views: 30
answers: 4
I would like to call a swf file which takes some parameters, but I do not want those parameters to be visible on the client (let's say a secret authentication token or something like that).

I thought I would write a simple PHP proxy script like this:

<?php
// Proxy: fetch the SWF over HTTP with the secret query string and stream it to the client
header('Content-type: application/x-shockwave-flash');
readfile('http://path/to/swf/file.swf?here=are&some=parameters');

And then simply do

<embed src="/path/to/php/proxy.php" />

But the flash parameters don't seem to be making it to the swf. Is something like this possible?

A: 

GET parameters don't work that way. They only work through the web. Can your SWF file accept parameters through some other method such as POST?

The best way would be to encrypt them but almost anything you do will likely require changing the Flash to accept some other kind of input.

Cfreak
Of course they work this way. readfile is making a request over HTTP just like a web browser, and if I put the url with the query string directly into my browser, it works just fine.
blockhead
No, they don't. You're accessing the SWF through the filesystem, not the web server.
Ignacio Vazquez-Abrams
I've updated my post so that it's clearer that it's using HTTP
blockhead
From the documentation: "Reads a file and writes it to the output buffer." - I have not found any information about a HTTP request on the documentation page... it uses fopen which could emulate file access over HTTP...
Hippo
If you put readfile('http://www.google.com'); in to a php script, you will see google's home page. Convinced?
blockhead
Warning: readfile(google.com): failed to open stream: No such file or directory in no_it_doesnt.php on line 3 - so no I'm not convinced. Put http:// on it, it does but default is to look at the filesystem. Also IMHO this is one of PHP's worst design decisions to mix reading from file systems or URLs.
Cfreak
The point is, if you have an http:// there, it uses HTTP. I could have easily used cURL to do the same thing. That's not at all my point. I just chose to use readfile because it's one line instead of 5.
blockhead
And twice you didn't do it and everyone pointed out that it won't work that way.
Cfreak
You are reading the file over HTTP to the output buffer... the swf reads the GET parameters when it is *executed*, not when it is loaded from the server/file system... that's the reason why readfile will not work, because the parameters aren't there when you embed it into the webpage...
Hippo
A: 

There is no way to start a flash movie with any parameters that are invisible to the user. (You could always use Firebug or something similar.)
The easiest approach would be to receive the data from the server after starting the movie and encrypt the communication between them.

Hippo
No good, although not trivial, ajax code can be clearly seen in the JS debugger...
Sean Farrell
That's why you should encrypt it... ;-)
Hippo
A: 

The way you are doing it the parameters are not being sent as part of the GET request so Flash never sees them.

There is no straightforward way of doing what you want, but your best bet is to re-generate the auth token for the user each time they log in, and even rotate the token after each call you make to the server.

The real thing is that you can't hide anything from a sniffer (like Fiddler/WireShark/Charles) so a dynamic token is probably the only way to go (resorting to HTTPS/AMF and anything palliative for securing the transport layer will just be an extra, as your primary token would still be in the clear.)

gonchuki
A: 

Think again about what you are doing. You are reading a swf file from disk and serving it to the user. I wonder why the file system takes the added "parameters" without error. Then the flash gets executed on the user's machine. Where are the arguments now? You did not send them to the user, did you? You did not modify the flash file, did you? So yea, you are basically out of luck... You are only doing the same thing a web server does, only slower.

What you can do though, use a cross site scripting approach. Send out the frame HTML with a randomly generated "pass phrase". You store the "pass phrase" somewhere, like a database. Then use code such as:

<embed src="/path/to/php/proxy.php?pass=dfkhslrufbeuip" />

Only ever serve the file if it is a valid pass phrase.

Ok the flash is not protected, the user can still "save as" and play it alone. But at least you don't have the trouble of someone hogging your bandwidth from a different site...

Sean Farrell
Actually you could pass the pass phrase to flash too and let flash authenticate against your server. (In the flash app.) But my AS knowledge is not sufficient here...
Sean Farrell
I'm not reading an swf file from disk. I'm reading it over HTTP.
blockhead
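The per-request pass phrase from Sean Farrell's answer, combined with the rotate-the-token-on-every-call idea from gonchuki's answer, as an added example that is not code from the question or any of the answers. It is one PHP script with two modes: the page mode emits the embed tag with a fresh single-use pass phrase stored in the session, and the swf mode only fetches and streams the SWF when that pass phrase is presented once, within a short window. The upstream URL, the parameter names and the 60-second lifetime are assumed placeholders. As the answers point out, this only protects the fetch from the proxy (hotlinking, bandwidth); the SWF itself still never sees the secret parameters, since they are appended server-side and the movie does not read them at load time.

```php
<?php
// Added example (not from the original question or answers): a PHP proxy
// that issues a single-use random pass phrase per page load, stores it in
// the session, and only fetches and streams the SWF when a matching pass
// phrase is presented. The secret upstream parameters never leave the server.
// Assumed names: the constants below and the upstream URL are placeholders.

declare(strict_types=1);

session_start();

// Placeholder: the real upstream location and the parameters to keep secret.
const UPSTREAM_SWF  = 'http://path/to/swf/file.swf';
const SECRET_PARAMS = ['here' => 'are', 'some' => 'parameters'];
const PASS_LIFETIME = 60; // seconds; the embed loads right after the page does

// Mode 1: emit the embedding page with a fresh single-use pass phrase.
function renderPage(): string
{
    $pass = bin2hex(random_bytes(16));       // 128 bits from the CSPRNG
    $_SESSION['swf_pass'] = $pass;           // stored server-side, keyed by the session cookie
    $_SESSION['swf_pass_issued'] = time();
    $src = htmlspecialchars('proxy.php?mode=swf&pass=' . $pass, ENT_QUOTES, 'UTF-8');
    return '<embed src="' . $src . '" type="application/x-shockwave-flash" />';
}

// Mode 2: validate the pass phrase, consume it, and stream the SWF.
function serveSwf(?string $pass): void
{
    $expected = $_SESSION['swf_pass'] ?? null;
    $issued   = $_SESSION['swf_pass_issued'] ?? 0;

    // Single use: clear the stored value before checking, so a replay of the
    // same pass phrase fails whether or not this request succeeds.
    unset($_SESSION['swf_pass'], $_SESSION['swf_pass_issued']);

    if ($pass === null || $expected === null
        || !hash_equals($expected, $pass)            // constant-time comparison
        || time() - $issued > PASS_LIFETIME) {
        http_response_code(403);
        exit('Forbidden');
    }

    // The secret parameters are appended here, on the server, and are never
    // part of the client-visible URL.
    $url  = UPSTREAM_SWF . '?' . http_build_query(SECRET_PARAMS);
    $body = file_get_contents($url);
    if ($body === false) {
        http_response_code(502);
        exit('Upstream fetch failed');
    }

    header('Content-Type: application/x-shockwave-flash');
    header('Cache-Control: no-store');
    header('Content-Length: ' . strlen($body));
    echo $body;
}

$mode = $_GET['mode'] ?? 'page';
if ($mode === 'swf') {
    serveSwf(isset($_GET['pass']) ? (string) $_GET['pass'] : null);
} else {
    header('Content-Type: text/html; charset=UTF-8');
    echo renderPage();
}
```

Serving the script as proxy.php and opening it without a mode prints the embed tag; the browser then requests proxy.php?mode=swf&pass=... and the pass phrase is consumed on that first request. Because the value is cleared before it is compared, a second request with the same pass phrase gets a 403 even if the first one failed, which is what makes the token single-use rather than merely short-lived. Someone who saves the movie can still play it on its own, exactly as the answer says; the check only stops other sites from embedding the proxy URL directly.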