How do you call the php file from flex? I'm hoping it is through an HTTP call? If it is an HTTP call, then the url that you call on the php will be a proxy url to the actual php file on the server right?
why are you hoping it's through http?
I would think amf is better
not sure how firebug handles that if at all. Amf is binary so not so easily read and even if the destination can be seen on firebug then its just the amf gateway, the classes behind are hidden
although it is possible to decompile a swf back to code (a google search will return plenty)
there is a way of securing the swf against this with third party software but it's not cheap
Even with amf, there are tools that can make it look very nice and pretty such as Charles, and firebug I think. If you want security use HTTPS.
One way of not allowing the user to send the parameters to the php is the use of sessions. There should be a way for you to get the user's IP address in PHP; if the initial request (I'm talking about the login and auth stuff here) comes from an IP then store the IP address in a map and consider it as a session, and only then modify the database for all the future requests from that IP. Use a session identifier on the client and server to identify the session at both places. Even if someone sniffs the session identifier, the IP map on the server should take care of authenticating the user.
If you are more worried about the parameters and url then you need to use HTTPS communication for the whole process.
Yes I am using HTTP service to make the call to the php file.. My code looks like this:
HTTPService.url = "http://localhost/pratik/test.php";
This makes it very vulnerable.. Please help
Can you please let me know any link where I can get details for how to use HTTPS communication for the whole process
Could you please throw some more ideas.. I am totally confused here
I don't think using amf or https alone will add any fundamental security in this case.
You need to add a way for the php script to check that the request was made from a valid user. saisri2k2 above suggested using php sessions. Another similar approach is to have a login routine where the php script issues a token after a successful login. That token should be used in all subsequent requests to the server. The php script needs to check that the token is valid before doing anything. Something like this:
Any approach will require some kind of initial login routine.
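One way to implement the login-token check Dave describes, as an added example that is not code from the thread. It assumes PHP 7+, a PDO connection in $db, and hypothetical users and tokens tables; the token travels in the POST body rather than the URL.

```php
<?php
// Added example: login issues a random token bound to a user id;
// every later request must present a valid, unexpired token before
// the script touches the database. Table/column names are hypothetical.

function login(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['pass_hash'])) {
        return null;                          // bad credentials: no token issued
    }
    $token = bin2hex(random_bytes(32));       // 64 hex chars, unguessable
    $ins = $db->prepare('INSERT INTO tokens (token, user_id, expires) VALUES (?, ?, ?)');
    $ins->execute([$token, $row['id'], time() + 3600]);  // one hour lifetime
    return $token;
}

// Returns the user id the token belongs to, or null if unknown/expired.
function userForToken(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id FROM tokens WHERE token = ? AND expires > ?');
    $stmt->execute([$token, time()]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// test.php request handler: the token is read from POST, never from the query string.
$uid = userForToken($db, $_POST['token'] ?? '');
if ($uid === null) {
    http_response_code(401);
    exit('not authenticated');
}
// Authorization happens here too: the row to update is chosen from the
// authenticated user id, not from a user-supplied parameter.
$stmt = $db->prepare('UPDATE profiles SET bio = ? WHERE user_id = ?');
$stmt->execute([$_POST['bio'] ?? '', $uid]);
```

The token is still visible in Firebug, as the next reply points out; what it buys you is that the server knows which account is acting and can refuse actions that account may not perform.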
won't the token be visible in firebug the same as the other variables?
maybe you just need to encrypt any data
btw, if you use the ip then bear in mind mobile 3G changes ip
I wasn't attempting to hide the token, or the other passed parameters.
The token allows the php script to authenticate who the user is (assuming the token is stored against a user ID). Then the php script can determine whether this user is able to initiate the requested action.
Using https won't hide the data from the user. I think you can view it in Firebug and other utilities.
Encrypting the data leaves the problem of decrypting at the other end.
For controlling server access, I think it's necessary to enforce security at the server end. Determine who is connected, and then police what they are allowed to do.
If the server will only use php, then PHP sessions are probably an easier way to manage this.
Https is important for many reasons, but not for hiding things from the end user.
Someone here replied about the https, maybe it will help. For authentication/authorization stuff, you can use single sign on for php (search it in google), there are a lot of libraries available for handling the sessions. Or LDAP for php. These are the tools that you need to understand and implement on the server; of course, it takes a lot of time to implement, but they have already done a lot of the redundant tasks that you are about to do.
Thanks for your suggestion. I am currently working on this .. I will update how it goes.
I tried using HTTPS as my HTTPService and placed the crossdomain.xml but I am getting Security Error now
Hi Dave,
I tried doing it this way:
Check for User Authentication-->If user is valid generate a random number
I thought that I will use this random number to check first and only if it is equal will I allow any database operation. But again in this case I will have to pass this as a parameter which will be visible to the end user and they can use this value to do any other operation. Correct??
You have any other idea on this
Well 1 idea could be to use the POST method.. This would prevent my variable from appearing in the address bar, which means the user can not directly modify my data and do some database operation. What do you guys think about this??
Firebug can also see POST data... Just in a different tab
You must understand that any form on the web works this way... When you receive data on a page, you must consider that the user modified it and you should not trust the user.
What you could do, but I'm pretty sure someone could bypass this with a lot of motivation, is to add a new token (random) sent by the server in response to each request.(You should also use sessions)
The next request received from this user would have to contain a hash of this token with a "private key". For example, if the token is 22453567423, the hash would be an encrypted version with added chars like: md5(myApp22453567423isCool123).
This solution is not completely safe since the 'private key' could be found by decompiling your app or by brute forcing (that would take a lot of time and your server should prevent this by logging the attempts).
Anyway, when you develop an app, you cannot really prevent the user from hacking it... You can discourage them by adding this kind of tricks.
It's why your server shouldn't trust the user and should validate every request before modifying the database.
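The per-request nonce scheme from the post above, written out as an added example that is not code from the thread. It assumes PHP 7+ with PHP sessions already holding the logged-in user id, and swaps the post's md5(secret . nonce) for hash_hmac() with a constant-time compare; the caveat in the post stands, since the shared secret still ships inside the SWF.

```php
<?php
// Added example: server hands out a fresh random nonce with every response;
// the next request must carry HMAC(secret, nonce). Each nonce is burned on
// first use, so a captured request cannot simply be replayed.
session_start();
$secret = 'REPLACE_WITH_APP_SECRET';      // placeholder; the client embeds the same value

function issueNonce(): string {
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['nonce'] = $nonce;          // valid for exactly the next request
    return $nonce;
}

function verifyNonce(string $clientMac, string $secret): bool {
    $expected = $_SESSION['nonce'] ?? null;
    unset($_SESSION['nonce']);            // burn it whether or not the check passes
    if ($expected === null) {
        return false;                     // no outstanding nonce for this session
    }
    $mac = hash_hmac('sha256', $expected, $secret);
    return hash_equals($mac, $clientMac); // constant-time comparison
}

if (!isset($_SESSION['user_id'])) {       // sessions still required, as the post says
    http_response_code(401);
    exit;
}
if (!verifyNonce($_POST['mac'] ?? '', $secret)) {
    // Log failures so repeated guessing is visible, as the post recommends.
    error_log('nonce check failed for session ' . session_id()
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit;
}
// ... perform the database operation on behalf of $_SESSION['user_id'] ...
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'nonce' => issueNonce()]);  // nonce for the next call
```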
you can see POST variables with firebug. Wasn't that your original point? Firebug.
Firebug is built into the browser so you have to encrypt any sensitive data before it gets to the browser.
I completely agree with you. One of my basic problems was that since I was using GET all my variables were seen in the browser, and also if I just do http:/localhhost/kpratik/test.php?uname=kumar , it will display the output of my php code, but I think using POST I can prevent this. Please correct me if I am wrong...
I really like the idea of a random number and then encrypting. In fact I started with that.. Can you please share some example code or some link for the same..