Flash (AS 3.0) -> PHP -> MySQL Security

Posted: Mon Nov 07, 2011 5:44 pm
by Aristona
Hey,

I have been developing with PHP for years now, and I am currently developing a mini game with Flash by using Actionscript 3.0.
Since AS 3.0 is a client-side language, I am going to use PHP to handle data transfer between MySQL and the Flash application.

My only question is,
What is the theory that user can't be sending inputs directly to PHP?

For example, imagine this.

Flash sends var nPoints = 850; nName = "Username"; to PHP by GET. (blahblah.php?point=850&username=Username)
PHP inserts 850 to database. (basic sql stuff)

Any user with a little knowledge could directly browse PHP file and input this.
blahblah.php?point=9999999999999999&username=MyHaxorUser

This came up in my mind.

I can send encrypted data to PHP, and nobody will know about the decryptor.

For example,
"Username" gets encrypted to "9AJ7ADHAWD8J18AHDWAD7AH18" and it gets decrypted to "Username" only in PHP. So they can't write their nicknames directly.

But still, they can change their nickname in Flash application, create an encrypted text, and write it to PHP. Since the encryption will be correct, PHP will decrypt it correctly and allow the value to pass.

How can I avoid this?
Someone in another forum suggested using SSL, but is there no other way of securing this?

Awaiting your reply,
Thanks.

Ps. Not speaking about SQL Injection. Please don't comment if you can't be sure about the subject. :)
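
Added example, not part of the original posts: one way the PHP side can handle the forged `blahblah.php?point=...&username=...` request described above, by taking identity from the session and bounding the score with state only the server holds. The names `startRound`, `acceptScore`, `MAX_POINTS_PER_SECOND`, the `token` parameter and the session layout are hypothetical, and the arrays stand in for `$_SESSION` and the request parameters.

```php
<?php
// Added example: server-side checks for a score submission.
// All names here are hypothetical, not from the original thread.

const MAX_POINTS_PER_SECOND = 10;   // assumed game rule; tune per game

// Called when the Flash client asks to begin a round. The token lives in
// server-side session state, so the client cannot mint a valid one itself.
function startRound(array &$session, int $now): string
{
    $session['round'] = ['token' => bin2hex(random_bytes(16)), 'started' => $now];
    return $session['round']['token'];
}

// Returns [accepted, reason]. $request stands in for the request parameters.
function acceptScore(array &$session, array $request, int $now): array
{
    if (!isset($session['user_id'])) {
        return [false, 'not logged in'];
    }
    $round = $session['round'] ?? null;
    unset($session['round']);                       // token is single use
    $token = $request['token'] ?? '';
    if ($round === null || !is_string($token) || !hash_equals($round['token'], $token)) {
        return [false, 'no matching round'];
    }
    $points = filter_var($request['point'] ?? null, FILTER_VALIDATE_INT);
    if ($points === false || $points < 0) {
        return [false, 'malformed score'];
    }
    $elapsed = max(1, $now - $round['started']);
    if ($points > $elapsed * MAX_POINTS_PER_SECOND) {
        return [false, 'score not reachable in elapsed time'];
    }
    // Identity comes from the session, never from a "username" parameter.
    // A real handler would now run a parameterised INSERT for
    // ($session['user_id'], $points).
    return [true, 'ok'];
}

// Constructed demo input, runnable from the CLI.
$session = ['user_id' => 42];
$t0 = 1000;
$token = startRound($session, $t0);
var_dump(acceptScore($session, ['point' => '9999999999999999', 'username' => 'MyHaxorUser', 'token' => $token], $t0 + 60));
$token = startRound($session, $t0);
var_dump(acceptScore($session, ['point' => '850', 'token' => $token], $t0 + 120));
```

These checks bound what a modified client can claim rather than proving a score is genuine. Encryption inside the SWF does not change that, because the key ships with the client.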

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Posted: Mon Nov 07, 2011 6:04 pm
by mikeashfield
Couldn't you just store the encrypted username, and then only decrypt it when passing it to the client? That way, you're only technically using one-way encryption. And use mod_rewrite to make the URL more friendly.

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Posted: Tue Nov 08, 2011 7:08 am
by Aristona
They could still abuse it, I believe.

Flash should either be doing the encryption or decryption. They could still have access to my encryption method.

Any other suggestions on this case?

I am planning to make a mini RPG game (e.g. like FarmVille on Facebook), so I want to know how they make the data transfer between Flash and MySQL.

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Posted: Tue Nov 08, 2011 9:48 am
by mikeashfield
From Zynga: "We encrypt the transmission of that information using secure socket layer technology ("SSL")."

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Posted: Wed Nov 09, 2011 10:23 am
by Aristona
No other possible ideas except SSL?

Re: Flash (AS 3.0) -> PHP -> MySQL Security

Posted: Fri Nov 11, 2011 8:01 pm
by Aristona
Up once more.