AS3 -> PHP -> DB, how to make it secure?

Question

I have to make connection to the DB and Insert a row based on the data that the SWF sent me...

I will need to make it so that the SWF->PHP part is secure by not letting users tamper with data.

I don't want to use SSL because its not a suitable solution... what other method is available?

This question is way too broad. You need to build good interfaces to prevent users from tampering with data. SSL and encryption are no help there at all - they just make the connection between user and system secure. You'll need to show what you do, and ask in more detail about the interactions that take place — Pekka
– Pekka, Commented Oct 23, 2010 at 11:48
For example, a flash game... It sends a score to PHP to be recorded. The score shouldn't be tampered with or it becomes unfair. — Melina
– Melina, Commented Oct 23, 2010 at 11:50
possible duplicate of Suggestions for (semi) securing high-scores in Flash/PHP game... — Paul Dixon
– Paul Dixon, Commented Oct 23, 2010 at 11:55
Sorry, i wasn't good at searching i guess, i couldnt find anything related to hiscores — Melina
– Melina, Commented Oct 23, 2010 at 12:24
Check this out for some ideas: stackoverflow.com/questions/73947/… — Juan Pablo Califano
– Juan Pablo Califano, Commented Oct 23, 2010 at 14:53

rook · Accepted Answer · 2010-11-02 07:54:31Z

1

The firefox plugin TamperData can manipulate any request sent by the browser regardless of https.

To make sure the message wasn't modified on the wire you can use an HMAC. The secret key K can be packaged with the flash application and a flash obfuscater can be used. However, this is security though obscurity and any hacker with an afternoon to kill will be able to fool this system. However this is the best that you can do.

edited Nov 2, 2010 at 7:54

answered Nov 2, 2010 at 7:41

rook

67.1k38 gold badges171 silver badges248 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Adrian Pirvulescu · Accepted Answer · 2010-11-02 07:49:21Z

0

Encode data in client with private key.
Send it to php server
Decode data in php and add it to database

OR Make all the possible and use HTTPS / SSL

answered Nov 2, 2010 at 7:49

Adrian Pirvulescu

4,3403 gold badges32 silver badges47 bronze badges

1 Comment

Juan Pablo Califano Over a year ago

Pirvulescu. SSL does not add any security here. SSL secures the channel (meaning, it prevents a third party from sniffing the client/server conversation). It does not prevent one party from tampering the exchanged data.

mway · Accepted Answer · 2010-11-02 07:49:56Z

0

You may have luck with AMFPHP. Quoted from the SourceForge page:

"AMF allows for binary serialization of Action Script (AS2, AS3) native types and objects to be sent to server side services."

While no method is foolproof, I tend to lean toward this - or making socket connections to a local socket server which then handles database interaction.

answered Nov 2, 2010 at 7:49

mway

4,3573 gold badges28 silver badges37 bronze badges

Comments

buggedcom · Accepted Answer · 2010-11-02 07:53:48Z

0

Send a salted hash of the serialized data you are sending. Then check that key on the server. This again whilst not foolproof will help stop 99% of your fraud.

Also make sure you encrypt your swf so the hash salt and salting method can not be exposed.

answered Nov 2, 2010 at 7:53

buggedcom

1,5322 gold badges18 silver badges34 bronze badges

Collectives™ on Stack Overflow

AS3 -> PHP -> DB, how to make it secure?

4 Answers 4

Comments

1 Comment

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

Comments

1 Comment

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related