Solved

Flash Login Interface, how secure?

Posted on 2008-10-17
1,057 Views
Last Modified: 2013-11-11
Hi Experts,

I've made an interface for a website that allows the owners of the site to update data on their website, access their mailing list & send mails to their subscribers, post news, etc.
The main timeline consists of 1 key frame that dynamically loads the Login mc.
The Login mc then checks the username and password through a php session script file that connects with the server's database where the login data is stored.

When the FlashVars receive a green light from the php script, the main menu gets loaded using loadMovie() and the other features get enabled.

My guess is this is fairly secure, anyway, It's not Fort Knox' website, right? (I sometimes even wonder about my own internet banking security, but that might be another question...)

I'm wondering however, the functionality of the entire interface lies in the ability to read, write and delete data in xml files that are stored on the server (not in the database). These php and xml files are actually 'in the open'....

So my question is, when calling these php scripts, should I again check if the login session is true? (and how exactly should I do this?)
Can the php files be tampered with, without even running the .swf ? (I almost believe this is a rhetorical question...)
So... how do I secure the php files?

And last but not least, can the xml files get altered externally (without using the swf nor the php scripts?)

Thanks in advance !

d
Question by:Dreammonkey
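The session check asked about in the question, as an added example that is not code from the thread: a small include that every XML-reading or XML-writing PHP script requires before doing any work, relying on the loggedIn flag that check.php sets. The file names auth_check.php and saveNews.php and the data/ directory are assumptions.

```php
<?php
// auth_check.php (assumed name): required by every script that reads or
// writes the XML files. Relies on check.php having set $_SESSION['loggedIn'].
function require_login() {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['loggedIn'])) {
        header('HTTP/1.1 403 Forbidden');
        echo 'status=denied';   // same name=value style the swf reads with LoadVars
        exit;
    }
}

// Accept a bare file name only, never a path, so "../" cannot leave data/.
function xml_path($name) {
    if (!preg_match('/^[A-Za-z0-9_-]+\.xml$/', $name)) {
        header('HTTP/1.1 400 Bad Request');
        echo 'status=badname';
        exit;
    }
    return __DIR__ . '/data/' . $name;   // assumed location of the XML files
}

// --- saveNews.php (assumed name): the first lines of a script the swf calls ---
// require_once('auth_check.php');
// require_login();                       // nothing below runs without a login
// $target = xml_path(isset($_POST['file']) ? $_POST['file'] : '');
// $xml    = isset($_POST['xml'])  ? $_POST['xml']  : '';
// file_put_contents($target, $xml, LOCK_EX);
// echo 'status=ok';
?>
```

The guard only protects the scripts: an XML file that sits under the document root is still readable by anyone who requests its URL directly, so the data directory belongs outside the web root or behind a server rule that denies direct access.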
7 Comments
 
LVL 1

Assisted Solution

by:rmirabelle
rmirabelle earned 1000 total points
ID: 22749492
You say the login mc checks the username and password - I assume that it sends the login and password entered by the user to the server and the server performs the check and sends the result back to the login mc?

You mention that the swf's functionality depends on the ability to read xml files that are in the open.  What do these xml files contain?  Hopefully NOT usernames and passwords.

I'm not sure if I understand you completely, but here's how I would handle logins from an swf.
Your swf collects username and password.
The swf uses LoadVars to send the username and password to a script on your server and await a response.
That script uses the username and password and looks them up on the database.
The script then echoes a response of either just 'yes' or 'no'
The swf has been waiting for the response and if the response is 'yes', enables the other parts of the app.

The example code assumes that your receiving script will do the work of checking the login and output this:
echo 'the_response=yes';
or
echo 'the_response=no';

This should be secure enough for most needs.  It would be difficult for someone to impersonate your script and send back a 'yes' response.  And of course, your PHP scripts themselves are not served, so they are secure.  When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe.

Hope this gives you some ideas
public function login(user:String, password:String):Void {
     var lv:LoadVars = new LoadVars();
     // escape() URL-encodes characters such as & or = that would otherwise break the query string
     var url:String = 'http://myserver.com/page.php?login=' + escape(user) + '&password=' + escape(password);
     lv.onLoad = function(success:Boolean) {
          if (success) {
               // the PHP script echoed 'the_response=yes' or 'the_response=no'
               var result:String = lv.the_response;
               if (result == 'yes') {
                    //enable rest of app
               }
          }
     };
     lv.load(url);
}

 
LVL 8

Author Comment

by:Dreammonkey
ID: 22761680
Hi rmirabelle,

Thanks for the comment, my passwords and logins are safely stored in the mysql db, no worries about that, I was just wondering - also in relation to the related question:

If someone could 'hack' the .swf?
Regarding the threads in the related question, I therefore thought of loading the 'important parts' of the .swf at runtime, thinking that this would make it more secure, is that correct?

You said :
    "your PHP scripts themselves are not served, so they are secure."

Could you explain this a little further for me? I don't really know what to understand by "they are not served"....

Secondly:
    "When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe. "

I don't really get that either,
should I implement that in the logincheck.php ?

My check.php looks like this:



<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];

//mysqldetails ($conn is opened in dbDetails.php)
require_once("dbDetails.php");

// $login and $password are placed straight into the SQL string, unescaped
$SQL = "SELECT * FROM members_tbl WHERE username ='".$login."' AND password = '".$password."'";

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);

if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}

?>

 
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 1000 total points
ID: 22762471
>>> I don't really know what to understand by "they are not served"....

That means that the PHP scripts themselves are run on the server side.  The end user (in a proper environment) does not have access to the scripts.  They only see the result of them in HTML form.

>>> should I implement that in the logincheck.php ?

Absolutely, yes.  Any data that goes to the database should first be escaped for safety.  You'll want to read through some sections of the PHP manual to understand why this is:

http://www.php.net/manual/en/security.database.sql-injection.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
 
LVL 8

Author Comment

by:Dreammonkey
ID: 22763176
OK, I see what you're getting at...

Still, I don't know how to properly formulate the code...
Could you help me out?

In the example on the mysql_real_escape_string page at php.net they state:
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
Should I take this literally?
What does the '%s' stand for? And why do they use it twice for a different string?

My PHP is poor, I manage with some tutorials and a lot of actionscript, security is a whole new subject...

Thanks in advance

// That's not it, is it?
 
<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];
 
//mysqldetails
require_once("dbDetails.php");
 
$SQL = "SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'";
            mysql_real_escape_string($username),
            mysql_real_escape_string($password));
 
$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);
 
if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}
 
?>

 
LVL 51

Accepted Solution

by:Steve Bink
Steve Bink earned 1000 total points
ID: 22764144
For sprintf(), see here:

http://www.php.net/manual/en/function.sprintf.php

Pay close attention to the format parameter and the examples for it.  The line you are using in your example would effectively be the same as this:

$query = "SELECT * FROM users WHERE user='" . mysql_real_escape_string($user) .
               "' AND password='" . mysql_real_escape_string($password) . "'";

The only problem in your most recent code is that you are using $login for the variable assignment, but $username when you build the query.  Make sure your variable names match what you need.
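The login step of check.php rewritten with a mysqli prepared statement, as an added example that is not code from the thread: the placeholder values are bound separately from the SQL text, which is the technique swapped in here for sprintf()/mysql_real_escape_string(). It assumes dbDetails.php defines the constants DB_HOST, DB_USER, DB_PASS and DB_NAME (the thread's dbDetails.php supplies $conn instead).

```php
<?php
// Added example (not the thread's own code): check.php with a prepared statement.
// Assumes dbDetails.php defines DB_HOST, DB_USER, DB_PASS, DB_NAME.
session_start();
require_once("dbDetails.php");

$login    = isset($_POST['login'])    ? $_POST['login']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if ($conn->connect_error) {
    echo 'login=failure';
    exit;
}

// The two ? placeholders are sent to MySQL separately from the SQL text, so
// whatever the user typed is compared as a literal string and cannot alter
// the query. (Same schema as the thread: members_tbl with username/password.)
$stmt = $conn->prepare(
    "SELECT username FROM members_tbl WHERE username = ? AND password = ?"
);
$stmt->bind_param('ss', $login, $password);
$stmt->execute();
$stmt->store_result();

if ($stmt->num_rows > 0) {
    // Issue a fresh session id when the session gains privileges, so an id
    // handed out before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['user']     = $login;
    // Same name=value response format the swf already parses.
    echo 'login=success&id=' . urlencode($login);
} else {
    echo 'login=failure';
}
$stmt->close();
$conn->close();
?>
```

The comparison against a stored plain-text password column follows the thread's schema; storing a password_hash() value and checking it with password_verify() after fetching the row is the stronger form of the same check.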
 
LVL 1

Assisted Solution

by:rmirabelle
rmirabelle earned 1000 total points
ID: 22764246
swfs can be hacked, at least to a degree, with the use of decompilers.  As such, it's best to keep any actual sensitive data out of them.  It takes extra work to load sensitive data dynamically, but I would say it's necessary for private data - especially stuff like logins and passwords.  Plus, it's good to get the practice with swf to server communication - it's something you'll likely use quite often.

$SQL = sprintf("SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));

 
LVL 8

Author Closing Comment

by:Dreammonkey
ID: 31507346
Sorry it took me so long to assign points,
Thanks for the answers !