgcolor="#FFFFFF" 
name="theMediaPlayer"
src="http://mysite.com/stream/flvplayer.swf"
flashvars="file=http://mysite.com/stream/uploads/CN5gnf3nIXaflddSGQwG.flv&width=450&height=367&displaywidth=450&displayheight=347&overstretch=true&autostart=true&showfsbutton=false&logo=http://mysite.com/stream/image_s/playerlogo.png&link=http://mysite.com/stream&linktarget=_blank&backcolor=0xFFFFFF">
</embed>
</object>

    The best way to do what YouTube is doing would be with mod_rewrite. (And yes, YouTube is either using mod_rewrite or something exactly like it.) But before you build that, you have to ask yourself what you are hoping to achieve.

    For example, let's say that you use mod_rewrite to convert this:

    http://www.mysite.com/v/ZFMBIGAWa4e5cb83845429

    to this:

    http://www.mysite.com/secret/location/ZFMBIGAWa4e5cb83845429.flv

    It's true that nobody will know that you're really storing the FLVs in a directory called /secret/location/... but so what? They can still access the FLVs directly with the original URL:

    http://www.mysite.com/v/ZFMBIGAWa4e5cb83845429

    mod_rewrite is great for lots of things but hiding content isn't one of them because, by definition, it's a pointer to the actual content!

    Sure, it makes nice short URLs. And if that's what you want, then fine. But mod_rewrite isn't adding any security.

    The best way to approach security is to identify a specific attack vector and then develop a way to prevent that attack. For example, finish this sentence: "I am worried that someone will (insert detailed attack technique here) and I want to prevent that."
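
The mapping described in the reply above, written as an Apache 2.4 virtual-host fragment. This is an added example, not configuration posted in the thread; the ID character class is an assumption based on the sample URL.

```apache
# Added example (not from the thread). Goes inside the <VirtualHost> for www.mysite.com.
RewriteEngine On

# Internal rewrite: /v/<id> is answered with /secret/location/<id>.flv.
# Assumption: IDs are ASCII letters and digits only, as in the sample URL.
# No [R] flag, so no redirect is sent and the client never sees the target path.
# [PT] hands the result back to URL mapping; [L] stops further rewrite rules.
RewriteRule "^/v/([A-Za-z0-9]+)$" "/secret/location/$1.flv" [PT,L]

# What this does not do: nothing above looks at who is asking. There is no
# Require directive, session check or token involved, so any client that has
# the /v/<id> URL from an embed tag receives the full FLV.
#
# To confirm the rewrite is internal, request the short URL on your own server:
#   curl -sI http://www.mysite.com/v/ZFMBIGAWa4e5cb83845429
# The response should be a 200 with no Location header.
#
# While testing, per-request rewrite decisions can be written to the error log:
# LogLevel warn rewrite:trace2
```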
