Vulnerability of flash movies in php

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

dorgon
Forum Newbie
Posts: 4
Joined: Wed Feb 22, 2006 8:35 am

Vulnerability of flash movies in php

Post by dorgon »

The flash games submit their scores to be saved via PHP.
Actually, the submission is vulnerable, because someone will decompile the flash movie after getting it from the website. They will then find the addresses & strings in the pages (e.g. save.php?record=1000), and will submit a pseudo-form to the web server via PHP which will show false scores.

As the addresses & strings are exposed in the flash movie (no encryption), how can I distinguish whether the results were submitted by web or by flash (I have tried the getURL() function of Flash's ActionScript, but it is the same as POST)? How can I restrict the results so they are not submitted by web? What are the options for securing this with encryption?

Remark: AES_ENCRYPT() & SSL must be established on the form, but the POST methods of the forms will be virtual.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Anything from the user is not to be trusted. Which makes this fundamentally impossible to do.

You can, however, get pretty darn close. I think making the flash as much of a black box as possible would be best.
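One way to act on "anything from the user is not to be trusted" on the server side, as an added example that is not part of the original thread: the server issues a one-time round token and rejects scores that are implausible for the time actually played. The function names, the session layout, the `token` field and both limits are assumptions; `save.php` and `record` come from the question. This raises the cost of forging a score but does not make it impossible.

```php
<?php
declare(strict_types=1);
// Added example: server-side checks for a score endpoint (names are hypothetical).
const MAX_POINTS_PER_SECOND = 50;   // assumed game-specific ceiling
const MAX_GAME_SECONDS      = 3600; // assumed longest legitimate round

// Called when the movie asks to start a round: issue a one-time token.
function start_round(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['round'] = ['token' => $token, 'started' => $now];
    return $token;
}

// Called by save.php: returns the accepted score, or null to reject.
function accept_score(array &$session, array $post, int $now): ?int
{
    $round = $session['round'] ?? null;
    unset($session['round']); // token is single use, even when a check fails
    if ($round === null || !isset($post['token'], $post['record'])) {
        return null;
    }
    if (!is_string($post['token']) || !hash_equals($round['token'], $post['token'])) {
        return null;
    }
    // Strict integer parsing: rejects "1e9", "-5" and array input.
    $score = filter_var($post['record'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($score === false) {
        return null;
    }
    $elapsed = $now - $round['started'];
    if ($elapsed < 1 || $elapsed > MAX_GAME_SECONDS) {
        return null;
    }
    // Plausibility: the score must be reachable in the time played.
    return $score <= $elapsed * MAX_POINTS_PER_SECOND ? $score : null;
}

// Constructed demonstration (not real traffic); timestamps are made up.
$session = [];
$token = start_round($session, 1000);
var_dump(accept_score($session, ['token' => $token, 'record' => '1000'], 1030));   // plausible round
$token = start_round($session, 2000);
var_dump(accept_score($session, ['token' => $token, 'record' => '999999'], 2005)); // score too high for 5 s
var_dump(accept_score($session, ['token' => $token, 'record' => '10'], 2010));     // token already used
```

In a real `save.php` the `$session` and `$post` arguments would be `$_SESSION` and `$_POST`, and `$now` would be `time()`.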