Web Hosting Talk

HTTP_REFERER Problem when using string on page


dpny
06-08-2004, 02:17 PM
I've got the below PHP to function properly...
the problem is that the file.php always has lots of strings attached to it like
file.php?page=1&page2=dream&page3=sweet&page4=&page5=
and so on.. lots of those strings are empty, and they always have different values...
using the below PHP code works fine if the file.php has no string on it.. how do I make it so it works when it has lots of different strings on it?




$from = getenv("HTTP_REFERER");

if ($from != "http://site.com/file.php") {

print("What? Trying to steal my music huh? What a looser... go home!");
exit;
}

CrZyAsMHaCkeR
06-08-2004, 02:42 PM
// Dots in the host and file name are escaped so they match literally, not "any character".
if (!preg_match ('/^https?:\\/\\/site\\.com\\/file\\.php.*/', getenv ('HTTP_REFERER'))) {

print("What? Trying to steal my music huh? What a looser... go home!");
exit;

}



Remember though, HTTP_REFERER isn't completely reliable, it is browser-controlled.
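As an added example (not code from the thread), here is the same check written so that it ignores the query string entirely instead of patching the regex: the Referer is parsed with parse_url() and only scheme, host and path are compared. The host site.com and path /file.php are placeholders; PHP 7.1+ is assumed for the nullable type and the ?? operator.

```php
<?php
// Added example: compare only scheme, host and path of the Referer, so the
// varying ?page=...&page2=... query string on file.php no longer matters.
// Assumed (placeholder): the player page is http://site.com/file.php

function referer_matches(?string $referer, string $allowedHost, string $allowedPath): bool
{
    // No header at all: browsers, proxies and privacy settings may strip it.
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Exact host (case-insensitive) and exact path; query and fragment are ignored,
    // so "site.com.other.example" or "/file.php.bak" do not pass.
    return strcasecmp($parts['host'], $allowedHost) === 0
        && $parts['path'] === $allowedPath;
}

// $_SERVER['HTTP_REFERER'] holds the same value as getenv('HTTP_REFERER') in the thread.
$from = $_SERVER['HTTP_REFERER'] ?? null;

if (!referer_matches($from, 'site.com', '/file.php')) {
    header('HTTP/1.1 403 Forbidden');
    print("What? Trying to steal my music huh? What a looser... go home!");
    exit;
}
```

With constructed inputs, "http://site.com/file.php?page=1&page2=dream&page4=" passes, while "http://site.com/file.php.bak", "http://site.com.other.example/file.php" and an empty header are rejected. As the reply above says, the header is set by the client, so this only deters casual hotlinking; anyone who controls the request can send whatever Referer they like.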

dpny
06-08-2004, 02:54 PM
Ok, this is what I am doing.
I have file2.php which is being called from file1.php in this format..
src="file2.php?page1=page1&page2=&page3=page3"
In the header of file2.php, somehow I want to set up something so that if that file is ONLY being called in src from file1 then it executes, otherwise it stops and echoes an error & exit;
content of file2.php

if (!preg_match ('/http?:\/\/domain.com\/music\/player\/file1.php/.*', getenv ('HTTP_REFERER'))) {
print("What? Trying to steal my music huh? What a looser... go home!");
exit;
}
echo "http://domain.com/music.ram";

am I doing something wrong here?

CrZyAsMHaCkeR
06-08-2004, 03:07 PM
First, here is what the code should be:


// The closing "/" delimiter goes after ".*", and the dots are escaped so they match literally.
if (!preg_match ('/https?:\\/\\/domain\\.com\\/music\\/player\\/file1\\.php.*/', getenv ('HTTP_REFERER'))) {
print("What? Trying to steal my music huh? What a looser... go home!");
exit;
}

echo "http://domain.com/music.ram";


Second, I am not totally sure what you are trying to do but it sounds like you are using an include() function to call file2.php from file1.php? If so, then simply do this to verify that it is being called:

file1.php

define ('IN_FILE1', TRUE);


file2.php

if (!defined ('IN_FILE1')) {
echo 'error';
exit;
}

dpny
06-08-2004, 03:56 PM
I am not doing an include...
I am doing a src on an embed tag
<embed src="file2.php?page1=page1&page2=page2" --------------------------------->

CrZyAsMHaCkeR
06-08-2004, 04:27 PM
I understand what you are trying to do now. If you want a 100% secure way of doing it then do it this way:

file.php

<?php

// Open the real file (kept outside the web root, see below) and stream it out.
if (!($fh = fopen ('image.jpg', 'r'))) {

die ('File not found.');

}

// Send the correct MIME type so the browser treats the output as the file itself.
header ('Content-Type: image/jpeg');
echo fread ($fh, filesize ('image.jpg'));
fclose ($fh);

?>


So basically this will have your browser access file.php?src=videoname as if it were the actual file but having the actual file protected and inaccessible through the web.

You will have to replace the image/jpeg stuff in the content-type header with the MIME type of the file. What you have to do to make it secure is to put the real image file in a protected directory either outside of the webroot or with an .htaccess denying all IP's. This will ensure that all access to the file is done through your PHP script.

If you want an embed tag then do it this way in a separate HTML file:

<embed src='http://yoursite/file.php?src=file'>
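The post above selects the file with a URL parameter (file.php?src=videoname). As an added example that is not the thread's code, here is a version of that streaming script which validates the src value before touching the filesystem, so a request cannot walk out of the protected directory. The directory /var/media/protected, the file names and PHP 7+ are assumptions.

```php
<?php
// Added example: stream a media file that lives outside the web root, chosen
// by a validated name from ?src=. Placeholder directory: /var/media/protected

const MEDIA_DIR = '/var/media/protected';
const MIME_TYPES = [
    'rm'  => 'application/vnd.rn-realmedia',
    'ram' => 'audio/x-pn-realaudio',
    'jpg' => 'image/jpeg',
];

// Returns the absolute path of the requested file, or null if the name is
// not acceptable or the file does not exist inside MEDIA_DIR.
function resolve_media_path(string $requested): ?string
{
    // Accept only a bare file name with one of the known extensions.
    // This rejects "../", slashes and absolute paths before any filesystem access.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(rm|ram|jpg)$/', $requested)) {
        return null;
    }
    $path = realpath(MEDIA_DIR . '/' . $requested);
    // realpath() is false for a missing file; the prefix check also catches a
    // symlink inside the directory that points somewhere else.
    if ($path === false || strncmp($path, MEDIA_DIR . '/', strlen(MEDIA_DIR) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_media_path($_GET['src'] ?? '');
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('File not found.');
}

// The extension was already restricted by the pattern above, so the lookup cannot miss.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The embed tag then stays as the post shows it, e.g. src='http://yoursite/file.php?src=dance.rm'. The whitelist pattern is the important part: with it, a name like "../../etc/passwd" never reaches fopen() or readfile(). As the next post notes, this protects the file itself but not the script URL, which anyone can still link to.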

CrZyAsMHaCkeR
06-08-2004, 04:55 PM
I should also add this one thing. Although that way that I posted can prevent direct linking to the actual file, people could still link to the script and its URL parameters. The easiest and quickest way of handling it is to do the thing I said in my first 2 posts in which it checks the HTTP_REFERER environment variable.

If you are just looking for an easy and quick system just ignore my last post and this one or to take advantage of a PHP script outputting the file's contents you could come up with a session ID system in which file1.php enters a session ID tying it with the user's IP address into a database and file2.php can check the new IP address with a previously set session ID. You could even use cookies too. You could just use session IDs or you could even come up with a user authentication system.

Here is a simple example using files of something like this:

index.php

<?php

$sid = md5(uniqid(time()));
$fh = fopen ('db.txt', 'w');
// Double quotes so "\n" is a real newline, not a literal backslash-n.
fwrite ($fh, $sid . ':' . getenv('REMOTE_ADDR') . "\n");
fclose ($fh);

?>

<a href="file1.php?id=filename">Video File</a>


file1.php

<embed src="file2.php?id=<?php echo htmlspecialchars($_GET['id']); ?>&s=<?php echo $sid; ?>">


file2.php

dpny
06-08-2004, 05:11 PM
I don't really want to use the session...
file2.php is a PHP file that generates a playlist of songs...
so when file2.php gets executed in a regular browser it just shows all the file links just like the playlist, like:
file.rm
file2.rm
dance.rm
sing.rm
and so on....
what I am trying to do is find a way so that if it is being called from a browser directly, display an error msg, otherwise continue running the PHP file which will basically make the playlist for the embed to src from and play the songs.

Burhan
06-09-2004, 03:02 AM
In order to reliably verify that the file is being called from your script, you can't rely on HTTP_REFERER, since like others have pointed out -- it's not reliable and can easily be faked.

Your other options are to use cookies (which can be disabled on the client side), or use server-side sessions (like the examples posted above).
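As an added example (not code posted in the thread), here is the server-side alternative both replies point towards, implemented as a short-lived signed token rather than a cookie session: file1.php mints the token into the embed URL and file2.php verifies it before emitting the playlist. The secret source (an environment variable named PLAYLIST_SECRET), the file name token.php, the five-minute lifetime and PHP 7+ (for hash_equals()) are assumptions. A token in the URL is used rather than a cookie because the embedded player that fetches file2.php is a separate program from the browser and may not send the browser's cookies along.

```php
<?php
// Added example: token.php, shared by file1.php and file2.php.
// Assumed: PLAYLIST_SECRET is set to a long random value outside the web root.

const TOKEN_TTL = 300; // seconds a freshly minted embed URL stays valid (assumed)

function load_secret(): string
{
    $s = getenv('PLAYLIST_SECRET'); // placeholder source for the shared secret
    if ($s === false || strlen($s) < 32) {
        throw new RuntimeException('PLAYLIST_SECRET must be set to a long random value');
    }
    return $s;
}

// file1.php side: returns the query parameters for <embed src="file2.php?...">.
function mint_token(string $id, int $now, string $secret): array
{
    $exp = $now + TOKEN_TTL;
    // The signature covers both the playlist id and the expiry, so neither can be altered.
    $sig = hash_hmac('sha256', $id . '|' . $exp, $secret);
    return ['id' => $id, 'exp' => $exp, 'sig' => $sig];
}

// file2.php side: true only if the id/exp/sig triple was minted by us and has not expired.
function verify_token(string $id, string $exp, string $sig, int $now, string $secret): bool
{
    if (!ctype_digit($exp) || (int) $exp < $now) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $id . '|' . $exp, $secret);
    // hash_equals() compares in constant time, so the check does not leak via timing.
    return hash_equals($expected, $sig);
}

// In file1.php:
//   require 'token.php';
//   $q = http_build_query(mint_token($_GET['id'], time(), load_secret()));
//   echo '<embed src="file2.php?' . htmlspecialchars($q, ENT_QUOTES) . '">';
//
// In file2.php, before building the playlist:
//   require 'token.php';
//   if (!verify_token((string) ($_GET['id'] ?? ''), (string) ($_GET['exp'] ?? ''),
//                     (string) ($_GET['sig'] ?? ''), time(), load_secret())) {
//       header('HTTP/1.1 403 Forbidden');
//       exit('What? Trying to steal my music huh? What a looser... go home!');
//   }
```

A request to file2.php with no parameters, a tampered id, or an exp in the past is rejected regardless of what Referer it carries. What this does not prevent is someone who legitimately loaded file1.php copying the full embed URL within the TTL window, which is the point made earlier in the thread about linking to the script's URL parameters; the expiry keeps such a copied link from working for long.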