Store sensitive data from flash through php

I have a php file that stores sensitive data. Can’t really risk anyone decompiling the flash thing and finding out the php path/key.

What to do? Any ideas? I basically want to make sure the php file can only be called from a swf downloaded from the same server. Is that even technically possible? I mean the calls from the swf will report the user’s IP. :confused:

Btw edit; encryption won’t help vs decompiling, neither will storing a password somewhere else since no matter what, flash has to call something to get access… and that call can be decompiled. Thankful for any insight.

Well if PHP has the ability (and I’m not sure if it does) to track what file is calling it and where i.e. your server, then it should be a simple condition.

What you could try is to store a value in a database, pass it to Flash, then pass it back to php and validate that value. However, all you need is Firebug to see what that value was, so that may not be that great of a solution.

[quote=Digitalosophy;2340439]Well if PHP has the ability (and I’m not sure if it does) to track what file is calling it and where i.e. your server, then it should be a simple condition.
[/quote]

You can track the referrer, sure, but the “call” will be from the user’s IP, since SWF files are executed locally and not server-side.

:X

hmm, ok scratch that idea :lol:

:slight_smile:

Wonder if I can set a session with the index and look for it with the “php store” filename.

When the page is first loaded, you could create a session variable within php, like a portion of the md5 of the timestamp, that you pass to the swf as a flashVar. Then, you can compare the two before any sensitive data is exposed. If somebody dl’s the swf and decompiles it, then tries to run it on their localhost server, they won’t know what value to pass to the swf.

Or, you could keep all the sensitive data in PHP, and just have flash request it when needed.

You could use a socket connection. You’d have to write a socket server in php or some other language, but I think it would solve your problem. In the documentation for the Socket class it says:

The calling SWF file and the network resource being accessed must be in exactly the same domain. For example, a SWF file at adobe.com can connect only to a server daemon at adobe.com.

Hope that helps…
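
Added example, not part of the original thread: a sketch of the session-variable idea suggested above, where the page that embeds the SWF issues a value and the PHP "store" script checks it before doing anything. The function names, the `store_token` session key and the 10-minute lifetime are assumptions, and it uses `random_bytes()` in place of a portion of an md5 of the timestamp, since a timestamp can be guessed.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 600; // seconds a page-load token stays valid (assumed value)

// Called by the page that embeds the SWF: create a random token, remember it
// server-side, and return it so it can be handed to the SWF as a flashVar.
function issue_store_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, 64 hex characters
    $session['store_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Called by the "store" script before it touches any sensitive data.
function check_store_token(array &$session, string $presented): bool
{
    $saved = $session['store_token'] ?? null;
    unset($session['store_token']); // single use: the same value cannot be replayed
    if (!is_array($saved) || time() - $saved['issued'] > TOKEN_TTL) {
        return false; // no page load in this session, or the token is too old
    }
    return hash_equals($saved['value'], $presented); // constant-time comparison
}

// Constructed demo: plain arrays stand in for $_SESSION so this runs from the CLI.
// In the real scripts, call session_start() and pass $_SESSION instead.
$pageLoad = [];
$flashVar = issue_store_token($pageLoad);

// Case 1: the SWF sends back the value it received from the page.
var_dump(check_store_token($pageLoad, $flashVar));

// Case 2: the same value is sent a second time.
var_dump(check_store_token($pageLoad, $flashVar));

// Case 3: a copy of the SWF run elsewhere sends a value it made up.
$otherVisitor = [];
issue_store_token($otherVisitor);
var_dump(check_store_token($otherVisitor, str_repeat('0', 64)));

// Case 4: the store script is called with no page load in the session at all.
$noPageLoad = [];
var_dump(check_store_token($noPageLoad, $flashVar));
```

As noted earlier in the thread, the user can still read the value out of their own page, so this ties each store call to a live session on your server rather than proving the SWF is unmodified. Because the token is single use, the page (or the store script's response) has to issue a fresh one for each further call.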