TonyMontana — Sat, 26 Apr 2003 03:08:30 +0000

Mark, I don't have VB installed, it needed some other files in order to install.

I'm now linking to the query PHP page from another PHP page (instead of the .swf) because 'referer' was returning null.

Can I add some more security to this script, I read 'referer' can be easily spoofed.

?>
$ref = $HTTP_SERVER_VARS['HTTP_REFERER'];

if ($ref== "currentScript.php"){
'executeQuery()'
} else {
die ("no access");
}

Cheers,

TonyMontana

Mark Hensler — Fri, 25 Apr 2003 10:05:56 +0000

Third option... you'll have to open a socket connection to the server, and send that out. Then listen for the reply (HTTP Response). This is more difficult option, but for some projects, it offers so many options.

To find the User-Agent, ehhhh... I can't think of anything creative with PHP right now, so I'll use an old tool. Download this: http://host.maxalbert.com/twf/TCP_receiver.exe (24KB)

I know it's not pretty. I made it to debug some applications I was making. But it still works. I think it requires the VB6 runtime, but I never made an installer for it.

o Make a flash script open a file at: http://127.0.0.1:80/example.html
o Run the TCP_receiver.exe.
o Change to port to whatever you want (80 used above) and click Apply.
o Run your flash script.
o TCP_receiver.exe should now contain the HTTP Request from the Flash script (which will probably die waiting for a reply).

If you get anything, post it. I'd be very interested in seeing what Flash says. The line of dashes is just to seperate stuff. It's not sent by anything.

TonyMontana — Fri, 25 Apr 2003 04:53:11 +0000

In the third option, where would this code be placed:

GET /contentEngine.php HTTP/1.1
Connection: Keep-Alive
User-Agent: super secret script
Accept: */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
My-Header: My-Value

And in the first option, how can I find out the value of the User-Agent header?

Flash unfortunately has little in the way of encryption/decryption and all strings/passwords within an .swf file can be easily viewed in an actionscript decompiler.

Mark Hensler — Wed, 23 Apr 2003 23:16:25 +0000

Well, the only way I know to protect the file is by using some kind of checks. I'm not familiar with Flash MX, so I'll try to provide as many general options as possible.

Option One
Find out what the value of the User-Agent header is. If it identifies flash, this would be great to use. If there is a User-Agent, you could use .htaccess to protect the directory/file. Or some PHP like:

<?php
if (!preg_match(\"/flash/i\", $_SERVER['HTTP_USER_AGENT'])) {
    die(\"quit hacking\");
}
?>

Option Two:
I believe you tell Flash which URL to retrieve. So you might append a key or password to this. Such as "contentEngine.php?whoami=super_secret_script".

<?php
if (!$_GET['whoami']!='super_secret_script') {
    die(\"quit hacking\");
}
?>

Option Three:
If possible, you might add some custom headers to the HTTP Request. A basic HTTP Request looks like this:

GET /contentEngine.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.02 [en] (X11; I; SunOS 5.4 sun4m)
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

'
But you could become a creative artist and...

GET /contentEngine.php HTTP/1.1
Connection: Keep-Alive
User-Agent: super secret script
Accept: */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
My-Header: My-Value

'
Then...

<?php
if (!$_SERVER['User-Agent']!='super secret script' || $_SERVER['My-Header']!='My-Value') {
    die(\"quit hacking\");
}
?>

You may also consider encrypting your data. I don't know what decyption options Flash has, so you'll have to research that.

TonyMontana — Wed, 23 Apr 2003 18:29:37 +0000

"Or just make what your passing unreadable (or backwards) on=off, left=right, north=east ... just be sure to write it down or you'll confuse yourself"

Do you have an example of this?

Cheers.

Busy — Tue, 15 Apr 2003 20:47:01 +0000

PHP to flash, hmmm - pass

just use some validation on the 'contentEngine.php' page, a referrer check and/or extra variable check
Or just make what your passing unreadable (or backwards) on=off, left=right, north=east ... just be sure to write it down or you'll confuse yourself
You could also use your .htaccess to allow from only one place/page/section

TonyMontana — Tue, 15 Apr 2003 05:18:04 +0000

Busy, that's PHP formatted data being sent to Flash MX, which I copied by visiting the PHP page.

I only want that page to be accessed by the Flash MX file...in other words, I don't want someone to freely access 'contentEngine.php' and grab all the name/value attribute pairs.

Cheers,

Tony

Busy — Mon, 14 Apr 2003 23:13:35 +0000

what about breaking them down into 'if' statements
just use a page.php?showme=1
if ($showme == 1) {
0=1;
ID=1;
1=Comp.swf;
initials=C.swf;
}
...
but remember variables can't start with a number

also how is the info getting there, from a link or form, post and get do different things