I am working on a project that uses PHP, AS3, and AMFPHP.

The project allows users to upload and download images among other things. Since I am fairly new to PHP/Flash security I have been trying to gather as much info about making things as secure as possible. I've got some good advice about using .htaccess files, and a few other tricks.

My main question at the moment is how to hide the "path" info from and to the PHP / assets / and to and from the AMFPHP services ...

Currently I have all the paths hard-coded in one .as that returns an object with the paths to any of the other classes that need/request it. I found this method to work well since I only need to change this one .as, and it will branch out to the other classes that need it.

I'm not super worried about others decompiling my code, and they could probably "sniff" out the paths if they really wanted. I'm mostly concerned with allowing others easy access to all of my AMFPHP services or being allowed into parts of the site I do not wish them to be. Basically I realize that things aren't gonna be 100% secure regardless, but would like to take precautions.

So my main question is ... What's the best, simplest way to obscure / hide the paths being used in a PHP - AS3 project? ... I entertained the possibility of PHP includes or even a SQL database if need be. I'd rather not spend a bunch of time and money on questionable obfuscatory software, unless there's a tried and true (and inexpensive) one for Flash (not Flex). ... and I currently do not have an SSL but don't know how critical or common this is.

+2  A: 

As you've noted, anyone could find out your paths by using Wireshark to watch traffic sent to your site, or a Flash decompiler to look at your source code and find the links directly.

I don't think it sounds worth the trouble to try to hide your paths, since all it would be adding is a slight layer of obscurity. Anyone interested could figure it out with relatively little effort, but the average person would have no clue whatsoever about how to make an AMF call to one of your services. Instead, I'd concentrate on making your AMFPHP functions themselves as secure as possible.

Alex JL
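
One way to act on the advice in the answer above, as an added example that is not part of the original thread: a service class whose remotely callable method checks the caller's session and confines file access to that user's directory, so that knowing the service path alone gives nothing. It assumes PHP 7 or later and a login step elsewhere that sets the session value; `ImageService`, `IMAGE_ROOT` and the `user_id` session key are hypothetical names.

```php
<?php
// Added example, not from the original thread. ImageService, IMAGE_ROOT and
// the 'user_id' session key are hypothetical names.
const IMAGE_ROOT = '/var/www/private/images'; // assumed: outside the web root

class ImageService
{
    // Every remotely callable method starts here: the caller must hold a
    // session created by a successful login, whatever URL they called.
    private function requireLogin(): int
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION['user_id'])) {
            throw new RuntimeException('Not authenticated');
        }
        return (int) $_SESSION['user_id'];
    }

    // Return one of the caller's own images; the client sends only a file name.
    public function getImage(string $name): string
    {
        $userId = $this->requireLogin();

        // Allow-list the name: no slashes, no "..", image extensions only.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)\z/', $name)) {
            throw new InvalidArgumentException('Bad file name');
        }

        // Resolve symlinks, then confirm the result is still in the user's dir.
        $userDir = realpath(IMAGE_ROOT . '/' . $userId);
        $path    = realpath($userDir . '/' . $name);
        if ($userDir === false || $path === false
            || strncmp($path, $userDir . DIRECTORY_SEPARATOR, strlen($userDir) + 1) !== 0) {
            throw new RuntimeException('Not found');
        }

        // Base64 is an assumed transport encoding for this sketch.
        return base64_encode(file_get_contents($path));
    }
}
```
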
A: 

You could use a mod_rewrite file (with Apache) to remove or change the file extensions for your pages.

# Serve the public URL bob.html from bob.php, so the .php extension is not shown
RewriteEngine on
RewriteRule ^bob\.html$ bob.php [L]

See http://www.workingwith.me.uk/articles/scripting/mod_rewrite for more examples.

This would not change the links hardcoded in Flash but could make them less obvious to a user.

If you are using Windows then you can use OBFU to obfuscate your Flash code. It is expensive but very secure. There are a few open source alternatives but not as secure.

See http://tech.motion-twin.com/obfu.html

But what Code Duck is saying is correct in that there is no way to completely protect it.

Todd Moses