I’m helping out a friend with some changes to their complex flash site after their previous developer jumped ship on them.
In the process of making some edits I noticed that the previous developer had exposed all of their data to the world. Any slightly tech-savy user could pretty much read all the table data in their database by visiting a php page. Lovely.
So here’s the scenario I’m trying to solve.
The flash site uses Shared Objects to save users access privileges when they log in successfully.
there are frequent calls to the database to display information (whether logged in or not). The site calls a php page… lets say… query.php?table=“tablename” and returns all tables data… (what a mess). Only specific columns are needed to be returned to the user (whether they are logged in or NOT logged in). there is no check to see if the user is logged in or not when this page is called. so anyone can call a page and get this data.
only the ADMIN should get returned the full table set as they are the ones that need to see all the data in flash. however the same php query is called for the admin and for the regular user and any non-logged in user.
So. I guess I can limit the data set returned for the average logged in or not logged in user so the more sensitive data isn’t shared. But how can I authenticate the logged in admin to share the full table data?
Hope this makes sense. Any help is appreciated.