PHP - Securing data from Flash
The topic of security in PHP is a long standing one in the developer community. Often times you will find security is simply overlooked. The most recent example (that I found) is the Untraceable movie web site interactive puzzle game. Once you complete the game your time and name is entered into the database to be displayed on the high score screen.
Here is an example of that easy to modify URL (removed the full path)
http://…/score.php?score=02%3A41&name=JAMES%20B%2E
As you can see the time and username are clearly visible in the URL, which in this example is 2 minutes & 41 seconds.
Now that you can see the issue, lets look at how to stop this basic modification ability. This example will use ActionScript 3 and the MD5 library provided by Adobe’s AS3CoreLib.
| actionscript | |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | import com.adobe.crypto.MD5; var salt:String = "439df098"; function sendScore(name:String, score:String):void { var scoreHash:String = MD5.hash(salt + score); var query:String = "?n=" + name + "&s=" + score + "hash=" + scoreHash; var req:URLRequest = new URLRequest("score.php" + query); var urlLoader:URLLoader = new URLLoader(); urlLoader.addEventListener(Event.COMPLETE, scoreSent); urlLoader.load(req); } sendScore("James", "2:41"); |
Once the ActionScript is developed, the next step is to work out the PHP.
The PHP will take the same salt (which would be private) and test the hash to determine if the entry is valid.
| php | |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | <?php // connection to database goes here $salt = "439df098"; $name = $_GET['n']; $score = $_GET['s']; $hash = $_GET['hash']; if($hash == md5($salt + $score)) { // Valid score submission. // enter score in database at this point. } else { // error, log IP address for security purposes } ?> |
As you can see this code is not very advanced, but easily protects your score submitting or any type of form submission from fraudulent entries.
