Any simple, but secure script available for Flash > MySQL DB integration? I need something for a Login DB.

Exchanging variables with PHP is nice and easy, but obviously insecure.

via Remoting? I've got the Flash 8 remoting components installed, and some ideas: idea-1, idea-2.

via NetConnection? Got some leads: lead-1, lead-2.

ColdFusion? Does anybody have any ideas?


Less likely solutions:

  • via XML? Does anybody have any idea how to use XML to connect to a DB? (AS2 or AS3)

  • AMF-PHP is not possible for security reasons (script installed on server root)

  • Java Server has to be specially installed on server.


Edit: Encryption should make the PHP solution more viable, although offering only basic protection for a high-security Login Database. See also: SO: 1, 2, 3, Adobe: 4.

+1  A: 

In the past, I've done Flex->DB using ASP.NET web services over SSL for login, etc. Flash should be able to talk to any web page over https, whether it's ASP.NET, PHP, or any other application server.

Can you be more specific about the requirements for a "high-security Login Database"? What would be an ideal solution for you?

And ColdFusion 8 works on Linux, Macintosh, and Solaris as well, though I've never used CF myself.

http://www.adobe.com/products/coldfusion/systemreqs/

ristonj
A: 

Afaik it is impossible to talk to a MySQL server directly via ActionScript (unless someone has written a package that actually handles the net stuff, but I haven't seen one yet).

May I also point out that your remark about "insecure because of PHP" is not really accurate? It is even worse when you actually do everything from the applet: It is peanuts these days to decompile an .SWF and then they will even have the login data for your database.

I think, as ristonj suggested, that it is best that you use the URLRequest class.

What I usually do is pass on the current php session ID to the applet so that I can include this and the user IP in the initial applet request. On the server I check if the ip/session are actually active in the session table and match. If so the user gets a sort of command token that allows him to perform requests, which in turn can do your database updates.

If you do all that over an SSL connection, you are pretty safe. And yes, you have to store PHP scripts on the server, but it is more difficult to get the source for these than just being able to decompile the applet and extract everything :)

I like to keep all program logic that is potentially dangerous on the server only, NOT in the applet.

Blizz
I meant insecure in the sense that Flash is transferring username+password details via POST ... via the URL! Or am I missing the point? Or is there any better way to do Flash > PHP?
Jenko
Actually POST isn't passed through the URL, you're thinking of GET. POST is passed in as part of the HTTP request.
ristonj
A: 

Basically, Flash has to pass Username+Password details to the PHP script for authentication... later PHP will send back private details to Flash using GET/POST.

I need some security to ensure that baddies can't access these private details.

Edit: PHP>MySQL DB seems to be secure enough. Its just the Flash>PHP part that needs some:

  • encryption (Hashing?)
  • a secure connection (HTTPS or HTTP via SSL?)
  • or a better, more direct approach to the MySQL DB (Remoting?).
Jenko
You clearly are confused about some basic concepts. Why do you think that anything Flash sends to or gets from a PHP script is less secure than anything Flash sends to a MySQL server?
hop
Because the connection is unencrypted. Any sort of sniffing tool can be used to read HTTP request data, etc.
Jenko
This doesn't make any sense. The connection does not have to be unencrypted. Why don't you encrypt it? Whatever the connection between your Flash app and the DB is, why would it be magically encrypted?
hop
You clearly are confused about some basic concepts. Flash cannot 'send' things to a MySQL server (I'll be glad if you prove me wrong!), all we can do is request server-side scripts to do the dirty work for us.
Jenko
+1  A: 

Whether you use Flash or PHP, you're still using HTML form technology / specification to do the GET/POST, thus using Flash is just as secure (or insecure) as using PHP, Perl, CGI, etc.

If you want some level of security on your logins, you should consider getting an SSL license for the site.

JasonMichael
So you mean we can use Flash>PHP>DB, via an SSL connection?
Jenko
+1  A: 

First of all, if you are worried about the security of the connection, don't send the password over it: always use a hash of it instead. Personally I never keep a password in plain text for a moment longer than necessary.

And for the rest, basically what I said in my previous answer: In the first "authenticate" call I would also pass along the session ID for normal PHP usage. On the server you check that ID in your sessions table and verify if the POST containing the data comes from the IP linked to that session. Then you verify the username and the hash that was specified, if all those are correct you can be pretty sure that the user is who they say they are.

Key to this is using the session_.... functions in PHP. I make sure to store both the session id and the matching IP (which you can get from $_SERVER['REMOTE_ADDR']) in my sessions table. That way you can check if the session ID and the IP match when the applet calls your server, adding a bit of extra security.

Anyway, nothing is safe these days and I'm not a security professional either, so there are far better solutions. Question is: how much effort are you willing to invest in it?

Blizz
I'm not sure sending a hash of the password (i.e. granting access based on a password hash) makes it more secure. It just makes the hash as valuable as the password itself, which isn't what you want, especially if you are using the same hashing mechanism to protect passwords stored in the db.
Tom Haigh
@tomhaigh: I agree, simply computing a hash makes the hash the password and does not provide any extra safety. If the server sends a challenge and the client does some hashing using that it might be a bit safer.
Simon Groenewolt
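As an added illustration (not code from anyone in this thread) of Blizz's session-bound login in both answers and of the challenge idea Simon Groenewolt raises: the static "send a hash" scheme is replayable, while a per-session nonce bound to the caller's IP is not. Users, salts, session ids and IP addresses are constructed; `make_verifier`, `login_static_hash` and `login_challenge` are my names.

```python
# Added example (not from the thread): Blizz's session-bound login with the
# client-side hash replaced by a per-session challenge. Users, salts and IPs are constructed.
import hashlib, hmac, secrets

def make_verifier(salt, password):
    return hashlib.sha256(salt + password).hexdigest()

USERS = {"alice": (b"s4lt-alice", make_verifier(b"s4lt-alice", b"correct horse"))}
SESSIONS = {}   # session id -> {"ip": caller's REMOTE_ADDR, "nonce": one-shot challenge}

def start_session(client_ip):
    """Blizz's sessions table: bind the session id to the caller's IP and issue a nonce."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"ip": client_ip, "nonce": secrets.token_hex(16)}
    return sid, SESSIONS[sid]["nonce"]

# Scheme A, "send a hash instead of the password": the hash IS the password,
# so whoever captured it once can log in again at will.
def login_static_hash(username, client_hash):
    _, stored = USERS[username]
    return hmac.compare_digest(stored, client_hash)

# Scheme B: prove knowledge of the verifier against a fresh, single-use nonce.
def client_response(username, password, nonce):
    salt, _ = USERS[username]   # a real server would send the salt along with the nonce
    return hmac.new(make_verifier(salt, password).encode(), nonce.encode(), hashlib.sha256).hexdigest()

def login_challenge(sid, client_ip, username, response):
    sess = SESSIONS.get(sid)
    if sess is None or sess["ip"] != client_ip or sess["nonce"] is None:
        return False            # unknown session, IP mismatch, or nonce already consumed
    nonce, sess["nonce"] = sess["nonce"], None   # consume it: a replayed response can never match
    _, stored = USERS[username]
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def replay_outcomes():
    """(static-hash replay, challenge first use, challenge replay, challenge from another IP)"""
    captured = make_verifier(USERS["alice"][0], b"correct horse")   # sniffed once under scheme A
    static_replay = login_static_hash("alice", captured)             # True, and stays true
    sid, nonce = start_session("203.0.113.7")
    resp = client_response("alice", b"correct horse", nonce)
    first = login_challenge(sid, "203.0.113.7", "alice", resp)       # True
    replay = login_challenge(sid, "203.0.113.7", "alice", resp)      # False: nonce consumed
    sid2, nonce2 = start_session("203.0.113.7")
    resp2 = client_response("alice", b"correct horse", nonce2)
    other_ip = login_challenge(sid2, "198.51.100.9", "alice", resp2)  # False: IP mismatch
    return static_replay, first, replay, other_ip
```

The stored verifier is itself enough to answer a challenge if the user table leaks, which is Tom Haigh's point; the nonce stops replay on the wire but does not replace SSL.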
+1  A: 

There is a project on google code, where you can directly connect from your swf movie to a MySQL database, over a TCP socket connection http://code.google.com/p/assql/. I never tried this, but it sounds interesting and very insecure.

Hippo
A: 

Check out AS3crypto - http://code.google.com/p/as3crypto/ - it's a great library for encryption.

1) Generate 1024-bit (or higher, depending on the security you need) RSA public / private keys.

2) Store the public key in your swf file (this is safe to do, even if someone decompiles your swf).

3) Store your private key in a secure location on the server.

4) Using the public key and the AS3crypto library, encrypt any data being sent from the swf before sending it to the server.

5) Once data arrives at the server, decrypt it with the private key, which only you have access to.

Hint - it's a good idea to hash the time into the data transmitted, to prevent someone from submitting the same encrypted data to gain access.

no thanks
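The server half of the scheme above, as an added example that is not code from the answer or from AS3crypto: the `cryptography` package (assumed installed) stands in for AS3crypto on the client side, the payload carries a timestamp and a nonce as the hint suggests, and the server refuses stale, replayed or tampered submissions. OAEP padding, the 2048-bit key size and all sample values are my choices.

```python
# Added example, not code from the answer or from AS3crypto: the server half of the
# RSA scheme, with the `cryptography` package (assumed installed) standing in for
# AS3crypto on the client. OAEP padding and the 2048-bit size are my choices.
import base64, json
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
WINDOW_SECONDS = 60     # how old a timestamp may be before the login is refused
SEEN_NONCES = set()     # replay cache; in production keep it in the DB with an expiry

# Steps 1 and 3: the key pair is generated once and the private key stays on the server.
# 2048 bits leaves room for the JSON payload under OAEP (1024 bits would allow only 62 bytes).
PRIVATE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUBLIC_KEY = PRIVATE_KEY.public_key()   # step 2: this is what the swf would embed

def client_encrypt(username, password, now, nonce):
    """Step 4 as the swf would do it: timestamp and nonce travel inside the ciphertext."""
    payload = json.dumps({"u": username, "p": password, "ts": now, "n": nonce}).encode()
    return base64.b64encode(PUBLIC_KEY.encrypt(payload, OAEP)).decode()

def server_decrypt_and_check(blob, now):
    """Step 5 plus the hint: decrypt, then refuse stale or already-seen submissions.
    Returns (username, password) on success, None on any failure."""
    try:
        payload = json.loads(PRIVATE_KEY.decrypt(base64.b64decode(blob), OAEP))
        ts, nonce, creds = payload["ts"], payload["n"], (payload["u"], payload["p"])
    except (ValueError, KeyError, TypeError):   # bad base64, wrong key, tampered data, bad JSON
        return None
    if abs(now - ts) > WINDOW_SECONDS:
        return None                   # stale: a captured blob cannot be reused tomorrow
    if nonce in SEEN_NONCES:
        return None                   # replayed inside the window
    SEEN_NONCES.add(nonce)
    return creds

def demo():
    """Fresh submission, a replay of the same blob, a stale one, and a tampered one."""
    t0 = 1_700_000_000                          # constructed clock value
    blob = client_encrypt("alice", "correct horse", t0, "nonce-1")
    fresh = server_decrypt_and_check(blob, t0 + 5)
    replay = server_decrypt_and_check(blob, t0 + 10)
    stale = server_decrypt_and_check(client_encrypt("alice", "correct horse", t0, "nonce-2"), t0 + 3600)
    tampered = server_decrypt_and_check("A" * len(blob), t0 + 5)
    return fresh, replay, stale, tampered
```

A timestamp alone still allows replay within the window, which is why the nonce cache is there; the public key in the swf authenticates nothing about the client, so the server still needs its own login check on the decrypted credentials.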