Flash (AS 3.0) -> PHP -> MySQL Security

Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Flash (AS 3.0) -> PHP -> MySQL Security

Post by Aristona »

Hey,

I have been developing with PHP for years now, and I am currently developing a mini game with Flash by using ActionScript 3.0.
Since AS 3.0 is a client-side language, I am going to use PHP to handle data transfer between MySQL and the Flash application.

My only question is,
What is the theory that user can't be sending inputs directly to PHP?

For example, imagine this.

Flash sends var nPoints = 850; nName = "Username"; to PHP by GET. (blahblah.php?point=850&username=Username)
PHP inserts 850 to database. (basic sql stuff)

Any user with a little knowledge could directly browse PHP file and input this.
blahblah.php?point=9999999999999999&username=MyHaxorUser

This came up in my mind.

I can send encrypted data to PHP, and nobody will know about the decryptor.

For example,
"Username" gets encrypted to "9AJ7ADHAWD8J18AHDWAD7AH18" and it gets decrypted to "Username" only in PHP. So they can't write their nicknames directly.

But still, they can change their nickname in Flash application, create an encrypted text, and write it to PHP. Since the encryption will be correct, PHP will decrypt it correctly and allow the value to pass.

How can I avoid this?
Someone in another forum suggested using SSL, but is there no other way of securing this?

Awaiting your reply,
Thanks.

Ps. Not speaking about SQL Injection. Please don't comment if you can't be sure about the subject. :)
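
An added example, not part of the original post or of any reply in this thread: a server-side check for the blahblah.php request described above that does not rely on anything the Flash client keeps secret. The names accept_score and MAX_POINTS_PER_ROUND, the session keys user_id and open_rounds, and the extra round parameter are assumptions made for illustration; the sample requests are constructed.

```php
<?php
// Added example; every name and limit here is an assumption, not the poster's code.
const MAX_POINTS_PER_ROUND = 1000; // assumed game rule: most points one round can yield

/**
 * Decide what, if anything, to store for one score submission.
 * $session: state the server set at login / round start (never sent by the client).
 * $query:   the raw GET parameters, i.e. what $_GET would hold.
 */
function accept_score(array $session, array $query): array
{
    // Identity comes from the server-side session; ?username= is ignored entirely.
    if (empty($session['user_id'])) {
        return ['ok' => false, 'reason' => 'not logged in'];
    }
    // The server issued this round id when the round started; the caller must
    // remove it from the session after a successful insert so it is spent once.
    $round = $query['round'] ?? '';
    if (!is_string($round) || !isset($session['open_rounds'][$round])) {
        return ['ok' => false, 'reason' => 'unknown or already used round'];
    }
    // Strict integer parse with a range; anything else is rejected, not clamped.
    $points = filter_var($query['point'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_POINTS_PER_ROUND],
    ]);
    if ($points === false) {
        return ['ok' => false, 'reason' => 'points missing or out of range'];
    }
    return ['ok' => true, 'user_id' => $session['user_id'],
            'points' => $points, 'spent_round' => $round];
}

// Constructed sample data: one logged-in player with one open round.
$session = ['user_id' => 42, 'open_rounds' => ['r1' => true]];
$requests = [
    ['point' => '850', 'round' => 'r1'],
    ['point' => '9999999999999999', 'username' => 'MyHaxorUser', 'round' => 'r1'],
    ['point' => '850', 'round' => 'guessed'],
    ['point' => '850'],
];
foreach ($requests as $q) {
    echo json_encode($q), ' => ', json_encode(accept_score($session, $q)), "\n";
}
```

A hand-typed value inside the allowed range still passes: the check bounds what one request can claim and whose account it touches, it does not prove the round was actually played.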
mikeashfield
Forum Contributor
Posts: 159
Joined: Sat Oct 22, 2011 10:50 am

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Post by mikeashfield »

Couldn't you just store the encrypted username, and then only decrypt it when passing it to the client? That way, you're only technically using one-way encryption. And use mod_rewrite to make the URL more friendly.
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Post by Aristona »

They could still abuse it, I believe.

Flash should either be doing the encryption or decryption. They could still have access to my encryption method.

Any other suggestions on this case?

I am planning to make a mini RPG game (e.g. like FarmVille on Facebook) so I want to know how they make the data transfer between Flash and MySQL.
mikeashfield
Forum Contributor
Posts: 159
Joined: Sat Oct 22, 2011 10:50 am

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Post by mikeashfield »

From Zynga: "We encrypt the transmission of that information using secure socket layer technology ("SSL")."
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Post by Aristona »

No other possible ideas except SSL?
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Post by Aristona »

Up once more.