Creating a file on server, using Flash AS3 + PHP

Report · Oct 10, 2012

I have a very simple PHP script that creates a new file on my server using a random number for the file name (e.g., 412561.txt). When I load the script directly from a browser, it works. But when I load the script from a very simple Flash (AS3) script, it does not work (i.e., doesn't create a file). The Flash script and PHP script are both in the same directory. Permissions on the directory and its content are 755. Temporarily setting those permissions to 777 does not solve the problem (i.e., PHP still doesn't create file when called via Flash).

Here is my phpinfo.

Here is the PHP file.

The contents of the PHP file are:

<?php
error_reporting(E_ALL); 
ini_set("display_errors", 1);
$RandomNumber = rand(1,1000000);
$filename = "$RandomNumber" . ".txt";
$filecontent = "This is the content of the file."; 
if(file_exists($filename))
          {$myTextFileHandler = fopen($filename,"r+"); }
else
          {$myTextFileHandler = fopen($filename,"w"); }
if($myTextFileHandler)
          {$writeInTxtFile = @fwrite($myTextFileHandler,"$filecontent");}      
        
fclose($myTextFileHandler);    
?>

Here is the html container for the Flash script. The Flash script features a single button which calls the PHP script when pressed. In case it helps, here is the raw Flash file itself. The code of the Flash script is as follows:

stop();
var varLoader:URLLoader = new URLLoader;
var varURL:URLRequest = new URLRequest("http://www.jasonfinley.com/research/testing/TestingSaveData.php");
btnSave.addEventListener(MouseEvent.CLICK,fxnSave);
function fxnSave(event:MouseEvent):void{
          btnSave.enabled=false; 
          varLoader.load(varURL);
}

Directory listing is enabled at the parent directory here, so you can see there when a new text file is created or not. (Um, if this is a security disaster, please let me know!)

Can anyone please help me understand why this isn't working and how I can fix it? Thank you

~jason

Report · Oct 11, 2012

#1, Yes that is a security risk, please disable directory index viewing.

#2, Always validate. I see no issue with the code you're using but clearly it's not working. The way you find out is your trusty errors.

Make a new document (or paste this into your existing) where a button with the instance name btnSave is on screen:

// import required libs
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.events.MouseEvent;
import flash.events.SecurityErrorEvent;
import flash.text.TextField;
// assign handler
btnSave.addEventListener(MouseEvent.CLICK, fxnSave);
// make a textfield to display status
var tf:TextField = new TextField();
addChild(tf);
tf.width = stage.stageWidth;
tf.height = 300;
tf.multiline = true;
tf.wordWrap = true;
tf.selectable = false;
tf.text = "Loading...\n";
// just making sure the textfield is below the button
this.swapChildren(tf,btnSave);
function fxnSave(event:MouseEvent):void
{
    // disable button
    event.currentTarget.enabled = false;
    // new loader
    var varLoader:URLLoader = new URLLoader();
    // listen for load success
    varLoader.addEventListener(Event.COMPLETE, _onCompleteHandler);
    // listen for general errors
    varLoader.addEventListener(IOErrorEvent.IO_ERROR, _onErrorHandler);
    // listen for security / cross-domain errors
    varLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, _onErrorHandler);
    // perform load
    varLoader.load(new URLRequest("http://www.jasonfinley.com/research/testing/TestingSaveData.php"));
}
// complete handler
function _onCompleteHandler(e:Event):void
{
    tf.appendText("Load complete: " + e);
}
// error handler
function _onErrorHandler(e:Event)
{
    if (e.type == SecurityErrorEvent.SECURITY_ERROR)
    {
        tf.appendText("Load failed, Security error: " + e + " type[" + e.type + "]");
    }
    else if (e.type == IOErrorEvent.IO_ERROR)
    {
        tf.appendText("Load failed, IO error: " + e + " type[" + e.type + "]");
    }
}

I get a Event.COMPLETE for mine, so the PHP script is definitely firing. Change the URL to something invalid and you'll see the IOErrorEvent fire off right away.

That leaves you to diagnose the PHP script. Check your error_log and see what is going wrong. You're suppressing errors on your file write which doesn't help you locate the issue saving the file. If you want to handle errors yourself you should do the usual try/catch and handle the error yourself (write a debug log file, anything).

Report · Oct 12, 2012

Sinious, Thanks very much for the detailed and patient advice. I'm a scientist who occassionally has to do programming in service of my research, and though I have been doing such ad-hoc programming for years, I still sometimes find myself out of my depth. I appreciate that you neither (a) assumed I know much more than I do, nor (b) assumed I'm a fool.

I've disabled directory listing. The error checking code you gave is very helpful. Also, I'd overlooked the fact that I still had the "@" character suppressing errors on the fwrite call in the PHP. I removed that, but nothing appeared in the error_log, even in cases when a Flash-instigated call to the PHP file failed to create a text file.

I've posted a new version of the test Flash file, using your code from above, here. Like you, I get no error, and when I FTP in to the server, I see that a new text file has indeed been successfully created. To my dismay, I also now see that the original test Flash file, which was NOT working two days ago, is now working today. Could anything possibly explain this? Maybe something to do with my hosting company's servers (Surpass Hosting)?

The only other possibly relevant clue I have is that when I was testing things two days ago, I looked at the server raw access logs and saw that loading clicking on the Save button from TestingSave.swf (which didn't successfully create a file) resulted in a request for /crossdomain.xml which is a file that doesn't exist and that I'm unfamiliar with. But today, no such server request occurs. Thoroughly baffling. I don't see how I stand a chance of fixing a bug that can't be reliably reproduced!

Report · Oct 12, 2012

Holy [toledo], I just figured it out!

Okay, because I wasn't sure if this problem was due to Flash or due to PHP, I posted this question in two places: right here in teh Adobe forums, and over at phpbuilder.com . With suggestions from the guys/gals over there, combined with Sinious's suggestions here, and the crossdomain.xml clue, I had a sudden revelation as to why the problem seemed to be intermittent. The answer is, incredibly, "www."

If I use the following URL, the process works, and a new text file is successfully created:

http://www.jasonfinley.com/research/testing/TestingSave2.html

If instead I use the following URL (not including the "www."), the process does not work, and we get a security error:

http://jasonfinley.com/research/testing/TestingSave2.html

The reason I thought the problem was intermittent was because I had been using different URLs on different occassions, paying no heed to the "www." because it's such a common part of experience that I took no note of it either way.

So, the problem seems to be that Flash won't allow access for other scripts unless they are on the exact same domain, and it doesn't consider, for example, www.adobe.com to be the same as just adobe.com . My Flash file calls the PHP file with an absolute link that starts with "http://www.". Now I know that it will work as long as I access the Flash file itself also using "www.". But I would like to fix this so that it will work either way. If anyone knows how to do THAT, please do let me know.

I'll be looking around for an answer (now that I know what the actual problem is), and will post back here if I do find it on my own.

Report · Oct 13, 2012

Got it. I just had to make a plain text file called "crossdomain.xml" with the following contents:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.jasonfinley.com" />
<allow-access-from domain="jasonfinley.com" />
</cross-domain-policy>

I placed that at the root directory of my web server (public_html) and now I'm able to successfully run the whole process whether I use "www." in the URL or not. (I know this is already going to be elementary for many, but for me this was a big problem-solving endeavor.)

Report · Oct 15, 2012

That's the SecurityErrorEvent portion of the code. If that was firing in flash that's the sure-fire way to find out if your crossdomain.xml policy wasn't allowing the SWF access to the domain.

Flash is in a very tight sandbox. Errors are typically the way you find out why your latest creation just isn't working.

This is a very common issue. You mentioned:

If instead I use the following URL (not including the "www."), the process does not work, and we get a security error:
http://jasonfinley.com/research/testing/TestingSave2.html

And in my code I was using "www", however it wasn't making a new text file. My request was coming from my own machine and crossdomain should have kicked in with a SecurityErrorEvent because I'm not requesting from the same server, although it didn't fire off. It could be a lax apache config setting.

Either way I'm glad you got your issue fixed and good luck!

Adobe Community

Creating a file on server, using Flash AS3 + PHP