Clever Geek Handbook

Simple secure way for MySQL database Flash

Any simple yet safe script available for Flash> MySQL DB integration ? I need something for the DB login.

Exchanging variables with PHP is nice and easy, but clearly unsafe.

through Remoting? I have Flash 8 uninstall components installed and some ideas: idea-1 , idea-2 .

via NetConnection? There are several examples: lead-1 , lead-2 .

Cold Fusion? Does anyone have any idea?

Less likely solutions:

  • via XML? Does anyone know how to use XML to connect to DB? (AS2 or AS3)

  • AMF-PHP is not possible for security reasons (script installed on server root)

  • Java server that will be specially installed on the server.

Edit: Encryption should make the PHP solution more viable, although it only offers basic security for a highly secure login database. See also: SO: 1 , 2 , 3 , Adobe: 4 .

0


source to share


8 answers


Afaik it is not possible to talk to the MySQL server directly through ActionScript (unless someone wrote a package that is actually without the help of clean stuff, but I haven't seen it yet).

May I also point out that your remark about "PHP uncertainty" is actually not so accurate? It's even worse when you actually do everything from an applet: these days, peanuts decompile the .SWF and then they even have the credentials to enter your database.

I think, as Ryston suggested, the best way is to use the URLRequest class.



What I usually do is pass the current php session id for the applet so that I can include this and the user's IP address in the applet's initial request. On the server, I check if the ip / session is actually active in the session table and matches. If so, the user receives a kind of command token that allows him to execute queries, which in turn can update the database.

If you do all of this over an SSL connection, you're pretty secure. And yes, you have to store PHP scripts on the server, but getting the source for them is harder than just decompiling the applet and extracting everything :)

I like to support all programming logic that is potentially dangerous only on the server, not in the applet.

0


source


If you are using Flash or PHP, you are still using HTML / specificaion technology to generate GET / POST, so using Flash is as safe (or unsafe) as using PHP, Perl, CGI, etc.



If you need a certain level of security for your logins, you should consider getting an SSL license for the site.

+2


source


Have a look at AS3crypto - http://code.google.com/p/as3crypto/ is a great encryption library.

1) Generate 1024-bit (or better, depending on your security) RSA public / private keys.

2) Save the public key in your swf file (it's safe even if someone decompiles your swf).

3) Store the private key in a safe place on the server.

3) Using the public key and AS3crypto library, encrypt any data sent from swf before sending it to the server.

4) After the data arrives on the server, decrypt it with a private key that only you have access to.

The hint is a good idea to hash the time in the transferred data so that someone does not give out the same encrypted data to access.

+2


source


I have done Flex-> DB in the past using ASP.NET web services over SSL for login etc. Flash should be able to talk to any web page over https, be it ASP.NET, PHP or any other application server.

Can you clarify the requirements for a "high security login database"? What would be the ideal solution for you?

And ColdFusion 8 works on Linux, Macintosh, and Solaris as well, although I've never used CF myself.

http://www.adobe.com/products/coldfusion/systemreqs/

+1


source


First of all, if you are concerned about the security of the connection, do not send it the password: always use a hash instead. Personally, I never leave the password in plain text for longer than necessary.

And for the rest, basically what I said in my previous answer: in the first "authentication" call, I also passed the session id for normal PHP use. On the server, you check this ID in the session table and check if the POST containing the data comes from the IP associated with that session. Then you check the username and hash that was specified, if everything is correct, you can be sure that the user is who they say.

The key to this is the use of the session _.... functions in PHP. I will make sure to store the session ID and the corresponding IP address (which you can get from $ _SERVER ['REMOTE_ADDR']) in my session table. This way you can check if the sessionID and IP match when the applet calls your server, adding a little extra security.

Anyway, nothing is safe these days, and I'm not a security professional either, so there are much better solutions out there. The question is: how much effort are you willing to invest in it?

+1


source


There is a google code project where you can directly connect from your swf movie to a MySQL database, via a TCP socket connection http://code.google.com/p/assql/ . I've never tried this, but it sounds interesting and very insecure.

+1


source


Basically, Flash has to pass Username + Password data to PHP script for authentication ... later PHP will send private data to Flash using GET / POST.

I need protection to ensure that attackers cannot gain access to this private data.

Edit: PHP> MySQL DB seems secure enough. Its just the Flash> PHP part that needs it:

  • encryption (Hashing?)
  • secure connection (HTTPS or HTTP over SSL?)
  • or a better, more direct approach to MySQL database (Remoting?).
0


source


Accessing MySQL directly from AS3 - check: http://code.google.com/p/assql/

0


source






More articles:


All Articles