Solved

Flash Login Interface, how secure?

Posted on 2008-10-17
Last Modified: 2013-11-11
Hi Experts,

I've made an interface for a website that allows the owners of the site to update data on their website, access their mailing list & send mails to their subscribers, post news, etc.
The main timeline consists of 1 key frame that dynamically loads the Login mc.
The Login mc then checks the username and password through a php session script file that connects with the server's database where the login data is stored.

When the FlashVars receive a green light from the php script, the main menu gets loaded using loadMovie() and the other features get enabled.

My guess is this is fairly secure; anyway, it's not Fort Knox's website, right? (I sometimes even wonder about my own internet banking security, but that might be another question...)

I'm wondering however, the functionality of the entire interface lies in the ability to read, write and delete data in xml files that are stored on the server (not in the database). These php and xml files are actually 'in the open'....

So my question is, when calling these php scripts, should I again check if the login session is true? (and how exactly should I do this?)
Can the php files be tampered with, without even running the .swf ? (I almost believe this is a rhetorical question...)
So... how do I secure the php files?

And last but not least, can the xml files get altered externally (without using the swf nor the php scripts?)

Thanks in advance !

d
Question by:Dreammonkey

7 Comments
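The question asks whether every php script behind the interface should re-check the login session, and how. One way to do it, as an added example that is not code from the thread: a small auth_check.php that is required at the top of each script that reads, writes or deletes the xml files. It relies only on the $_SESSION['loggedIn'] flag that the asker's check.php already sets; the file name, the function names and the error text are assumptions, and it is written for PHP 7.1 or later.

```php
<?php
// auth_check.php: added example, not code from the thread. Include it at the
// top of every PHP script that reads, writes or deletes the XML files, so a
// request sent straight to such a script (without running the SWF) is refused
// unless check.php has already set $_SESSION['loggedIn'] in this session.
// The $_SESSION key comes from the question; the function names and the
// error text are assumptions.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

/**
 * True only when this PHP session was marked as logged in by check.php.
 * Nothing the SWF sends (FlashVars, POST fields) is trusted here; only the
 * server-side session, which the client cannot write to.
 */
function isLoggedIn(): bool
{
    return isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true;
}

/**
 * Gate for the data-editing scripts: stop with a 403 and a LoadVars-style
 * name=value reply the SWF can display, before any XML file is touched.
 */
function requireLogin(): void
{
    if (!isLoggedIn()) {
        header('HTTP/1.1 403 Forbidden');
        echo 'login=failure&error=' . urlencode('session required');
        exit;
    }
}

requireLogin();
```

Each script that edits the xml files then starts with `require_once 'auth_check.php';` as its first statement, so a direct request to it without a logged-in session never reaches the file-writing code. The gate does nothing for the xml files themselves: as long as they sit under the web root they can be fetched by URL whether or not the swf is involved, so if their contents are sensitive they belong outside the document root (or behind a web-server rule that denies direct access), with only the session-gated php scripts reading and writing them.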
 
LVL 1

Assisted Solution

by:rmirabelle
rmirabelle earned 250 total points
ID: 22749492
You say the login mc checks the username and password - I assume that it sends the login and password entered by the user to the server and the server performs the check and sends the result back to the login mc?

You mention that the SWF's functionality depends on the ability to read xml files that are in the open.  What do these xml files contain?  Hopefully NOT usernames and passwords.  

I'm not sure if I understand you completely, but here's how I would handle logins from an swf.
Your swf collects username and password.
The swf uses LoadVars to send the username and password to a script on your server and await a response.
That script uses the username and password and looks them up on the database.
The script then echoes a response of either just 'yes' or 'no'
The swf has been waiting for the response and if the response is 'yes', enables the other parts of the app.

The example code assumes that your receiving script will do the work of checking the login and output this:
echo 'the_response=yes';
or
echo 'the_response=no';

This should be secure enough for most needs.  It would be difficult for someone to impersonate your script and send back a 'yes' response.  And of course, your PHP scripts themselves are not served, so they are secure.  When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe.

Hope this gives you some ideas
public function login(user:String, password:String) {
     var lv:LoadVars = new LoadVars();
     var url:String = 'http://myserver.com/page.php?login=' + user + '&password=' + password;
     // called once the server's name=value reply has been parsed into lv
     lv.onLoad = function(success) {
          if (success) {
               var result:String = lv.the_response;
               if(result == 'yes') {
                    //enable rest of app
               }
          }
     }
     lv.load(url);
}

 
LVL 8

Author Comment

by:Dreammonkey
ID: 22761680
Hi rmirabelle,

Thanks for the comment, my passwords and logins are safely stored in the mysql db, no worries about that, I was just wondering - also in relation to the related question :

If someone could 'hack' the .swf?
Regarding the threads in the related question, I therefore thought of loading the 'important parts' of the .swf at runtime, thinking that this would make it more secure, is that correct?

You said :
    "your PHP scripts themselves are not served, so they are secure."

Could you explain this a little further for me? I don't really know what to understand by "they are not served"....

Secondly:
    "When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe. "

I don't really get that either,
should I implement that in the logincheck.php ?

My check.php looks like this :



<?php
session_start();

$login = $_POST['login'];
$password = $_POST['password'];

//mysqldetails
require_once("dbDetails.php");

$SQL = "SELECT * FROM members_tbl WHERE username ='".$login."' AND password = '".$password."'";

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);

if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}
?>

 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 250 total points
ID: 22762471
>>> I don't really know what to understand by "they are not served"....

That means that the PHP scripts themselves are run on the server side.  The end user (in a proper environment) does not have access to the scripts.  They only see the result of them in HTML form.

>>> should I implement that in the logincheck.php ?

Absolutely, yes.  Any data that goes to the database should first be escaped for safety.  You'll want to read through some sections of the PHP manual to understand why this is:

http://www.php.net/manual/en/security.database.sql-injection.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
 
LVL 8

Author Comment

by:Dreammonkey
ID: 22763176
OK, I see what you're getting at...

Still I don't know how to properly formulate the code ...
Could you help me out?

In the example on the mysql_real_escape_string page at php.net they state :
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
should I take this literally ?
what does the '%s' stand for? And why do they use it twice for a different string ?

my php is poor, I manage with some tutorials and a lot of actionscript, security is a whole new subject...

Thanks in advance

// That's not it, is it?
 

<?php
session_start();

$login = $_POST['login'];
$password = $_POST['password'];

//mysqldetails
require_once("dbDetails.php");

$SQL = "SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'";
            mysql_real_escape_string($username),
            mysql_real_escape_string($password));

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);

if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}
?>

 
LVL 50

Accepted Solution

by:Steve Bink
Steve Bink earned 250 total points
ID: 22764144
For sprintf(), see here:

http://www.php.net/manual/en/function.sprintf.php

Pay close attention to the format parameter and the examples for it.  The line you are using in your example would effectively be the same as this:

$query = "SELECT * FROM users WHERE user='" . mysql_real_escape_string($user) .
               "' AND password='" . mysql_real_escape_string($password) . "'";

The only problem in your most recent code is that you are using $login for the variable assignment, but $username when you build the query.  Make sure your variable names match what you need.
 
LVL 1

Assisted Solution

by:rmirabelle
rmirabelle earned 250 total points
ID: 22764246
SWFs can be hacked, at least to a degree, with the use of decompilers.  As such, it's best to keep any actual sensitive data out of them.  It takes extra work to load sensitive data dynamically, but I would say it's necessary for private data - especially stuff like logins and passwords.  Plus, it's good to get the practice with swf to server communication - it's something you'll likely use quite often.

$SQL = sprintf("SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));

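The sprintf() line above (and Steve Bink's concatenated equivalent) is the thread's fix: the username and password are escaped before they become part of the SQL text, which is what the linked PHP manual page on SQL injection is about. Note that mysql_real_escape_string() needs an open connection, so dbDetails.php must connect before the query is built, and that the whole mysql_* extension was removed in PHP 7.0. As an added example that is not the thread's code, here is the same check.php written the way it would be done today: a PDO prepared statement carries the values separately from the query, so no escaping is needed, and the password is compared against a stored hash rather than matched in SQL as the original query does (which only works when passwords are stored in clear). It keeps the login=success / login=failure reply the SWF already parses, and the same pattern serves rmirabelle's the_response=yes/no variant. Assumptions: dbDetails.php defines $pdo as a PDO connection, members_tbl has a password_hash column produced by password_hash(), and PHP 7.1 or later.

```php
<?php
// check.php, hardened: added example, not the thread's code.
// Assumed: dbDetails.php creates $pdo (a PDO connection) and members_tbl has a
// password_hash column filled by password_hash(). Both are assumptions; the
// table name, the POST field names and the reply format come from the thread.
session_start();
require_once 'dbDetails.php';

/**
 * Look the user up with a prepared statement and verify the password hash.
 * The submitted values are bound as parameters, so they are never spliced
 * into the SQL text and cannot change the query's structure.
 */
function checkLogin(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM members_tbl WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                     // unknown user
    }
    // password_verify() checks the hash in constant time.
    return password_verify($password, $row['password_hash']);
}

$login    = (string) ($_POST['login'] ?? '');
$password = (string) ($_POST['password'] ?? '');

if ($login !== '' && checkLogin($pdo, $login, $password)) {
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['loggedIn'] = true;         // the flag the other scripts check
    $_SESSION['user']     = $login;
    // LoadVars parses name=value pairs; urlencode() keeps an '&' or '=' in a
    // username from breaking the reply format.
    echo 'login=success&id=' . urlencode($login);
} else {
    // Same reply for unknown user and wrong password, so the SWF (or anyone
    // calling the script directly) learns nothing about which one it was.
    echo 'login=failure';
}
```

The swf does not need to change: it still posts login and password and reads the login variable from the reply. On the database side the only change is that the password column holds hashes, written once with password_hash() when accounts are created or updated.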
 
LVL 8

Author Closing Comment

by:Dreammonkey
ID: 31507346
Sorry it took me so long to assign points,
Thanks for the answers !