Dreammonkey
asked on
Flash Login Interface, how secure?
Hi Experts,
I've made an interface for a website that allows the owners of the site to update data on their website, access their mailing list & send mails to their subscribers, post news, etc.
The main timeline consists of 1 key frame that dynamically loads the Login mc.
The Login mc then checks the username and password through a php session script file that connects to the server's database where the login data is stored.
When the FlashVars receive a green light from the php script, the main menu gets loaded using loadMovie() and the other features get enabled.
My guess is this is fairly secure; anyway, it's not Fort Knox's website, right? (I sometimes even wonder about my own internet banking security, but that might be another question...)
I'm wondering, however: the functionality of the entire interface lies in the ability to read, write and delete data in xml files that are stored on the server (not in the database). These php and xml files are actually 'in the open'....
So my question is, when calling these php scripts, should I again check if the login session is true? (and how exactly should I do this?)
Can the php files be tampered with, without even running the .swf ? (I almost believe this is a rhetorical question...)
So... how do I secure the php files?
And last but not least, can the xml files get altered externally (without using the swf nor the php scripts?)
Thanks in advance!
d
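The question of whether every XML-editing php script must re-check the login, and how, is easiest to answer in code. The script below is an added example; it is not code from the original post or from the hidden answers. It assumes the login script stores $_SESSION['loggedIn'] = true on success (as the asker's check script does); the POST fields file and content, the directory xmldata and the list of permitted file names are assumptions chosen for the example.

```php
<?php
// savexml.php  (added example; not from the original thread)
//
// One of the scripts the .swf calls to overwrite an XML file. The session
// check at the top is what makes the script safe to leave "in the open":
// the .swf being past the login screen proves nothing, because anyone can
// request this URL directly with a browser or curl, so the server has to
// repeat the check on every call.
//
// Assumptions (not from the original post): the login script stores
// $_SESSION['loggedIn'] = true; the .swf POSTs the fields 'file' and
// 'content'; the XML files live in ../xmldata, outside the document root.

session_start();
header('Content-Type: text/plain');

function deny($reason)
{
    // Same name=value shape the .swf already parses from the login script.
    header('HTTP/1.1 403 Forbidden');
    echo 'status=denied&reason=' . urlencode($reason);
    exit;
}

// 1. Is this request from a logged-in session? Nothing else is trusted.
if (empty($_SESSION['loggedIn'])) {
    deny('not logged in');
}

// 2. Only accept state-changing requests over POST, so a plain link or image
//    tag on another site cannot trigger a write with the owner's cookie.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny('POST required');
}

// 3. Map the requested name onto a fixed list instead of building a path
//    from input, so file=../../dbDetails.php cannot leave the XML directory.
$xmlDir  = dirname(__FILE__) . '/../xmldata';
$allowed = array('news.xml', 'subscribers.xml', 'pages.xml');
$name    = isset($_POST['file']) ? (string) $_POST['file'] : '';
if (!in_array($name, $allowed, true)) {
    deny('unknown file');
}
$path = $xmlDir . '/' . $name;

// 4. Refuse to overwrite the file with something that is not well-formed XML,
//    otherwise one bad save breaks every later load in the .swf.
$content = isset($_POST['content']) ? (string) $_POST['content'] : '';
libxml_use_internal_errors(true);
if (simplexml_load_string($content) === false) {
    deny('content is not well-formed XML');
}

// 5. Write to a temp file and rename it over the original, so a reader never
//    sees a half-written file.
$tmp = $path . '.tmp';
if (file_put_contents($tmp, $content, LOCK_EX) === false || !rename($tmp, $path)) {
    deny('write failed');
}
echo 'status=ok&file=' . urlencode($name);
```

The XML directory is placed outside the document root on purpose: files under the web root are handed out by the web server to anyone who guesses the URL, whatever the php scripts check. They cannot be changed from outside except through a script like this one (or by someone with filesystem access to the server), but they can be read. If the files must stay under the web root, deny direct access to that directory in the web server configuration.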
SOLUTION
SOLUTION
ASKER
OK, I see what you're getting at...
Still I don't know how to properly formulate, the code ...
Could you help me out?
In the example on the mysql_real_escape_string page at php.net they state:
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
Should I take this literally?
What does the '%s' stand for? And why do they use it twice for a different string?
My php is poor; I manage with some tutorials and a lot of actionscript. Security is a whole new subject...
Thanks in advance
// That's not it, is it?
<?php
session_start();
$login = $_POST['login'];
$password = $_POST['password'];
//mysqldetails
require_once("dbDetails.php"); // assumed to open the MySQL connection as $conn
// sprintf() fills each '%s', in order, with the escaped value that follows
$SQL = sprintf("SELECT * FROM members_tbl WHERE username = '%s' AND password = '%s'",
    mysql_real_escape_string($login, $conn),
    mysql_real_escape_string($password, $conn));
$rs = mysql_query($SQL, $conn);
$numRows = mysql_num_rows($rs);
if ($numRows > 0) {
    $_SESSION['loggedIn'] = true;
    echo '&login=success&';
    echo '&id=' . $login . '&';
} else {
    echo '&login=failure&';
}
?>
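For comparison with the attempt above, here is the same login check written the way current PHP does it. It is an added example, not the asker's code and not the accepted answer. It keeps the asker's table and column names (members_tbl, username, password) and the name=value reply the .swf reads; the DSN and credentials are assumed to come from dbDetails.php as $dsn, $dbUser and $dbPass, and the password column is assumed to hold a password_hash() value rather than the plain password.

```php
<?php
// logincheck.php  (added example; not the asker's code or the accepted answer)
//
// Same contract as the script above: the .swf POSTs 'login' and 'password'
// and parses the name=value pairs echoed back. What changes:
//  * the lookup is a prepared statement, so the values never become part of
//    the SQL text and there is nothing to escape;
//  * the stored password is a password_hash() value (assumed), checked with
//    password_verify(), so a copy of the table does not give away logins;
//  * the session id is regenerated on success.
// dbDetails.php is assumed to define $dsn, $dbUser and $dbPass.

session_start();
header('Content-Type: text/plain');
require_once 'dbDetails.php';

$login    = isset($_POST['login'])    ? (string) $_POST['login']    : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

$pdo = new PDO($dsn, $dbUser, $dbPass, array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // prepare on the server, not in the driver
));

// The '?' is the placeholder; it does the job the '%s' did in the sprintf()
// example on php.net, except that the driver sends the value separately
// from the query text, so a login of  ' OR '1'='1  is just a name that
// does not exist in the table.
$stmt = $pdo->prepare('SELECT password FROM members_tbl WHERE username = ? LIMIT 1');
$stmt->execute(array($login));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false && password_verify($password, $row['password'])) {
    session_regenerate_id(true);            // drop the pre-login session id
    $_SESSION['loggedIn'] = true;
    $_SESSION['username'] = $login;
    echo '&login=success&id=' . urlencode($login) . '&';
} else {
    // One message for "no such user" and "wrong password" alike.
    echo '&login=failure&';
}
```

The stored hash is created once, when the account is made, with password_hash($plain, PASSWORD_DEFAULT). Note also that the mysql_* functions used in the script above were removed in PHP 7, so the PDO form is what keeps the login running on a current server.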
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Sorry it took me so long to assign points,
Thanks for the answers !
ASKER
Thanks for the comment. My passwords and logins are safely stored in the MySQL db, no worries about that. I was just wondering, also in relation to the related question:
If someone could 'hack' the .swf?
Regarding the threads in the related question, I therefore thought of loading the 'important parts' of the .swf at runtime, thinking that this would make it more secure, is that correct?
You said :
"your PHP scripts themselves are not served, so they are secure."
Could you explain this a little further for me? I don't really know what to understand by "they are not served"....
Secondly:
"When performing the DB lookup, make sure you prepare the login and password with something like mysql_real_escape_string($
I don't really get that either,
should I implement that in the logincheck.php ?
My check.php looks like this :