My Flash movie would like to communicate with a MySQL server to fetch and save data between MySQL and the SWF. I know AMFPHP can help with the communication, but is there a secure way to encrypt the text sent between the 2 sides (other than hashing the password in MD5)? As far as I know, by default, AMFPHP sends out data in plain text.

Also, I heard that the CPU usage during network requests in Flash is quite high. Any lightweight framework suggestions?

+3  A: 

I don't actually know much about AMFPHP but in general you should never send SQL queries from a client directly. No matter how good your encryption, someone can break it and then they can do whatever they want to your server.

You should create an API in PHP that the client can use to perform certain pre-defined safe actions on the DB, so if someone reverse-engineers your encryption (which, by the way, is extremely easy to do by decompiling your swf), they can only do things to the database that are allowed.

Jay Paroline
Correct. However, AMFPHP is already the API in PHP for the client to perform the actions.
Shivan Raptor
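
The "pre-defined safe actions" approach from the answer above, as an added example (not code from this thread or from AMFPHP): a plain PHP service class that accepts only values, never SQL text, and runs fixed parameterized statements. The class, table and method names are hypothetical, exposing such a class through a gateway like AMFPHP is an assumption, and in-memory SQLite stands in for MySQL so the block runs offline (PHP 8 with PDO).

```php
<?php
// Added example: hypothetical names throughout, not the thread's or AMFPHP's code.
final class ScoreService
{
    private const MAX_SCORE = 1000000; // assumed game-specific upper bound

    public function __construct(private PDO $db, private int $sessionUserId) {}

    // Pre-defined action: the client supplies a value only, never SQL text.
    public function saveScore(int $score): bool
    {
        if ($score < 0 || $score > self::MAX_SCORE) {
            throw new InvalidArgumentException('score out of range');
        }
        // The user id comes from the server-side session, not from the SWF,
        // so a decompiled client cannot write rows for another player.
        $stmt = $this->db->prepare(
            'INSERT INTO scores (user_id, score) VALUES (:uid, :score)'
        );
        return $stmt->execute([':uid' => $this->sessionUserId, ':score' => $score]);
    }

    // Pre-defined read: fixed query, result size capped on the server.
    public function topScores(int $limit = 10): array
    {
        $limit = max(1, min($limit, 50));
        $stmt = $this->db->prepare(
            'SELECT user_id, score FROM scores ORDER BY score DESC LIMIT :n'
        );
        $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed demo data; production code would pass the MySQL DSN instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE scores (user_id INTEGER NOT NULL, score INTEGER NOT NULL)');

$svc = new ScoreService($db, 42); // 42 = constructed session user id
$svc->saveScore(1500);
try {
    $svc->saveScore(999999999); // value a tampered client might send
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
print_r($svc->topScores(5)); // one row: user_id 42, score 1500
```

Even with the SWF fully decompiled, a caller can only invoke these two actions with validated arguments; transport confidentiality is a separate concern handled by HTTPS.
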
A: 

If you want a secure link between the flash app and the server, you'll probably just need to deploy your application over SSL, as with a traditional Web app.

CapnNefarious
True. Yet, people do not want the whole site with HTTPS. Sounds weird. Also, the cost of the SSL certificate is quite expensive. I would like to encrypt only the content being communicated.
Shivan Raptor
A: 

For secure login and private information, SSL is so affordable at $39.90 at Comodo. Other than that, why care about hashing your publicly viewable content if the security requirement is not important?

Why do you need to secure your whole website? Does the website contain just a Flex/Flash application?

One example of using HTTPS to secure users' online transactions is this: https://www.singtelshop.com/

James L.
Actually, I am planning to write a Flash game which supports online Visa/PayPal transactions. I just worry that if I mess up the security part, the users will lose their credits.
Shivan Raptor
+1  A: 

If you want in-game purchasing with Flash, I think the only reasonable thing to do is use SSL. You are being cheap about it but don't want your customers to be cheap (that is, you want them to pay for your game but you won't pay for their security). That is quite unreasonable IMO. You would only secure the transaction part (Flash requests and sends sensitive data to an https URL... the rest goes through normal channels).

You could look around for payment solutions using Flash. I wouldn't recommend a custom-made "encryption" solution since you don't seem to be a security expert.

Take a look at this tutorial on using PayPal with Flash (although it is not AS3, it can be easily converted; I have not tested it and am not sure if it fits your particular application).

By the way, AMFPHP can handle binary send/receive. You also send/receive what you need in a given moment so CPU usage can be kept at a minimum.

mga