  • Status: Solved
  • Priority: Medium
  • Security: Public

Flash Login Interface, how secure?

Hi Experts,

I've made an interface for a website that allows the owners of the site to update data on their website, access their mailing list & send mail to their subscribers, post news, etc.
The main timeline consists of 1 key frame that dynamically loads the Login mc.
The Login mc then checks the username and password through a php session script file that connects with the server's database where the login data is stored.

When the FlashVars receive a green light from the php script, the main menu gets loaded using loadMovie() and the other features get enabled.

My guess is this is fairly secure; anyway, it's not Fort Knox's website, right? (I sometimes even wonder about my own internet banking security, but that might be another question...)

I'm wondering however: the functionality of the entire interface lies in the ability to read, write and delete data in xml files that are stored on the server (not in the database). These php and xml files are actually 'in the open'...

So my question is, when calling these php scripts, should I again check if the login session is true? (and how exactly should I do this?)
Can the php files be tampered with, without even running the .swf ? (I almost believe this is a rhetorical question...)
So... how do I secure the php files?

And last but not least, can the xml files get altered externally (without using the swf nor the php scripts?)

Thanks in advance!

Asked by Dreammonkey

4 Solutions
 
rmirabelle commented:
You say the login mc checks the username and password - I assume that it sends the login and password entered by the user to the server and the server performs the check and sends the result back to the login mc?

You mention that the swfs functionality depends on the ability to read xml files that are in the open.  What do these xml files contain?  Hopefully NOT usernames and passwords.  

I'm not sure if I understand you completely, but here's how I would handle logins from an swf.
Your swf collects username and password.
The swf uses LoadVars to send the username and password to a script on your server and await a response.
That script uses the username and password and looks them up on the database.
The script then echos a response of either just 'yes' or 'no'
The swf has been waiting for the response and if the response is 'yes', enables the other parts of the app.

the example code assumes that your receiving script will do the work of checking the login and output this:
echo 'the_response=yes';
or
echo 'the_response=no';

This should be secure enough for most needs.  It would be difficult for someone to impersonate your script and send back a 'yes' response.  And of course, your PHP scripts themselves are not served, so they are secure.  When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe.

Hope this gives you some ideas
public function login(user:String, password:String) {
     var lv:LoadVars = new LoadVars();
     // URL-encode both values so characters such as & or = cannot break the query string
     var url:String = 'http://myserver.com/page.php?login=' + escape(user) + '&password=' + escape(password);
     lv.onLoad = function(success:Boolean) {
          if (success) {
               // page.php answers with the_response=yes or the_response=no
               var result:String = lv.the_response;
               if(result == 'yes') {
                    //enable rest of app
               }
          }
     }
     lv.load(url);
}

 
Dreammonkey (Author) commented:
Hi rmirabelle,

Thanks for the comment, my passwords and logins are safely stored in the mysql db , no worries about that, I was just wondering - also in relation to the related question :

If someone could 'hack' the .swf?
Regarding the threads in the related question, I therefore thought of loading the 'important parts' of the .swf at runtime, thinking that this would make it more secure, is that correct?

You said :
    "your PHP scripts themselves are not served, so they are secure."

Could you explain this a little further for me? I don't really know what to understand by "they are not served"....

Secondly:
    "When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($_GET['login']) to keep your database safe. "

I don't really get that either,
should I implement that in the logincheck.php ?

My check.php looks like this :



<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];
 
//mysqldetails
require_once("dbDetails.php");
 
$SQL = "SELECT * FROM members_tbl WHERE username ='".$login."' AND password = '".$password."'";
 
$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);
 
 
 
if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}
 
?>

 
Steve Bink commented:
>>> I don't really know what to understand by "they are not served"....

That means that the PHP scripts themselves are run on the server side.  The end user (in a proper environment) does not have access to the scripts.  They only see the result of them in HTML form.

>>> should I implement that in the logincheck.php ?

Absolutely, yes.  Any data that goes to the database should first be escaped for safety.  You'll want to read through some sections of the PHP manual to understand why this is:

http://www.php.net/manual/en/security.database.sql-injection.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
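The server side of the exchange rmirabelle describes, together with the escaping point Steve Bink makes, as an added example that is not code from this thread. It runs the concatenated query from the posted check.php and a parameterised replacement side by side against an in-memory SQLite table, so it works offline; a real deployment would open a PDO connection to MySQL instead, with the query code unchanged. Assumptions that are mine, not the thread's: PDO is used in place of the mysql_* functions (those were removed in PHP 7), the password column holds a password_hash() value rather than clear text, the account owner/hunter2 is constructed sample data, and the token field in the success response is an addition for later write requests.

```php
<?php
// Added example, not from the thread: check.php two ways, run against an
// in-memory SQLite table so the injection can be demonstrated offline.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members_tbl (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample account. The column stores a salted hash, never the clear text.
    $ins = $db->prepare('INSERT INTO members_tbl (username, password) VALUES (?, ?)');
    $ins->execute(['owner', password_hash('hunter2', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern from the posted check.php: request data spliced straight into SQL.
// Kept only to show the bypass; with hashed passwords it could not log a real user in anyway.
function login_unsafe(PDO $db, string $login, string $password): bool
{
    $sql = "SELECT * FROM members_tbl WHERE username ='" . $login . "' AND password = '" . $password . "'";
    return count($db->query($sql)->fetchAll()) > 0;
}

// Hardened: a placeholder keeps the username out of the SQL grammar entirely,
// and the password is checked against the stored hash in PHP.
function login_safe(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members_tbl WHERE username = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a throwaway hash so unknown users cost the same time as known ones.
        password_verify($password, password_hash('x', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $row['password']);
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration of what the two queries do with a classic payload.
    $db = make_db();
    $payload = "' OR '1'='1";
    printf("unsafe query, injected password : %s\n", login_unsafe($db, 'owner', $payload) ? 'LOGGED IN' : 'rejected');
    printf("safe query,   injected password : %s\n", login_safe($db, 'owner', $payload) ? 'LOGGED IN' : 'rejected');
    printf("safe query,   real password     : %s\n", login_safe($db, 'owner', 'hunter2') ? 'LOGGED IN' : 'rejected');
    printf("safe query,   unknown user      : %s\n", login_safe($db, 'nobody', 'hunter2') ? 'LOGGED IN' : 'rejected');
} else {
    // Called by the swf via POST, as check.php is. Responds in the name=value
    // form the LoadVars handler parses.
    session_start();
    $db = make_db();   // replace with the real MySQL PDO connection
    $ok = login_safe($db, (string)($_POST['login'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($ok) {
        session_regenerate_id(true);                    // new session id after the privilege change
        $_SESSION['loggedIn'] = true;
        $_SESSION['user']     = (string)$_POST['login'];
        $_SESSION['token']    = bin2hex(random_bytes(16)); // per-session token for write requests
        echo 'the_response=yes&token=' . $_SESSION['token'];
    } else {
        echo 'the_response=no';
    }
}
```

Run from the command line it prints that the concatenated query logs the attacker in with `' OR '1'='1` as the password while the prepared statement rejects it and still accepts the real password. The same prepared-statement call works unchanged against MySQL through PDO; mysql_real_escape_string() is the older way to reach the same goal when the mysql_* functions are all that is available.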
 
Dreammonkey (Author) commented:
OK, I see what you're getting at...

Still I don't know how to properly formulate, the code ...
Could you help me out?

In the example on the mysql_real_escape_string page at php.net they state :
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
should I take this literally ?
what does the '%s' stand for? And why do they use it twice for a different string ?

my php is poor, I manage with some tutorials and a lot of actionscript, security is a whole new subject...

Thanks in advance

// That's not it, is it?
 
<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];
 
//mysqldetails
require_once("dbDetails.php");
 
$SQL = "SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'";
            mysql_real_escape_string($username),
            mysql_real_escape_string($password));
 
$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);
 
if($numRows > 0){
	$_SESSION['loggedIn'] = true;
	echo '&login=success&';
	echo '&id='.$login.'&';
}else{
	echo 'login=failure';
}
 
?>

 
Steve Bink commented:
For sprintf(), see here:

http://www.php.net/manual/en/function.sprintf.php

Pay close attention to the format parameter and the examples for it.  The line you are using in your example would effectively be the same as this:

$query = "SELECT * FROM users WHERE user='" . mysql_real_escape_string($user) .
               "' AND password='" . mysql_real_escape_string($password) . "'";

The only problem in your most recent code is that you are using $login for the variable assignment, but $username when you build the query.  Make sure your variable names match what you need.
 
rmirabelle commented:
swfs can be hacked, at least to a degree, with the use of decompilers.  As such, it's best to keep any actual sensitive data out of them.  It takes extra work to load sensitive data dynamically, but I would say it's necessary for private data - especially stuff like logins and passwords.  Plus, it's good to get the practice with swf to server communication - it's something you'll likely use quite often.

$SQL = sprintf("SELECT * FROM members_tbl WHERE username ='%s' AND password = '%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));

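The part of the original question the thread leaves open is whether the PHP scripts that read, write and delete the xml files should check the login again. They must: the swf only decides what to show, and anyone can call those scripts directly with a browser or curl without ever running the .swf, so every script that changes data has to verify the server-side session on each request. The xml files themselves cannot be altered by a visitor except through those scripts (or through a separate server weakness), but if they sit under the web root they can be read by anyone who knows the URL. Below is an added example of such a guard, not code from the thread or the site under discussion. Assumptions that are mine: the login script stored $_SESSION['loggedIn'], $_SESSION['user'] and a random $_SESSION['token']; the xml lives in DATA_DIR, a directory outside the document root that only the web server user can write; the swf sends title, body and token as POST fields to post_news.php.

```php
<?php
// Added example, not from the thread: a session guard that every data-writing
// script includes, and one such script (post_news.php) that appends an item
// to news.xml. Paths, field names and session keys are assumptions.
declare(strict_types=1);

define('DATA_DIR', __DIR__ . '/../private_data');   // not reachable by URL

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo 'error=' . $msg;            // same name=value style the swf already parses
    exit;
}

// Refuse unless the login script established a session and the swf sent back
// the per-session token it received; writes are only accepted over POST so a
// crafted link or image tag cannot trigger one.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['loggedIn'])) {
        deny(403, 'not_logged_in');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        deny(405, 'post_required');
    }
    $sent = (string)($_POST['token'] ?? '');
    if ($sent === '' || !isset($_SESSION['token']) || !hash_equals($_SESSION['token'], $sent)) {
        deny(403, 'bad_token');
    }
}

function add_news_item(string $xmlPath, string $title, string $body, string $author): void
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;
    if (is_file($xmlPath)) {
        $doc->preserveWhiteSpace = false;
        if (!$doc->load($xmlPath)) {
            throw new RuntimeException('existing file is not well-formed XML');
        }
        $root = $doc->documentElement;
    } else {
        $root = $doc->appendChild($doc->createElement('news'));
    }
    $item = $root->appendChild($doc->createElement('item'));
    $item->setAttribute('date', gmdate('c'));
    $item->setAttribute('author', $author);
    // createTextNode() escapes <, & and friends; createElement('title', $title) would not.
    $item->appendChild($doc->createElement('title'))->appendChild($doc->createTextNode($title));
    $item->appendChild($doc->createElement('body'))->appendChild($doc->createTextNode($body));
    // Write to a temp file and rename so a concurrent reader never sees a half-written file.
    $tmp = $xmlPath . '.' . bin2hex(random_bytes(4)) . '.tmp';
    if ($doc->save($tmp) === false || !rename($tmp, $xmlPath)) {
        @unlink($tmp);
        throw new RuntimeException('could not write ' . $xmlPath);
    }
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration: two items into a temp file, showing the escaping.
    $path = sys_get_temp_dir() . '/news_demo.xml';
    @unlink($path);
    add_news_item($path, 'Site relaunch', 'New look & feel <soon>', 'owner');
    add_news_item($path, 'Newsletter', 'Sent to all subscribers', 'owner');
    echo file_get_contents($path);
    exit;
}

// post_news.php: the handler the swf calls after a successful login.
require_login();
$title = trim((string)($_POST['title'] ?? ''));
$body  = trim((string)($_POST['body'] ?? ''));
if ($title === '' || strlen($title) > 200) {
    deny(400, 'bad_title');
}
try {
    add_news_item(DATA_DIR . '/news.xml', $title, $body, (string)$_SESSION['user']);
} catch (RuntimeException $e) {
    deny(500, 'write_failed');
}
echo 'status=ok';
```

The same require_login() call goes at the top of every script that edits the mailing list or deletes data; a script that only serves public xml to the site does not need it. If the site's own pages must load the xml directly by URL, the files have to stay under the web root, and then the only protections are that nothing but these guarded scripts can write them and that the directory is not writable by anyone else on the server.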
 
Dreammonkey (Author) commented:
Sorry it took me so long to assign points,
Thanks for the answers !
