|Simple secure way for Flash to MySQL Database||#1|
Any simple, but secure script available for Flash > MySQL DB integration? I need something for a Login DB.
Exchanging variables with PHP is nice and easy, but obviously insecure.
via Remoting? I've got the Flash 8 remoting components installed, and some ideas: idea-1, idea-2.
via NetConnection? Got some leads: lead-1, lead-2.
Cold Fusion? Anybody has any ideas?
Less likely solutions:
via XML? Anybody has any idea how to use XML to connect to a DB? (AS2 or AS3)
AMF-PHP is not possible for security reasons (script installed on server root)
Java Server has to be specially installed on server.
Edit: Encryption should make the PHP solution more viable, although offering only basic protection for a high-security Login Database. See also: SO: 1, 2, 3, Adobe: 4.
posted date: 2008-12-29 12:10:00
|Re: Simple secure way for Flash to MySQL Database||#3|
In the past, I've done Flex->DB using ASP.NET web services over SSL for login, etc. Flash should be able to talk to any web page over https, whether it's ASP.NET, PHP, or any other application server.

Can you be more specific about the requirements for a "high-security Login Database"? What would be an ideal solution for you?

And ColdFusion 8 works on Linux, Macintosh, and Solaris as well, though I've never used CF myself.
http://www.adobe.com/products/coldfusion/systemreqs/
posted date: 2008-12-29 13:40:00
|Re: Simple secure way for Flash to MySQL Database||#4|
Why is PHP insecure for this? Surely having as much logic as possible in a server-side middle tier like PHP is in fact highly secure, as client-side flash/AS can easily be reverse-engineered and modified by malicious users. Or am I missing the point?
posted date: 2008-12-30 04:02:00
|Re: Simple secure way for Flash to MySQL Database||#5|
Afaik it is impossible to talk to a MySQL server directly via ActionScript (unless someone has written a package that actually handles the net stuff, but I haven't seen one yet).

May I also point out that your remark about "insecure because of PHP" is not really accurate? It is even worse when you actually do everything from the applet: It is peanuts these days to decompile an .SWF and then they will even have the login data for your database.

I think, as Ristonj suggested, that it is best that you use the URLRequest class. What I usually do is pass on the current PHP session ID to the applet so that I can include this and the user IP in the initial applet request. On the server I check if the IP/session are actually active in the session table and match. If so the user gets a sort of command token that allows him to perform requests, which in turn can do your database updates.

If you do all that over an SSL connection, you are pretty safe. And yes, you have to store PHP scripts on the server, but it is more difficult to get the source for these than just being able to decompile the applet and extract everything :)

I like to keep all program logic that is potentially dangerous on the server only, NOT in the applet.
posted date: 2008-12-30 04:35:00
|Re: Simple secure way for Flash to MySQL Database||#6|
Basically, Flash has to pass Username+Password details to the PHP script for authentication... later PHP will send back private details to Flash using GET/POST. I need some security to ensure that baddies can't access these private details.

Edit: PHP>MySQL DB seems to be secure enough. It's just the Flash>PHP part that needs some:
- encryption (Hashing?)
- a secure connection (HTTPS or HTTP via SSL?)
- or a better, more direct approach to the MySQL DB (Remoting?).
posted date: 2008-12-30 05:34:00
|Re: Simple secure way for Flash to MySQL Database||#7|
Whether you use Flash or PHP, you're still using HTML form technology / specification to do the GET/POST, thus using Flash is just as secure (or insecure) as using PHP, Perl, CGI, etc.

If you want some level of security on your logins, you should consider getting an SSL license for the site.
posted date: 2008-12-30 05:54:00
|Re: Simple secure way for Flash to MySQL Database||#8|
I meant insecure in the sense that Flash is transferring username+password details via POST ... via the URL! Or am I missing the point? Or is there any better way to do Flash > PHP?
posted date: 2008-12-30 05:59:00
|Re: Simple secure way for Flash to MySQL Database||#9|
First of all, if you are worried about the security of the connection, don't send the password over it: always use a hash of it instead. Personally I never keep a password in plain text for a moment longer than necessary.

And for the rest, basically what I said in my previous answer: In the first "authenticate" call I would also pass along the session ID for normal PHP usage. On the server you check that ID in your sessions table and verify if the POST containing the data comes from the IP linked to that session. Then you verify the username and the hash that was specified, if all those are correct you can be pretty sure that the user is who they say they are.

Key to this is using the session_.... functions in PHP.

I make sure to store both the session id and the matching IP (which you can get from $_SERVER['REMOTE_ADDR']) in my sessions table. That way you can check if the sessionID and the IP match when the applet calls your server, adding a bit extra security.

Anyway, nothing is safe these days and I'm not a security professional either, so there are far better solutions. Question is: how much effort are you willing to invest in it?
posted date: 2008-12-30 06:01:00
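
The session/IP check and command token described in replies #5 and #9, sketched as an added example that is not code from the thread or its posters. The table contents, function names and sample values are constructed assumptions; the posted credential (the password, or the client-side hash reply #9 suggests) is treated as an opaque secret checked against a `password_hash()` digest, and the whole exchange is assumed to run over HTTPS.

```php
<?php
// Added example: constructed data, hypothetical function and table names.
declare(strict_types=1);

// Constructed in-memory stand-ins for the sessions and users tables.
$sessions = ['sess-abc123' => ['ip' => '203.0.113.10', 'user' => null, 'token' => null]];
$users    = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Step 1: the "authenticate" call. Returns a command token, or null on any failure.
function authenticate(array &$sessions, array $users, string $sid, string $ip,
                      string $username, string $credential): ?string
{
    // The session must exist and be bound to the IP the request came from.
    if (!isset($sessions[$sid]) || !hash_equals($sessions[$sid]['ip'], $ip)) {
        return null;
    }
    // Verify against the stored digest; unknown users get the same null result.
    $stored = $users[$username] ?? null;
    if ($stored === null || !password_verify($credential, $stored)) {
        return null;
    }
    // Issue an unguessable command token and tie it to this session.
    $token = bin2hex(random_bytes(32));
    $sessions[$sid]['user']  = $username;
    $sessions[$sid]['token'] = $token;
    return $token;
}

// Step 2: every later request must present session ID, matching IP and token.
function authorizeRequest(array $sessions, string $sid, string $ip, string $token): ?string
{
    $s = $sessions[$sid] ?? null;
    if ($s === null || $s['token'] === null || $s['ip'] !== $ip) {
        return null;
    }
    // Constant-time comparison so the token cannot be guessed byte by byte.
    return hash_equals($s['token'], $token) ? $s['user'] : null;
}

// Demo with constructed values; a real endpoint takes $ip from $_SERVER['REMOTE_ADDR'].
$token = authenticate($sessions, $users, 'sess-abc123', '203.0.113.10', 'alice', 'correct horse');
var_dump($token !== null);
var_dump(authorizeRequest($sessions, 'sess-abc123', '203.0.113.10', $token));
var_dump(authorizeRequest($sessions, 'sess-abc123', '198.51.100.7', $token));
var_dump(authenticate($sessions, $users, 'sess-abc123', '203.0.113.10', 'alice', 'wrong'));
```

The third and fourth calls show the two rejection paths: a valid token replayed from a different IP, and a wrong credential on a valid session.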
|Re: Simple secure way for Flash to MySQL Database||#10|
So you mean we can use Flash>PHP>DB, via an SSL connection?
posted date: 2008-12-30 06:13:00
|Re: Simple secure way for Flash to MySQL Database||#11|
Actually POST isn't passed through the URL, you're thinking of GET. POST is passed in as part of the HTTP request.
posted date: 2008-12-30 06:28:00
|Re: Simple secure way for Flash to MySQL Database||#12|
You clearly are confused about some basic concepts. Why do you think that anything Flash sends to or gets from a PHP script is less secure than anything Flash sends to a MySQL server?
posted date: 2008-12-30 07:22:00