4 Replies Latest reply on Jan 30, 2011 10:28 PM by Kumar Pratik

    How to prevent php to mySQL queries outside of Flex?

    kmdguy

      Hi there,


      I have a FLEX app which uses a variety of the standard .php scripts to interact with a mySQL database and it all works just fine.


      My concern is that if I am monitoring the web activity on my Flex app, I can see when it makes a call to retrieve or send data to my database.

      In my browser's activity monitor I can see a line item which looks something like this:


      http://www.mywebsite.com/GetSubscribersService.php?method=FindAll


      Now, if I copy that URL and paste or type it into any browser I get a full text-based readout of all the information that the .php file pulls from the mySQL database. I've been talking to my web host as to how to either prevent this activity from showing, or how to prevent any direct URL to fire off my .php scripts to access all the data in my database. None of them were familiar with Flex and the only thing they could suggest was something like a session ID to verify each call to these .php scripts.


      Each user of my Flex app does need to log in and so I could verify them somehow, but I have no idea and I have never read anything about this in all of the Flex books that I have studied.


      What can I do to prevent someone from directly typing in a URL like the one above with a FindAll method and getting all the data returned in their browser? These php scripts are supposed to only be called from within the Flex application. I'm an intermediate Flex user, so any actual code samples of how a solution would work would be greatly appreciated.


      Thanks,

      Dan

        • 1. Re: How to prevent php to mySQL queries outside of Flex?
          Pappa_John

          This is actually not a Flex issue, but one of php. There is nothing Flex can do to prevent a publicly-accessible php page from running when accessed via a browser.


          You will need to find a way for your php scripts to authenticate that the user and/or your flex app are authorized to view the information. How you go about this depends on how your flex app and your php scripts work.

          • 2. Re: How to prevent php to mySQL queries outside of Flex?
            kmdguy Level 1

            Thanks for your reply. Well, basically my php scripts are the simple default ones that are generated when using the Flex 3 Builder wizard to connect to a database with php. I'm not a php guru but I'm trying to learn. So if you are familiar with the "canned" scripts that get created during the Wizard process then that's exactly what I have to work with. I've been told that a 'sessionID' is the way to go, however I don't know how to implement that in my Flex app. If I had a code example of how to create one (via a cookie or something) upon a successful login I could try a few things.


            Thanks,

            Dan

            • 3. Re: How to prevent php to mySQL queries outside of Flex?
              Pappa_John Level 1

              Sorry, I've never used the wizard-generated scripts (but I can imagine what they contain).


              If you're talking about php sessions - they in themselves will not provide the solution you are looking for. Your php scripts will still need to authenticate the request, after which you'd create / manage the session.


              You say your users must log in, so clearly you are authenticating them. You can then pass some credentials (authorization code, etc) along with the request that your php scripts can validate. You need to be aware that the credentials will be passed as plain text (either GET or POST), so build in the security you deem appropriate.


              Like I said, there's no Flex-only solution.
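One way to have the scripts validate the request, as Pappa_John describes: an added example written for this thread, not code from the post or from the Flex Builder wizard. It assumes a hypothetical `users` table holding password hashes, a `subscribers` table, JSON responses that the Flex app parses, and constructed connection values; the Flex app would POST `method=Login` once with the username and password, then call `method=FindAll` as before.

```php
<?php
// Added example, not from the thread or the Flex Builder wizard output.
// Assumptions (hypothetical): a `users` table with id, username and
// password_hash (from password_hash()), a `subscribers` table, and JSON
// responses that the Flex app parses. Connection values are constructed.
ini_set('session.cookie_httponly', '1');   // keep the cookie away from scripts
session_start();

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

function jsonOut($status, $payload) {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($payload);
    exit;
}

$method = isset($_REQUEST['method']) ? $_REQUEST['method'] : '';

switch ($method) {
    case 'Login':
        // Credentials travel in the POST body rather than the query string,
        // so they do not land in browser history or server access logs.
        $user = isset($_POST['username']) ? $_POST['username'] : '';
        $pass = isset($_POST['password']) ? $_POST['password'] : '';
        $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        if (!$row || !password_verify($pass, $row['password_hash'])) {
            jsonOut(401, array('error' => 'invalid credentials'));
        }
        session_regenerate_id(true);          // fresh session id after login
        $_SESSION['user_id'] = $row['id'];
        jsonOut(200, array('ok' => true));

    case 'FindAll':
        // The check the thread is asking for: no logged-in session, no data.
        if (empty($_SESSION['user_id'])) {
            jsonOut(401, array('error' => 'login required'));
        }
        $result = $db->query('SELECT id, name, email FROM subscribers');
        jsonOut(200, $result->fetch_all(MYSQLI_ASSOC));

    default:
        jsonOut(400, array('error' => 'unknown method'));
}
```

Because the Flex app runs inside the browser, the session cookie set at login is sent automatically with every later request, so no Flex-side changes are needed beyond calling Login first. A logged-in user can still paste the FindAll URL themselves; the check limits the data to authenticated accounts, not to the Flex client, which is the "no Flex-only solution" point above.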

              • 4. Re: How to prevent php to mySQL queries outside of Flex?
                Kumar Pratik Level 1

                One thing you could do is, instead of using the generated PHP file, create your own php files to interact with the database. You will find loads of them on the web.

                Make sure you are not using any echo or print statements in the php file.

                The other thing is, if you can find which system-generated PHP file is echoing the output, then you can just comment out those lines and it would work.