brett

Reputation: 1789

PHP can be exclusively accessed by SWF

I'm not sure how to describe this, but basically I have a PHP class file:

    class HelloHello {

        public function getSomeData($input_parameter) {
            // code to retrieve data from the database
        }

        public function deleteSomeData($input_parameter) {
            // code to delete data from the database
        }
    }

This class is on the server and is part of the backend that connects with a database, and it's meant to be accessed by the frontend SWF only (not to be directly accessed). I've set up Flex to read this class and access it. But how do I make sure that someone doesn't develop a script that can call this PHP file directly and access its methods? For example, using a script to add data in a fast automated way, or using the delete method directly, ouch.

Is this a legitimate concern, or can this not be done?

Upvotes: 3

Views: 188

Answers (4)

Konrad Neuwirth

Reputation: 898

You could also implement a challenge-response security system that makes sure the client you use is actually the intended recipient of the data. That way, you would embed a secret key into the SWF. The PHP app sends a one-time string, the client does something to it according to its secret and then sends the answer back -- which your server can validate and then continue to run.

For some basic mathematical foundations to this, there's quite some documentation online.

Upvotes: 0
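The exchange described in the answer above, as an added example that is not part of the original post: the server issues a one-time challenge, the client returns an HMAC-SHA256 over it, and the server checks the result once. It goes slightly beyond the answer by also binding the method name and argument into the HMAC; the function names, the `SHARED_SECRET` value and the in-memory `$store` are assumptions made for illustration.

```php
<?php
// Added example: HMAC-based challenge-response. All names are hypothetical.
declare(strict_types=1);

const SHARED_SECRET = 'constructed-demo-secret'; // assumption: same value embedded in the SWF
const CHALLENGE_TTL = 30;                        // seconds a challenge stays valid

// Server: issue a one-time challenge and remember when it expires.
function issueChallenge(array &$store, int $now): string
{
    $nonce = bin2hex(random_bytes(16));
    $store[$nonce] = $now + CHALLENGE_TTL;
    return $nonce;
}

// Client side (what the SWF would compute): HMAC over challenge, method and argument.
function signRequest(string $secret, string $nonce, string $method, string $arg): string
{
    return hash_hmac('sha256', $nonce . "\n" . $method . "\n" . $arg, $secret);
}

// Server: accept a request only for a known, unexpired, unused challenge.
function verifyRequest(array &$store, int $now, string $nonce, string $method, string $arg, string $mac): bool
{
    if (!isset($store[$nonce])) {
        return false;                    // unknown or already used challenge
    }
    $expires = $store[$nonce];
    unset($store[$nonce]);               // one-time: consume before checking
    if ($now > $expires) {
        return false;                    // challenge expired
    }
    $expected = signRequest(SHARED_SECRET, $nonce, $method, $arg);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demo; an array stands in for the session or cache.
$store = [];
$now   = time();
$nonce = issueChallenge($store, $now);
$mac   = signRequest(SHARED_SECRET, $nonce, 'deleteSomeData', '42');
var_dump(verifyRequest($store, $now, $nonce, 'deleteSomeData', '42', $mac)); // first use
var_dump(verifyRequest($store, $now, $nonce, 'deleteSomeData', '42', $mac)); // replay

$nonce2 = issueChallenge($store, $now);
$mac2   = signRequest(SHARED_SECRET, $nonce2, 'getSomeData', '42');
var_dump(verifyRequest($store, $now, $nonce2, 'deleteSomeData', '42', $mac2)); // method swapped
```

A secret shipped inside the SWF can be read by anyone who decompiles the file, so this check raises the effort needed to script the endpoint and does not replace server-side authentication and authorization.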

Cornel Creanga

Reputation: 5308

You can secure your file by adding security and authentication. If you cannot do that (it is a public application), you should implement some techniques which can prevent specific situations: do not allow calling your script too many times per second from the same IP, add a CAPTCHA in order to check that the entered data came from a human and not a machine, and maybe other ones.

Upvotes: 0

adamcodes

Reputation: 1606

If you know the URL where the SWF runs, can't you just limit the requests to that URL in PHP? Disregard all other requests.

Upvotes: 0

Warty

Reputation: 7395

If a user can view it through your flash application, the user can view it with his application. You could go through the [ugly] mess of trying to "secure" your script by introducing cookies and authentication and the like, but that's messy, and of course, it can be gone around.

Instead of trying to stop others from accessing your PHP file, focus on making it more secure.

Upvotes: 1
