Video files outside the web root?

[Mikalee]

Hi, as a follow up to this topic, I was wondering if anyone knows of a way to embed video files on a site while keeping the actual video files outside the web (public_html) directory?

I've seen an example of this for images, but I didn't even get that working...and I doubt that would work for video's anyway (or I'd keep working at it).

Thanks very much in advance,
Mike

[jason]

Video files would work the same way. Basically, what that script is doing is using readfile() to open the file and send it, byte for byte, down to the user--esentially what Apache does anyway. If you want to protect holinking of anything, it's probably more efficient to do it via mod_rewrite (there is a one-click solution for images, I believe, in cPanel and it wouldn't be difficult to modify for video as well).

--Jason

[Mikalee]

Video files would work the same way. Basically, what that script is doing is using readfile() to open the file and send it, byte for byte, down to the user--esentially what Apache does anyway. If you want to protect holinking of anything, it's probably more efficient to do it via mod_rewrite (there is a one-click solution for images, I believe, in cPanel and it wouldn't be difficult to modify for video as well).

--Jason

Thanks Jason, I guess I can try that script again (I had trouble making it work with images...could've been because it was embedded in a CMS).

The reason I'm trying to avoid using mod_rewrite is because of the fact that the REFERRER is not always available, as some firewalls or browsers may block it, so it's possible that the content wouldn't show even for valid requests. But if I can store the files outside the web root, then I'd know for sure only my php script could access it and not the outside world. And, since the link to that php script would always be behind locked doors as well, no one would be able to use that method outside the site either.

(I realize that script also checks the REFERRER and validates, but I wouldn't mind enabling the files without the referrer IF they are already protected by being outside the web root and behind locked doors, sort of speak).

[jason]

The files won't be protected if the script can access them. Basically what's going on here is the script is take the place of the mod_rewrite rule to control access. Instead of accessing the images with a direct linke like

Code:

<img src="images/mypic.jpg" />

you'll have a script in your public_html that will retrieve the image from elsewhere:

Code:

<img src="getpic.php?file=mypic.jpg" />

The image, therefore, would still be accessible via a URL, and wouldn't be any safer than if it was inside public_html. In fact, this method could be unsafe if the script isn't well written (and I haven't gone through the code line-by-line to check). When you let Apache handle retrieving the image you can be about 99.99% sure that it won't retrieve anything from where its not supposed to (outside of public_html). If the script you use doesn't lock you into a specific directory (because of design or bug) then someone could use that script to get other files:

Code:

http://www.yoursite.com/getpic.php?file=/etc/passwd
http://www.yoursite.com/getpic.php?file=/home/yoursite/mail/you/inbox

Referrer checking is really the only way to block access. It is up to you to make the call on whether to block or show images if no referer is provided.

--Jason