Hi all, 

 

I am developing an application that involves php and flash. Flash is on the server too in the form of swf file running inside an HTML page. I would like to know what security issues loom large with such applications. I would be happy if someone can come out with some known security issues and also point to some that could occur and should be looked into.

 

I am using Flash 8.0 with actionscript 2.0. I am aware that swf can be disassembled. How easy is that and what can be done to prevent someone from doing so?

 

The interaction of Flash and PHP occurs as follows: Once the client is logged in he can activate the Flash movie page, which is like a game. The game gets its stored values from a database, so the Flash connects to PHP and is fed from it the initialisation values for the movie to start. The movie plays and some values are generated during the game (almost all integers and one or two dates). Once the game ends these values are stored back into the database by Flash calling the PHP and POSTing data into the database through it (PHP).

 

One question that I want to ask is: since the program is generating the values, do I need to take the security measures on the POSTed data and validate and escape it before storing it into the MySQL database? Can these values also be intercepted by a malicious user and changed before the PHP stores them in the DB?

 

Any knowledge on this that anyone here considers relevant is very welcome. I would be happy for any and all responses on this issue from all the gurus here, and thank you all in advance. Have a great day all!

The interaction of Flash and PHP occurs as follows: Once the client is logged in he can activate the Flash movie page, which is like a game. The game gets its stored values from a database, so the Flash connects to PHP and is fed from it the initialisation values for the movie to start. The movie plays and some values are generated during the game (almost all integers and one or two dates). Once the game ends these values are stored back into the database by Flash calling the PHP and POSTing data into the database through it (PHP).

 

One question that I want to ask is: since the program is generating the values, do I need to take the security measures on the POSTed data and validate and escape it before storing it into the MySQL database? Can these values also be intercepted by a malicious user and changed before the PHP stores them in the DB?

Yes; I would do some securing of POST.  In particular, if POSTing can be allowed from anywhere (I'm assuming since the Flash is on the client side, it's coming from the WWW at large).  If someone can disassemble the SWF file, they can find out where to POST to.

 

For that matter, anyone with a packet sniffer or riding tail on a proxy or firewall log can figure out where your Flash is POSTing to.

 

That done, the door is open to send bogus POST data, and that's why you need to make sure all data coming from outside is sanitized...

Edited by dalecosp
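To make the "sanitize everything coming from outside" advice concrete, here is an added example of what the PHP endpoint that receives the end-of-game POST could look like. It is not code from the thread: the field names (`score`, `level`, `moves`, `started_on`, `finished_on`), the `game_results` table, the script name and the database credentials are all assumptions. The pattern it shows is the one that matters for this setup: check the session, whitelist the expected fields, validate each integer and date against the shape and range the game can actually produce, and store with a prepared statement so nothing is ever concatenated into SQL.

```php
<?php
// save_game.php: added example, not code from the thread. It accepts the values
// the SWF POSTs at the end of a game and treats every one of them as untrusted.
// Field names, table/column names and the database credentials are assumptions.

session_start();

// 1. Only a logged-in session may save. The SWF inherits the browser's session
//    cookie, so the same check that guards the HTML page guards this endpoint.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('not logged in');
}
$userId = (int) $_SESSION['user_id'];

// 2. Integers: whitelist the expected fields and the range each may plausibly
//    take. Out-of-range or non-numeric input is rejected, not "cleaned up".
$intFields = array(
    'score' => array('min_range' => 0, 'max_range' => 1000000),
    'level' => array('min_range' => 1, 'max_range' => 50),
    'moves' => array('min_range' => 0, 'max_range' => 100000),
);
$clean = array();
foreach ($intFields as $name => $range) {
    $raw = isset($_POST[$name]) ? $_POST[$name] : null;
    $val = filter_var($raw, FILTER_VALIDATE_INT, array('options' => $range));
    if ($val === false) {
        header('HTTP/1.1 400 Bad Request');
        exit('invalid value for ' . $name);
    }
    $clean[$name] = $val;
}

// 3. Dates: accept only YYYY-MM-DD and confirm it is a real calendar date, so
//    "2007-02-31" or a string carrying SQL never reaches the query.
function parse_date($s) {
    if (!is_string($s) || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $s, $m)) {
        return false;
    }
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]) ? $s : false;
}
foreach (array('started_on', 'finished_on') as $name) {
    $val = parse_date(isset($_POST[$name]) ? $_POST[$name] : null);
    if ($val === false) {
        header('HTTP/1.1 400 Bad Request');
        exit('invalid date for ' . $name);
    }
    $clean[$name] = $val;
}
// A game cannot finish before it started; a tampered request often fails a
// cross-field check like this even when each field is individually well-formed.
if (strcmp($clean['finished_on'], $clean['started_on']) < 0) {
    header('HTTP/1.1 400 Bad Request');
    exit('inconsistent dates');
}

// 4. Store with a prepared statement: values are bound as parameters, never
//    concatenated into the SQL, so no manual escaping is needed.
$db = new mysqli('localhost', 'gameuser', 'secret', 'gamedb'); // assumed credentials
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('database unavailable');
}
$stmt = $db->prepare(
    'INSERT INTO game_results (user_id, score, level, moves, started_on, finished_on)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('iiiiss', $userId, $clean['score'], $clean['level'],
                  $clean['moves'], $clean['started_on'], $clean['finished_on']);
if (!$stmt->execute()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('save failed');
}
$stmt->close();
$db->close();

// LoadVars on the Flash side parses this response as name=value pairs.
echo 'status=ok';
```

Two points about the design. The range limits double as a detection hook: a submission that fails them is exactly the kind of request worth logging, because the real SWF can never produce it. And because the client generates the values, the server can only bound them to what the game could plausibly have produced; it cannot prove they are genuine, which is why anything that must be trustworthy (who the user is, when the game was started) is better taken from the session and the server clock than from the POST body.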

Thanks dalecosp, 

 

I'll take that into consideration and do the data validation and sanitizing there. I would be glad to get some more answers on some of the other issues that I have mentioned in this post. Thanks to all for your valuable time and helpful comments.

Hi! Here's another thing that is more Flash specific that I wish to ask. I have in my Flash game ActionScript on various frames that I have written on those particular frames. Would it be any help to take that ActionScript off those frames and put it in a separate file, in the sense that now if someone decompiles the SWF file the ActionScript would be safe? Would separating the code from the movie save the code? If so, then how can I do this separation?

 

E.g., if I have code on frames 10 and 30 and at 50, then how can I separate the code and make sure that it would be executed as is being done now when it is written on those frames? So 1) I don't know if separating the code from the Flash SWF will save it in case the file is decompiled; 2) if yes, i.e. if this is the safer route, then how can I separate the code from the movie and ensure the movie runs the same as before?

 

Thanks !
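For the question of moving frame scripts out of the timeline, here is an added illustration that is not from the thread. It shows the ActionScript 2.0 mechanism for doing so, the `#include` directive, with `frame10.as`, `init.php` and the `startScore` field as assumed names. What matters for the security question is what `#include` does and does not change: it is resolved by the Flash compiler, which copies the file's text into the frame script before publishing, so the bytecode in the SWF is the same as with the inline version and a decompiler recovers it just as easily. Separating the code helps with maintenance and reuse, not with keeping logic away from whoever has the SWF; logic that must stay private has to live on the PHP side.

```actionscript
// Frame 10 of the main timeline now holds only this line (added example,
// not from the thread). The Flash 8 compiler replaces it with the contents
// of frame10.as (assumed filename, stored next to the .fla) at publish time.
#include "frame10.as"

// ---- frame10.as ----
// Ask PHP for the stored starting values instead of hard-coding them;
// init.php and the startScore field are assumptions.
var init:LoadVars = new LoadVars();
init.onLoad = function(success:Boolean):Void {
    if (success) {
        // Whatever the server sent is still just a string; convert explicitly.
        _root.score = Number(this.startScore);
        _root.play();
    } else {
        trace("could not load initial values");
    }
};
init.load("init.php");
stop();
```

The same pattern applies to frames 30 and 50: each keeps a single `#include` line pointing at its own `.as` file, and the timeline runs exactly as before because the compiler sees the same script on the same frame.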
