Solved

Flash Login Interface, how secure?

Posted on 2008-10-17
Last Modified: 2013-11-11
Hi Experts,

I've made an interface for a website that allows the owners of the site to update data on their website, access their mailing list & send mails to their subscribers, post news, etc.
The main timeline consists of 1 key frame that dynamically loads the Login mc.
The Login mc then checks the username and password through a php session script file that connects with the server's database where the login data is stored.

When the FlashVars receive a green light from the php script, the main menu gets loaded using loadMovie() and the other features get enabled.

My guess is this is fairly secure, anyway, It's not Fort Knox' website, right? (I sometimes even wonder about my own internet banking security, but that might be another question...)

I'm wondering, however: the functionality of the entire interface lies in the ability to read, write and delete data in xml files that are stored on the server (not in the database). These php and xml files are actually 'in the open'....

So my question is, when calling these php scripts, should I again check if the login session is true? (and how exactly should I do this?)
Can the php files be tampered with, without even running the .swf ? (I almost believe this is a rhetorical question...)
So... how do I secure the php files?

And last but not least, can the xml files get altered externally (without using the swf nor the php scripts?)

Thanks in advance !

d
7 Comments
 
LVL 1

Assisted Solution

by:rmirabelle
rmirabelle earned 250 total points
ID: 22749492
You say the login mc checks the username and password - I assume that it sends the login and password entered by the user to the server and the server performs the check and sends the result back to the login mc?

You mention that the swf's functionality depends on the ability to read xml files that are in the open.  What do these xml files contain?  Hopefully NOT usernames and passwords.

I'm not sure if I understand you completely, but here's how I would handle logins from an swf.
Your swf collects username and password.
The swf uses LoadVars to send the username and password to a script on your server and await a response.
That script uses the username and password and looks them up on the database.
The script then echoes a response of either just 'yes' or 'no'.
The swf has been waiting for the response and if the response is 'yes', enables the other parts of the app.

The example code assumes that your receiving script will do the work of checking the login and output this:
echo 'the_response=yes';
or
echo 'the_response=no';

This should be secure enough for most needs.  It would be difficult for someone to impersonate your script and send back a 'yes' response.  And of course, your PHP scripts themselves are not served, so they are secure.  When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe.

Hope this gives you some ideas
```actionscript
// ActionScript 2: send the credentials to the server and wait for the_response
public function login(user:String, password:String) {
     var lv:LoadVars = new LoadVars();
     var url:String = 'http://myserver.com/page.php?login=' + user + '&password=' + password;
     lv.onLoad = function(success:Boolean) {
          if (success) {
               // the server script echoes the_response=yes or the_response=no
               var result:String = lv.the_response;
               if (result == 'yes') {
                    //enable rest of app
               }
          }
     };
     lv.load(url);
}
```

 
LVL 8

Author Comment

by:Dreammonkey
ID: 22761680
Hi rmirabelle,

Thanks for the comment, my passwords and logins are safely stored in the MySQL DB, no worries about that, I was just wondering - also in relation to the related question:

If someone could 'hack' the .swf?
Regarding the threads in the related question, I therefore thought of loading the 'important parts' of the .swf at runtime, thinking that this would make it more secure, is that correct?

You said :
    "your PHP scripts themselves are not served, so they are secure."

Could you explain this a little further for me? I don't really know what to understand by "they are not served"....

Secondly:
    "When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe. "

I don't really get that either,
should I implement that in the logincheck.php ?

My check.php looks like this:



```php
<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];

//mysqldetails
require_once("dbDetails.php");

$SQL = "SELECT * FROM members_tbl WHERE username ='".$login."' AND password = '".$password."'";

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);

if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}

?>
```

 
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 250 total points
ID: 22762471
>>> I don't really know what to understand by "they are not served"....

That means that the PHP scripts themselves are run on the server side.  The end user (in a proper environment) does not have access to the scripts.  They only see the result of them in HTML form.

>>> should I implement that in the logincheck.php ?

Absolutely, yes.  Any data that goes to the database should first be escaped for safety.  You'll want to read through some sections of the PHP manual to understand why this is:

http://www.php.net/manual/en/security.database.sql-injection.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
 
LVL 8

Author Comment

by:Dreammonkey
ID: 22763176
OK, I see what you're getting at...

Still, I don't know how to properly formulate the code...
Could you help me out?

In the example on the mysql_real_escape_string page at php.net they state:

```php
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
```

Should I take this literally?
What does the '%s' stand for? And why do they use it twice for a different string?

my php is poor, I manage with some tutorials and a lot of actionscript, security is a whole new subject...

Thanks in advance

// That's not it, is it?
 
```php
<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];

//mysqldetails
require_once("dbDetails.php");

$SQL = "SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'";
            mysql_real_escape_string($username),
            mysql_real_escape_string($password));

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);

if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}

?>
```

 
LVL 51

Accepted Solution

by:Steve Bink
Steve Bink earned 250 total points
ID: 22764144
For sprintf(), see here:

http://www.php.net/manual/en/function.sprintf.php

Pay close attention to the format parameter and the examples for it.  The line you are using in your example would effectively be the same as this:

```php
$query = "SELECT * FROM users WHERE user='" . mysql_real_escape_string($user) .
               "' AND password='" . mysql_real_escape_string($password) . "'";
```

The only problem in your most recent code is that you are using $login for the variable assignment, but $username when you build the query.  Make sure your variable names match what you need.
 
LVL 1

Assisted Solution

by:rmirabelle
rmirabelle earned 250 total points
ID: 22764246
swfs can be hacked, at least to a degree, with the use of decompilers.  As such, it's best to keep any actual sensitive data out of them.  It takes extra work to load sensitive data dynamically, but I would say it's necessary for private data - especially stuff like logins and passwords.  Plus, it's good to get the practice with swf to server communication - it's something you'll likely use quite often.

```php
$SQL = sprintf("SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));
```

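An added example, not code from anyone in this thread, that puts the two fixes discussed together in one include file: the sprintf()/mysql_real_escape_string() lookup from the accepted solution, and the session re-check the original question asked about for the php scripts that edit the xml files. It assumes dbDetails.php defines $conn as in the asker's check.php; the file name secure.inc.php and the function names are hypothetical.

```php
<?php
// secure.inc.php (hypothetical file name): shared by check.php and by every script that
// reads or writes the xml files. Added example, not code from the thread.
// Assumes dbDetails.php defines $conn, a mysql_connect() link, as in the asker's check.php.
// (The mysql_* functions are PHP 5 era and were removed in PHP 7.)

// Look the user up with the sprintf()/mysql_real_escape_string() form from the accepted
// solution. Each %s is replaced, in order, by the matching argument, and the escaping
// keeps a quote inside $login or $password from ending the SQL string literal.
function check_login($conn, $login, $password) {
    $sql = sprintf("SELECT username FROM members_tbl WHERE username = '%s' AND password = '%s'",
                   mysql_real_escape_string($login, $conn),
                   mysql_real_escape_string($password, $conn));
    $rs = mysql_query($sql, $conn);
    return $rs && mysql_num_rows($rs) > 0;
}

// Call this first in every php script the swf loads after login. The scripts can be
// requested directly by a browser, so each one must re-check the session on its own.
function require_login() {
    if (empty($_SESSION['loggedIn'])) {
        header('HTTP/1.0 403 Forbidden');
        echo 'status=denied';
        exit;
    }
}

// check.php then becomes:
//   session_start();
//   require_once("dbDetails.php");
//   require_once("secure.inc.php");
//   $login    = isset($_POST['login'])    ? $_POST['login']    : '';
//   $password = isset($_POST['password']) ? $_POST['password'] : '';
//   if (check_login($conn, $login, $password)) {
//       session_regenerate_id(true);          // fresh session id once logged in
//       $_SESSION['loggedIn'] = true;
//       echo 'login=success&id=' . urlencode($login);   // urlencode keeps '&' out of the id
//   } else {
//       echo 'login=failure';
//   }
//
// and each xml-editing script starts with:
//   session_start();
//   require_once("secure.inc.php");
//   require_login();
//   // ...read or write the xml file only after that line...
?>
```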
 
LVL 8

Author Closing Comment

by:Dreammonkey
ID: 31507346
Sorry it took me so long to assign points,
Thanks for the answers !