8 Replies Latest reply on Apr 22, 2009 10:48 PM by Gregory Lafrance

    HTTPService - GET and POST in Flex

    Gregory Lafrance Level 6

      I'm sending JSON data to a PHP script on the server, and I'm a bit new to the server side stuff so I'm hoping you all can answer a few questions.

       

      1) I thought using POST was more secure than GET, as GET sends parameters with the URL, but when I send by post, spaces are replaced with %20, so is my data really being sent by POST, or GET?

       

      2) I thought I had heard that under certain conditions you might send data by POST, but due to a bug Flex actually sends the data by GET. What are the conditions under which this happens?

       

      3) How can I send usernames and passwords using HTTPS in Flex using HTTPService? I assume I should use HTTPS as it is supposed to be secure.

       

      4) I've been messing around with PHP to process the data on the server, but quite frankly, working with PHP seems really difficult. I get the data, a PHP print says it's an object, but object notation ->  => does not seem to work. I've used PHP methods to get the object "keys", and also done a little with processing PHP arrays, but it still seems like PHP does not make it easy on you. Anything better for more easily transferring data securely between Flex and MySQL?

       

      Thanks very much in advance!

      Greg

        • 1. Re: HTTPService - GET and POST in Flex
          Michael Borbor Level 4

          Use ColdFusion Greg. There isn't anything simpler than that.

          • 2. Re: HTTPService - GET and POST in Flex
            Michael Borbor Level 4

            Although if you're using Flex / PHP, the Zend Framework will help you overcome those situations because when using the Zend Framework you'll be using Remote Objects.

            1 person found this helpful
            • 3. Re: HTTPService - GET and POST in Flex
              Gregory Lafrance Level 6

              Is ColdFusion a secure way for transferring passwords and other sensitive data as well?

              • 4. Re: HTTPService - GET and POST in Flex
                Michael Borbor Level 4

                All server technologies are insecure by "default", you need to do some configuration there but CF makes that easy for you, you could use SSL to secure the channel, then use the cflogin framework, add role-based permission to the ColdFusion CFCs and you're ready to go. But let's face it, an app is never 100% secure.

                • 5. Re: HTTPService - GET and POST in Flex
                  Gregory Lafrance Level 6

                  I guess I can apply some of those same principles to using raw PHP?

                  • 6. Re: HTTPService - GET and POST in Flex
                    Michael Borbor Level 4

                    Definitively the principles are the same, the how is the one that differs. If you're going the PHP way ZendPHP with RemoteObjects will be the most efficient way if you're developing an app from top to bottom.

                    • 7. Re: HTTPService - GET and POST in Flex
                      Peter Farland Level 3

                      Hi Greg,

                       

                      What build of Flex are you using?

                       

                      1) When using HTTPS the GET URL would also be encrypted, but once decrypted on the server the URL might be logged so it's suggested to not use GET for transmitting credentials.

                       

                      In 3.x, the default contentType is application/x-www-form-urlencoded - but what happens to your data depends on the type of the params passed into HTTPService.send(). Are you constructing a JSON request as a String?

                       

                      BTW, did you try to set a contentType? I looked at the 3.x SDK source in SVN and the HTTPService contentType property still has metadata which provides code insight in the IDE but it also restricts the values of . When toString() is called on this XML node the root node is unwrapped and the empty string content returned. To avoid this toXMLString() can be called on the XML node to get the entire XML representation.

                       

                       

                      3) Load your SWF via HTTPS and also use HTTPS to send your credentials to the server and establish a session. If you tried to use a Basic Auth challenge you'd have to rely on the browser authentication dialog as you can no longer preauthenticate using an "Authorization" header as it is on the list of headers not allowed by flash.net.URLLoader. See the docs for URLRequestHeader used to configure headers with URLLoader:

                      http://livedocs.adobe.com/flex/3/langref/flash/net/URLRequestHeader.html

                       

                      As for how to send custom credentials... I think if you can solve your issue in 1) then the rest is up to what you want to do on the server. There should be lots of PHP login examples out there too. As a best practice try to delete / null out credentials variables when they're no longer in use on the client or server. Even though you're using HTTPS, consider additionally Base-64 encoding the credentials (for example, you could copy the format of the HTTPS Authorization header with a single "username:password" string) to obscure them in the event that a clear text version of the request is logged, or viewed in a debugger, etc.

                       

                      Pete

                      1 person found this helpful
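
An added example, not posted by anyone in this thread: a PHP login endpoint that applies the points raised above (HTTPS only, POST only, parsing by Content-Type, and array access to decoded JSON). It assumes PHP 7.1 or later, TLS terminating at the PHP server, and hypothetical names: the fields `username` and `password`, and the helper `lookup_password_hash()`.

```php
<?php
// Added example: hypothetical login.php. Field names and lookup_password_hash() are assumptions.
// Constructed stand-in for a database lookup: returns a password_hash() value or null.
function lookup_password_hash(string $username): ?string
{
    $users = ['greg' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $message]);
    exit;
}

// 1) Refuse plain HTTP (assumes TLS terminates at this server, not at a proxy).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    fail(403, 'HTTPS required');
}
// 2) Refuse GET: the query string can end up in server logs even over HTTPS.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}
// 3) Choose the parser from the Content-Type the client actually sent.
$type = strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));
if ($type === 'application/json') {
    // Raw body; true => associative arrays, so read $data['key'] rather than $data->key.
    $data = json_decode(file_get_contents('php://input'), true);
} elseif ($type === 'application/x-www-form-urlencoded') {
    $data = $_POST; // PHP has already percent-decoded the body (%20 => space)
} else {
    fail(415, 'Unsupported content type');
}
$user = is_array($data) ? ($data['username'] ?? null) : null;
$pass = is_array($data) ? ($data['password'] ?? null) : null;
if (!is_string($user) || !is_string($pass)) {
    fail(400, 'username and password required');
}
// 4) Compare against the stored hash; never log or echo the submitted password.
$hash = lookup_password_hash($user);
if ($hash === null || !password_verify($pass, $hash)) {
    fail(401, 'Invalid credentials');
}
session_start(['cookie_secure' => true, 'cookie_httponly' => true]);
session_regenerate_id(true); // new session id once authenticated
$_SESSION['user'] = $user;
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

Percent-encoding such as %20 in the body is the normal form-urlencoded representation of a POST; the method is identified by `$_SERVER['REQUEST_METHOD']`, not by the encoding.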
                      • 8. Re: HTTPService - GET and POST in Flex
                        Gregory Lafrance Level 6

                        Thanks Peter. Your answer is way over my head, but it seems you touch on some good points, so I'll do some additional research into the topics you mention.