tags:
views: 63
answers: 4

I'm not sure how to describe this, but basically I have a PHP class file:

```php
<?php
// Backend class called from the Flex frontend; the method bodies are
// left as stubs in the question.
class HelloHello {

    public function getSomeData($input_parameter) {
        // code to retrieve data from the database
    }

    public function deleteSomeData($input_parameter) {
        // code to delete data from the database
    }
}
```

This class is on the server and is part of the backend that connects with a database, and it's meant to be accessed by the frontend SWF only (not to be directly accessed). I've set up Flex to read this class and access it. But how do I make sure that someone doesn't develop a script that can call this PHP file directly and access its methods? For example, using a script to add data in a fast, automated way, or using the delete method directly, ouch.

Is this a legitimate concern, or this can't be done?

+1  A: 

If a user can view it through your Flash application, the user can view it with his application. You could go through the [ugly] mess of trying to "secure" your script by introducing cookies and authentication and the like, but that's messy, and of course, it can be gone around.

Instead of trying to stop others from accessing your php file, focus on making it more secure.

ItzWarty
Well, that ugly mess is the good standard of programming we should all strive towards. I wish the easy way would cut it in the real world, but it doesn't. And you also get a warm fuzzy feeling from doing the "right thing" not the "easy thing"
brett
@ItzWarty, It's possible to prevent what you're describing using sessions. The fake caller script won't have the session so will fail. Hmm, I'm kind of answering my own question I guess, but let's talk some more, people. I know someone here on SO has the good answer... Also, how do you know the database name and table name?
brett
But how would the session be initialized? Your server would have to call session_begin() somehow, and it's not like the session will just magically appear. At one point you will have to do this. If you access begin.php or something like that with your program, once again, another guy's program can do the same thing.
ItzWarty
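The thread above circles around the practical answer: the session is not the secret, the credentials that create it are. Any program can request begin.php, but only one that knows a valid user's password gets a session that the delete method accepts. The following is an added example, not code from the question or from any of the answerers. It assumes a hypothetical login.php that has already checked a password, called `session_regenerate_id(true)`, and stored `user_id`, `role` and a per-session `csrf_token` in `$_SESSION`; the dispatcher on `$_POST['method']` and the filename `HelloHello.php` are also assumptions standing in for whatever remoting layer Flex actually uses.

```php
<?php
// api.php: added example, not the question's code. Assumes a hypothetical
// login.php that verified credentials, regenerated the session id and set
// $_SESSION['user_id'], $_SESSION['role'] and $_SESSION['csrf_token'].
declare(strict_types=1);

require_once 'HelloHello.php';   // hypothetical filename for the class in the question

session_start();

// Any caller without an authenticated session is turned away; it does not
// matter whether the caller is the SWF or a hand-written script.
function requireSession(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('not authenticated');
    }
}

// Authorization is checked per method: reading may be open to every user,
// deleting only to a privileged role.
function requireRole(string $role): void
{
    if (($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit('forbidden');
    }
}

// The SWF receives this token when the session is established and echoes it
// back; a page on another site that makes the browser send the cookie cannot
// read the token, which stops cross-site requests riding on a user's session.
function requireCsrfToken(): void
{
    $sent     = $_POST['token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {   // constant-time compare
        http_response_code(403);
        exit('bad token');
    }
}

requireSession();
$hello = new HelloHello();

// Explicit whitelist of callable methods: a caller cannot reach any other
// public method of the class by naming it in the request.
switch ($_POST['method'] ?? '') {
    case 'get':
        echo json_encode($hello->getSomeData($_POST['id'] ?? ''));
        break;
    case 'delete':
        requireRole('admin');      // deletion needs more than just a session
        requireCsrfToken();
        $hello->deleteSomeData($_POST['id'] ?? '');
        echo json_encode(['ok' => true]);
        break;
    default:
        http_response_code(400);
        exit('unknown method');
}
```

Note that a script written by the attacker still gets exactly the access that its author's own account has: the goal is not to tell the SWF apart from a script, which is impossible, but to make every method check who is asking and whether that user may do this. Needs PHP 7 for `??` and PHP 5.6 or later for `hash_equals`.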
A: 

If you know the URL where the SWF runs, can't you just limit the requests in PHP to that URL? Disregard all other requests.

adamcodes
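What this answer describes is a check on the `Referer` request header, the only place the server learns where the SWF was loaded from. An added example (not the answer's code) that assumes the application is served from the hypothetical origin `https://example.com`:

```php
<?php
// Added example, not the answer's code. Allows a request only if its Referer
// header names the origin the SWF is served from (hypothetical example.com).
declare(strict_types=1);

function refererAllowed(?string $referer, string $allowedOrigin = 'https://example.com'): bool
{
    if ($referer === null || $referer === '') {
        return false;           // many clients and proxies send no Referer at all
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;           // malformed or relative value
    }
    // Compare the whole origin (scheme, host, port), not a substring: a check
    // like strpos($referer, 'example.com') would accept example.com.evil.test.
    $origin = $parts['scheme'] . '://' . $parts['host'];
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return strcasecmp($origin, $allowedOrigin) === 0;
}

// The header is supplied by the client, so anyone can satisfy this check
// from a script with, for instance:
//   curl -H 'Referer: https://example.com/app/' https://example.com/api.php
// It stops accidental or lazy callers and cross-site page loads, nothing more.
if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null)) {
    http_response_code(403);
    exit('forbidden');
}
```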
A: 

You can secure your file by adding security and authentication. If you cannot do that (it is a public application) you should implement some techniques which can prevent specific situations: do not allow calling your script too many times per second from the same IP, add a CAPTCHA in order to check that the entered data were from a human and not a machine, and maybe other ones.

Cornel Creanga
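The per-IP limit this answer suggests, as an added example that is not the answer's code. It is a sliding-window counter keyed on the client address; the file-per-address storage under the system temp directory is an assumption chosen so the example needs no server, and a real deployment would use APCu, Redis or a database table. The CAPTCHA part needs an external service and is not shown.

```php
<?php
// Added example, not the answer's code: at most $limit requests per
// $windowSeconds from one address, state kept in files (assumed layout).
declare(strict_types=1);

function rateLimitFile(string $ip): string
{
    // Key on REMOTE_ADDR, which the web server fills from the TCP connection.
    // Do not key on X-Forwarded-For unless a trusted proxy sets it: the client
    // can put any value in that header and dodge the limit.
    return sys_get_temp_dir() . '/rl_' . hash('sha256', $ip);
}

function allowRequest(string $ip, int $limit, int $windowSeconds, ?int $now = null): bool
{
    $now = $now ?? time();
    $fh  = fopen(rateLimitFile($ip), 'c+');      // create if missing, do not truncate
    if ($fh === false) {
        return true;   // fail open: a broken limiter should not take the site down
    }
    flock($fh, LOCK_EX);                          // concurrent requests share the file
    $raw    = stream_get_contents($fh);
    $stamps = $raw === '' ? [] : array_map('intval', explode(',', $raw));
    // Forget request timestamps that have left the window.
    $stamps = array_values(array_filter($stamps, fn (int $t) => $t > $now - $windowSeconds));
    $allowed = count($stamps) < $limit;
    if ($allowed) {
        $stamps[] = $now;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, implode(',', $stamps));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Ten calls per minute per address; the 429 tells well-behaved clients to back off.
if (!allowRequest($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', 10, 60)) {
    http_response_code(429);
    header('Retry-After: 60');
    exit('too many requests');
}
```

A limit like this slows down bulk insertion from one machine; it does nothing against a single call to the delete method, which is why the answer puts authentication first.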
A: 

You could also implement a challenge-response security system that makes sure the client you use is actually the intended recipient of the data. That way, you would embed a secret key into the SWF. The PHP app sends a one-time string, the client does something to it according to its secret and then sends the answer back -- which your server can validate and then continue to run.

For some basic mathematical foundations to this, there's quite some documentation online.

Konrad Neuwirth
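The exchange described above, written out as an added example that is not the answer's code. The "something" the client does to the one-time string is an HMAC over it with the shared secret, so the secret itself never crosses the wire; the server keeps the nonce single-use and short-lived so a captured answer cannot be replayed. The constant `SHARED_SECRET`, the 60-second lifetime and the array standing in for `$_SESSION` are assumptions. Both sides are shown in one script for illustration; `challenge()` and `verify()` belong in PHP, `clientAnswer()` in the SWF.

```php
<?php
// Added example, not the answer's code: nonce challenge, HMAC response.
declare(strict_types=1);

// Hypothetical value. The same bytes must be compiled into the SWF, and SWF
// bytecode is straightforward to decompile, so this keeps the secret from
// casual observers and stops replay; it does not stop a determined caller.
const SHARED_SECRET = 'replace-me-with-32-random-bytes';

// Server: issue a fresh single-use nonce and remember when it was issued.
function challenge(array &$session): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['challenge'] = ['nonce' => $nonce, 'issued' => time()];
    return $nonce;
}

// Client (the SWF): prove knowledge of the secret without sending it.
function clientAnswer(string $nonce, string $secret): string
{
    return hash_hmac('sha256', $nonce, $secret);
}

// Server: accept only the answer to the nonce it issued, once, within 60 s.
function verify(array &$session, string $answer, string $secret, ?int $now = null): bool
{
    $now = $now ?? time();
    $c   = $session['challenge'] ?? null;
    unset($session['challenge']);              // single use, even when the answer is wrong
    if ($c === null || $now - $c['issued'] > 60) {
        return false;                          // no outstanding challenge, or expired
    }
    $expected = hash_hmac('sha256', $c['nonce'], $secret);
    return hash_equals($expected, $answer);    // constant-time compare
}

// Hypothetical handshake inside one script; $session stands in for $_SESSION.
$session = [];
$nonce   = challenge($session);
$answer  = clientAnswer($nonce, SHARED_SECRET);
$ok      = verify($session, $answer, SHARED_SECRET);     // true
$replay  = verify($session, $answer, SHARED_SECRET);     // false: nonce already consumed
```

Requires PHP 7 for `random_bytes`. The scheme authenticates the client software, not the user; it is worth combining with the session and role checks from the first answer rather than replacing them.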