View Full Version : SWF to run only on specified IP Address

03-01-2004, 12:08 AM
I'm designing and hosting Flash sites on my dedicated server.

Is there a way (script) for me to ensure that the SWFs only run if they are hosted on my server (IP Address)?

03-01-2004, 08:07 AM
You can have some server side script to check the IP address and then decide whether to display the SWF file or not...
Search the forum with 'REMOTE_ADDR' to find out how to do that in PHP...

I think you might be able do that in JavaScript but I don't know how... :D

03-01-2004, 09:44 AM
Good one.

But if you'r not a hero when it comes down to serversidescripting you could do something like letting the swf open the original URL.

So if the page where you have the swf would be 'http://www.somedomein.com/movie.html', on the first frame of the movie you'd place the script:


Then anybody who'd place the swf on his/her site would only recommend you're site. Even without meaning to :D

- Ruben

03-01-2004, 04:10 PM
Thanks CyanBlue,

I am familiar with how to perform the IP Address check in PHP....but if they take the SWF file and host it elsewhere I'm outta luck.

Is there a way to perform this check in the SWF?

Thanks Ruben,

But if their domain is www.theirdomain.com and the hosting for their that domain is moved to another service then www.theirdomain.com is still going to work...outta luck again.

I like the thought process.

03-01-2004, 04:22 PM
I am now going to attempt a combination of both suggestions.

I will apply the getURL in the SWF file first frame, except it will get a PHP file (on my domain) that checks the remote IP address.

a. If it passes---> proceed

b. If it fails ---> display a "nice" message

Not exactly sure how to execute this ("a" and "b")...but here goes

I'll keep you posted.

Thanks! ;)

03-01-2004, 04:22 PM
The PHP file that checks the IP address will reside on my domain.

03-01-2004, 04:28 PM
well nothings going to be fullproof, but this may help:
myURL = "actionscript.org";
if(_root._url.indexOf(myURL)!=-1) gotoAndPlay(2);

03-01-2004, 09:33 PM
Obviously, I didn't undersand the question correctly... :D

03-01-2004, 09:46 PM
@CyanBlue Are you sure? Maybe I didn't understand it?


Hi Splict,

In the actionscript:

myURL = "actionscript.org";
if(_root._url.indexOf(myURL)!=-1) gotoAndPlay(2);

What does the "if(_root._url.indexOf(myURL)!=-1)"
actually checking for (the -1) ?

what this code does is use ._url to check where the file is being run from. Then, the .indexOf checks the string (the url we just got) for the string in the parentheses (which is whatever you define in myURL). If indexOf doesn't find a match it will return -1.

So we check the current url (_root._url) against the url we have defined (myURL) and if it is in there (!= -1) we send the movie to frame 2 and let it play otherwise, it stays stopped. Of course you could adjust that and have it do whatever you wanted. You can find out more about these two functions in the manual - they explain them better than I could, probably ;)

This method would need to be in the swf to work, but I think thats what you wanted, right? Or will you be hosting other people's files?

03-02-2004, 12:22 AM
Okay guys....the light is on now for me

I was not clear on my objective...my apologies.

My concern is not that some visitor will take the SWFs and run them on some other domain. The solutions that you all have provided would prevent that. My concern is that they would run the SWFs on another server (same domain name).

Here is the full scenario.

1. I host websites on a dedicated box.
2. Each new client has his own domain, www.client1domain.com, www.client2domain.com, etc that they own and control.
3. I design flash sites and host them on my server.....same shared IP for all clients. Clients pay for their sites over 3 payments.

I want the SWFs to only be able to run on my server....the shared IP. If the clients take the SWF and move their domain names (which won't change) to another hosting company I want to render the SWFs inoperable...unless, of course, they have completed their payments.

Now, I thought of a solution a few hours ago.

Similar to the URL check, could I possibly check for a variable that is in a MySQL database (localhost) ....if that database is not available (i.e. the SWF is being run on another server) then the SWF stops?...as in Splict's example.

Green text shows what was edited on March 6th, 2004

03-04-2004, 10:07 PM
You sure can add the checking value on the database, but I think it is somewhat overkill... The only way to crack down what splict said is to use something like hexa editor to manually change the domain name and it won't be that easy for a novice... and pretty is most of the case... Just my 2 cents... :)

03-04-2004, 10:13 PM
I think he is afraid they will take the domain name with them... that does make it less easy. How about using a sendAndLoad to a simple php file (relaive url) that sends back an okay. If they didn't know this sendAndLoad existed then it would be pretty easy to implement. Of course that depends on how Flash Savy your client is. Need more security? Let us know, I wouldn't mind thinking up better ways, its just that anything can be broken. :)


03-04-2004, 10:25 PM
Oh... Now I get the point... Yeah... That case, it won't work, and you do need to use some sort of ways like the one that was discussed above like the database stuff, but as splict said, everything can be cracked... :(

03-04-2004, 11:51 PM
If somebody who knows what they do, want to crack the swf, they will succeed. The swf-format is well documented, and there are several programs that will let you pick it apart and put it together again. If you write some of your logic in PHP or whatever, then the swf-file will need to ask the server to do something (which will only work if you let it), or the hacker will need to figure out what the logic does and reprogram it in Flash or on another server. No matter what you do, it will be impossible to prevent that some of your work is possible to steal. That does of course not mean that you have to make it easy for the crooks, or that everybody are crooks :-)

03-05-2004, 05:48 AM
First of all, I see there have been a LOT of replies with really creative thoughts....

I was reading one of Splict's replies:

How about using a sendAndLoad to a simple php file (relaive url) that sends back an okay. If they didn't know this sendAndLoad existed then it would be pretty easy to implement.

No means to be an asshole or something, but I read [a couple of weeks ago] in some thread about some program that was capable of hacking the actionscript from a swf....

But still, it's pretty watertight I guess...

Good luck - Ruben

03-05-2004, 05:58 AM
there are several programs that will let you pick it apartum... This part, yes... and put it together again.This part, I have no knowledge of... Care to explain abit further or give me some links to dig around, Tore???

BTW, Welcome Aboard!!! :)

03-05-2004, 09:35 AM

I know of one program....called SoThink Decompiler (http://www.sothink.com/) that shows the actionscript.

It does not allow anyone to edit the SWF file or convert the SWF to an FLA. For those programs out there that do convert SWFs to FLAs, there would only be a small amount of clients savvy enough to burn me on that....so I'm not going to be overly concerned with it.

I am not concerned about anyone seeing my actionscript as long as it references files that they cannot access. Currently I have them update their itineraries and biographies, etc via a text file.

I was recently made aware of this little security issue (the ability for my sites to be swiped) from a colleague of mine who uses SoThink.

Issue Re-Explained:
I knew that they (my clients) could take their domain name and the main SWF to another hosting company. The main SWF (load movie SWF) is obviously viewable in the source code, but I figured that their site would not work because they would not know:
a. the names and locations of the other SWF files that are loaded from the main SWF
b. the text file names and location (the text file that they edit is only an include)

But....with programs like the above, they (or a Flash savvy friend...we all got 'em) could view the actionscript and see the names and locations of the other SWFs and the text files. Their only next step would be to get those SWFs and text files from my server and voila they could have a fully functioning site for little or no money.

The Solution
In the solution I am banking on one assumption: The Client can take the SWF, but cannot edit the SWF.
In order for what I'm looking for to work, the main SWF has to:
1. Be able to acces information in the PHP file that is hidden from the brower (between the <? and ?>) and not information that is echoed by PHP
2. Be able to access information in a file that is above public_html root

I've never tried it (am going to now) but can Flash access files above root (e.g. /home/clientdomain/file.php as opposed to /home/clientdomain/public_html/file.php)?

03-05-2004, 12:36 PM

I'm not sure which program(s) that Tore was referring to, but there is a program called Ave Imperator (http://www.ave-imperator.com/) which claims to make an FLA (put it back together again) from a SWF.

Obviously there are some limitations.



03-05-2004, 08:48 PM
Huh... I was not aware of those kind of programs... I knew that there are decompilers that gives all the information form the SWF file, but the SWF to FLA converter... That's new to me... Thatnks for the information... :)

Well... Anyhow... You made me to test what you just told me, and I couldn't get it working with this script...testMe_lv = new LoadVars();
testMe_lv.onLoad = function (success)
if (success)
result_txt.text = unescape(this);
trace("Failed loading the external file...");
result_txt.text = "Failed loading the external file...";
testMe_lv.load("../testMe.php")I THINK what you can do is to call the PHP file that is sitting in the public_html directory from the Flash file which calls the other file that is sitting in above directory and have it return the value back... That should be working... But I am not sure if that is really going to work well or not since the PHP file which sits in the public_html directory can be accessible to your client... ???

03-05-2004, 10:44 PM
Thanks CyanBlue,

Well...as for the PHP sitting in public_html the file cannot be accessed.

I am not allowing my clients access to the files on the server, just Internet access to their text files and web access to their email.

As you know, attempting to pull the PHP file will render the code in between the <? ?> invisible.

Me thinks this is what I have been looking for.

I'll keep you posted on the progress.

If I cannot come up with a scripted solution I can use another method.

Last Ditch Method
I can run the main.swf on my clients site then have the main.swf file call external SWFs that are on my site and server (e.g. www.mysite.com/client/001/bio.swf ,etc.) Then give them Web access to change bio.txt. This will be simple enough. If they steal the main.swf then all I have to do is remove/rename the SWFs on my site.

Initially I thought that I could not run a SWF from one domain to another (you informed me about the load variables security in Flash7 player...thanks!), but it works with SWFs...at least on the sites that I tested on my server (subdomains and different domains).

Antoher test that I ran was attempting to access SWF files above root....it just will not work. I had to at least try.

03-05-2004, 10:52 PM
Hm... I don't know how your SWF file could be able to load another SWF file sitting in the other domain... Hm... I guess you sure can do that...

Well... Anyways... Yeah... Please post the updates... :)

So, if your client does not have an access to the files on the server, then what I said might work... The PHP file reads some data from the directory above the public_html directory which returns some variable back to Flash???

03-05-2004, 11:09 PM

I see where you were coming from on the php file. All someone has to do is run the php in the browser and the output is seen (no matter if it came from above).

Which leads me to one last solution before external SWFs....that is checking the value from the db.

I was looking at this sample from the forum on the mysql/php/flash example.

Is this the type of ActionScript I will need if I am doing a test from the db?

03-05-2004, 11:27 PM
OH... I guess you are right about that... I must be very sleepy... :(

I just tested that pictest file and it does work with the database, but it won't work without the database... Nice... Very nice...
It sure will generate some unnecessart traffic, but I think it will give you the peaceful mind... :)

03-09-2004, 03:27 PM
I was thinking, you could of course load some variable from a document on your own domain [absolute, so something like "http://www.mydomain.com/textfile.txt" instead of "textfile.txt"] which triggers the movie to play.

when you don't want anyone to view the swf the only thing you'll have to do is delete the file from the domain ...

- Ruben

03-10-2004, 07:32 AM
Absolutely the best overall solution.

This keeps the load down (no database access)!!

And I can even use a shim movie or xml to access the text file on my server per the post by CyanBlue (http://www.actionscript.org/forums/showthread.php3?s=&postid=205916) in order to overcome the security sandbox restrictions in Flash Player 7.


Thanks to all!

03-10-2004, 09:54 AM
I'll be using it myself, I was thinking of loading all kind of URL's from the txt-file when the client uses the swf withouth permission :D

lol - Ruben

03-16-2004, 11:03 AM

How is your syntax going to be structured on the text file?

I'm having some trouble. In the test file on my clients domain I was able to use loadVarialbesNum and load text files from my domain by using the crossdomain.xml file, so I know that part works.

Then I attempted to test a text file on my domain called play.txt to test for a variable playmovie. If "playmovie" is "yes" then goto the frame "go" and play....otherwise don't move a muscle.

Here is the text file on my domain

and the actionscript in frame 1 of the clients SWF:
checkpermission = new LoadVars();
if (playmovie == "yes") {

It's just sitting there...no muscles moving.

What gives?

03-16-2004, 11:10 AM
Pfffrt....Actually I haven't even looked at it, and I've never used any method of loading data into a swf.

So I recommend you to take a look at the tutorials section (http://www.actionscript.org/tutorials.shtml) and espacially the loadVariables & loadvars objects tutorial (http://www.actionscript.org/tutorials/beginner/loadVariables_and_loadVars/index.shtml), because that's what I will do when I come to the point of the project where I want to do that....And I don't know when I'll be getting there, got a lot of work to do, see??

So I'm sorry, but the only thing I can help you with is the tutorials above....

Good luck with it anyways - Ruben

03-16-2004, 12:09 PM
Yeah... You have some problem with your LoadVars() routine... Try this... :)checkpermission = new LoadVars();
checkpermission.onLoad = function (success)
if (success)
if (this.playmovie == "yes")
checkpermission.load("http://www.mydomain.com/sites/client001/play.txt");If you don't mind, give us the code for the crossdomain stuff... I'm too lazy to look it up... :D

03-16-2004, 12:23 PM
Thanks Ruben,

I'll give that a try and give feedback to the board.

The xml file rules are these.

1. it has to be in the root of your domain (or the domain where the text files are located)
2. it has to be named crossdomain.xml

Here is the syntax for the contents of the xml file:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<allow-access-from domain="www.clientdomain01.com" />
<allow-access-from domain="clientdomain01.com" />

<allow-access-from domain="www.clientdomain02.com" />
<allow-access-from domain="clientdomain02.com" />

<allow-access-from domain="www.clientdomain03.com" />
<allow-access-from domain="clientdomain03.com" />

Be sure to have domain with and without the "www". My server is a remote Linux box running Apache and it did differentiate between the two (with and without "www")


03-16-2004, 02:06 PM
Thank you very much... :D

03-16-2004, 02:23 PM

The routine from your previous post did the trick.


03-16-2004, 02:26 PM

Thanks - Ruben

03-16-2004, 04:06 PM
Additional information on the crossdomain.xml file.

I just spent an hour trying to figure out why the thing was no longer working anymore.

NOTE: Be sure to list both the "www.clientdomain.com" and the "clientdomain.com" (with and without the www) else one will work and the other will not.

I have made the edit in the crossdomain.xml post above.

08-08-2008, 06:14 PM
Hi All

I'm currently having a problem with loadVariables.
Is it possible to load a variable in a text file into flash player via the IP address to the text file?

i.e.: loadVariables ("\\\animation$\FSCOMMAND\key.txt", this);
The above code does not work