limiting access to local server files?

without password?

         

4string

5:54 pm on Aug 4, 2005 (gmt 0)

10+ Year Member



I have a php script and I want to allow it to only be accessed by another file (.swf) on the same server. How do I set that up where a password is not required from the accessing file? Is that possible?

jatar_k

10:19 pm on Aug 4, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



from a filesystem perspective does it even need it?
have you tested to see if it denies you?
if it does deny you what happens?

4string

11:27 pm on Aug 4, 2005 (gmt 0)

10+ Year Member



Thanks for replying, jatar.

I'm pulling data from a php/mysql query into my flash doc. But, I don't want anyone to potentially have access directly to the script and its raw output.

I can't restrict it to a particular referrer because it sends an empty referrer header from the page on which the .swf resides. If I use a password, it brings up a dialog for user/password when flash asks for it.

It seems like there should be a way to only allow my flash file to access the php script. I tried locating the script above public_html, but that didn't work either.

chrisjoha

6:18 am on Aug 5, 2005 (gmt 0)

10+ Year Member



If you don't succeed in making it work you could always make sure that the php-file does not have any raw output - i.e. that it has no print or echo statements outside classes/functions. That way bringing it up in a browser will only display a blank page.

Another thing I think is possible is to rename the php file to something else - phpm for instance. I think you can set up Apache to deny direct listing of certain file types. You would then deny direct access to .phpm files. However I'm not sure what this does to your swf. I know that it works for including files from php.

tehtreag

6:29 pm on Aug 5, 2005 (gmt 0)

10+ Year Member



Are you talking about only having your php script execute when invoked from the SWF?

The referer can be spoofed.

You can check the referer tag in php, and if it's not what you want return an error page (or something).

Alternatively, you could handle it with mod_rewrite. I use the following to limit access to images, and mp3's on my server. If the referer is not from mydomain.com the user is redirected to nohotlink.php, which shows the image wrapped in an iframe including messages about which domain the image originally came from.


RewriteEngine On
RewriteCond %{REQUEST_FILENAME} \.(jpg|gif|png|swf|mp3)$ [NC]
RewriteCond %{HTTP_REFERER} ^http(s)?
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !http(s)?://(www\.)?mydomain\.com [NC]
RewriteRule .+\..{3}$ /nohotlink.php [L]

YMMV.

-teh

tehtreag

6:56 pm on Aug 5, 2005 (gmt 0)

10+ Year Member



Uh, this doesn't work for me at the moment. I'll get with the other admins, and see who changed it...

The rewrite rule doesn't look correct. Post a fix in a bit. Sorry for the confusion, and these forums have no way to edit (right?).

jd01

7:55 pm on Aug 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I serve some of my sites this way for added security...

If you can use a relative include path in your php file, you can deny all access, because the requested file is not treated as a new request to the server, and so you will be able to include the file, but a request to open the file will be forbidden. An example would probably be better:

php file:
include "yourswfinclude.php"; or
include "yourinclude.swf";

Apache:
RewriteEngine ON
RewriteCond %{REQUEST_URI} yourfile\.swf
RewriteRule \.swf - [F]

If you are using mod_rewrite to serve your pages as static html, you can actually safely block all access to php file extensions for an original request at the server level - makes it very tough for someone to try to get in.

Justin

4string

10:21 pm on Aug 8, 2005 (gmt 0)

10+ Year Member



I appreciate all the advice. Sorry I disappeared. I went on a coding marathon!

Some of these methods I can't do. I'm still on shared hosting.

I've tried writing a condition, but it won't work. Either all are denied or no one is denied.

I don't think I get the syntax. Shouldn't something like this work inside the directory containing my php scripts?...

RewriteEngine On
RewriteCond %{REQUEST_URI} !myflash\.swf
RewriteRule ^.*$ [F]

jdMorgan

1:14 am on Aug 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Your code is missing the "-" token before [F] -- See jd01's code above.

Jim

4string

2:19 pm on Aug 10, 2005 (gmt 0)

10+ Year Member



It still didn't work. I don't know why I can't ever get this .htaccess stuff. I've tried every suggestion and every permutation I can find or think up. I've tried using <Location> and <LocationMatch>, too. I may as well be writing the names of Looney Tunes characters in there! Ack! It just seems like this would be a more or less simple and common use of .htaccess.

Thank you all for trying to help!

jdMorgan

3:03 pm on Aug 10, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My post was meant to address only your code's syntax.

I don't believe you can accomplish what you need using .htaccess, for several reasons:

  • The HTTP_REFERER header can be spoofed, or blocked by proxy caches, such as those used by AOL, or by users (using Norton Internet Security, for example.)

  • .htaccess cannot restrict internal server file requests; it only affects HTTP requests, which is why its name starts with "ht".

  • Most media players do not provide a referer header with their requests, meaning you will see a blank referer, and not the swf file referer you expect.

Jim
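
The referer check discussed in this thread, run against constructed requests, as an added example that is not part of any post. `ALLOWED_HOST`, the function name `referer_allowed` and all sample requests are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The host name and the sample
// requests below are constructed for illustration.

const ALLOWED_HOST = 'www.mydomain.com'; // assumed site host

/**
 * Referer check of the kind suggested in the thread: allow the request only
 * when the Referer header names a page on our own host.
 */
function referer_allowed(array $server, bool $allowBlank): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // Media players, proxies and privacy tools often send no Referer.
        return $allowBlank;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, ALLOWED_HOST) === 0;
}

// Constructed requests. Every header value is chosen by the client.
$requests = [
    'page on own site, browser sends Referer' => ['HTTP_REFERER' => 'http://www.mydomain.com/player.html'],
    'SWF request, no Referer header'          => [],
    'direct request, blank Referer'           => ['HTTP_REFERER' => ''],
    'direct request, Referer set by client'   => ['HTTP_REFERER' => 'http://www.mydomain.com/player.html'],
    'other site embedding the URL'            => ['HTTP_REFERER' => 'http://other.example/page.html'],
];

// Run the same requests with blank referers denied, then allowed.
foreach ([false, true] as $allowBlank) {
    printf("allowBlank=%s\n", $allowBlank ? 'true' : 'false');
    foreach ($requests as $label => $server) {
        $verdict = referer_allowed($server, $allowBlank) ? 'ALLOW' : 'DENY';
        printf("  %-42s %s\n", $label, $verdict);
    }
}
```

Whichever way the blank-referer case is set, the SWF's request and a direct request receive the same verdict, and a client-supplied header matching the site is always allowed. The check can discourage casual hotlinking but cannot serve as access control for the script's output.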

4string

4:41 pm on Aug 10, 2005 (gmt 0)

10+ Year Member



Oh. That all makes sense. Thanks for the clarification! I'll have to find some other way to do it then.

Thanks all.