Perplexity 🤖

If it were locked down to my server, there's tons of things I could do to secure it, mostly by preventing download and whatnot, but sadly that's not the case. Well, thank you for your help...

Well, the reason I'm having problems is that people can simply decompile the .swf file. They can just decompile my .swf, find the php and what data the Flash is sending, and modify it... Currently, I have it set like this: PHP file containing a hard-coded sha1 checksum of the real Container.swf (my public swf file). Container.swf file that has the URL to the PHP file. The Container.swf sends it's stage.loaderInfo.url property, which is the exact (and un-modifiable) url form where the swf file was loaded. The PHP file calculates the sha1 checksum of the posted URL, if it is equal to the hardcoded value, it sends the key, if not, it exits. The only flaw in this system is if they can decompile the Container they get the what and where. The only way this system would be perfect is for the PHP file to be able to say: "The file calling me is: " That way, the user has no say in what's happening...

I've been having a problem with people intercepting the POST data to a php file, and I've been wondering how I can check just where data is coming from. My situation is: I'm loading a .php file from an .swf file (crossdomain stuff works fine, so the .swf can be anywhere), and I want to make it so only that swf file can run/get anything from the .php file on my server. Right now, I'm sending the location of the swf file to the php file, and checking a sha1 file checksum on the PHP file against a hard-coded value. The problem is people can just send the link to a proper swf file regardless of whether or not that's where they're loading the php file from. I'm not even sure if that's possible to do, but any enlightenment would be nice.