Hello all,

I'm developing a game coded in Flash AS3 and need to read/write info to an SQL server. Currently, for testing purposes, I use ASQL, which is very simple and robust, but it needs a direct connection from the client machine to the SQL server (port 3306 open and allowing a wildcard username to connect from anywhere using a password) and, worse, the .swf format itself is not encrypted and all decompilers will let you extract AS3 code, which means a password stored in code.

I have rounded up a few options but they all lack security measures:

  1. AS3 code sending a POST req to a PHP page which connects to the MySQL server
  2. Use amfphp, but the AMF protocol is still sniff-able
  3. Keep current method and force users to have outgoing port 3306 open, which may confuse customers.

Help/tips/discussion would be highly appreciated.

A: 

You can use HTTP(S) with authentication with e.g. PHP. Don't make the script a wrapper to the SQL connection, as this'd ruin the point of the script (essentially); have custom commands as the protocol (e.g. add/update high scores).

strager
A: 

Depending on the number of commands needed I think you should choose option 1 (with only one or a few commands) or option 2 (if you have some more and complex commands to send). Don't open your database to the public internet.

What is the problem you are trying to solve/secure? If all your application (game) logic is at the client you cannot prevent people from faking results. The client is never to be trusted and no securing of the line (https or any other encryption of the communication) will help that -- that will only keep other people from eavesdropping.

If you are trying to secure the posting of high scores or game state - to my knowledge you can make it hard to fake them but you cannot make it impossible unless you move at least some game logic to the server.

Simon Groenewolt
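
The two answers above both point to a server-side endpoint that exposes a few fixed commands instead of passing SQL through, and that checks what the client sends. This is an added sketch of that design, not code from either answerer. The command names, table layout, score cap and session store are assumptions, and `sqlite3` stands in for the MySQL server so it runs offline.

```python
import sqlite3

# Assumptions, not from the thread: command names, table layout, score cap and
# session store are hypothetical; sqlite3 stands in for the MySQL server.
MAX_SCORE = 1_000_000
SESSIONS = {"constructed-token-abc": "alice"}  # constructed: token -> player, set at login

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (player TEXT PRIMARY KEY, score INTEGER)")
    return db

def cmd_submit_score(db, player, score):
    # Plausibility check only: it narrows what can be faked, it does not prove
    # the score was earned (that needs game logic on the server).
    if type(score) is not int or not 0 <= score <= MAX_SCORE:
        return {"ok": False, "error": "invalid score"}
    # Parameterized statements; the client never supplies SQL text.
    db.execute("INSERT OR IGNORE INTO scores VALUES (?, 0)", (player,))
    db.execute("UPDATE scores SET score = ? WHERE player = ? AND score < ?",
               (score, player, score))
    return {"ok": True}

def cmd_top_scores(db, player, limit=10):
    limit = min(max(int(limit), 1), 50)  # clamp the client-chosen page size
    rows = db.execute("SELECT player, score FROM scores "
                      "ORDER BY score DESC LIMIT ?", (limit,)).fetchall()
    return {"ok": True, "scores": rows}

# The whole protocol: anything not listed here is rejected.
COMMANDS = {"submit_score": cmd_submit_score, "top_scores": cmd_top_scores}

def handle_request(db, request):
    # Identity comes from the server-side session, never from request fields.
    token, command = request.get("token"), request.get("command")
    player = SESSIONS.get(token) if isinstance(token, str) else None
    if player is None:
        return {"ok": False, "error": "not authenticated"}
    handler = COMMANDS.get(command) if isinstance(command, str) else None
    if handler is None:
        return {"ok": False, "error": "unknown command"}
    try:
        return handler(db, player, **request.get("args", {}))
    except (TypeError, ValueError):
        return {"ok": False, "error": "bad arguments"}
```

The database account used by such an endpoint only needs rights on the tables its commands touch, and port 3306 stays closed to the internet.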