1

I have to make connection to the DB and Insert a row based on the data that the SWF sent me...

I will need to make it so that the SWF->PHP part is secure by not letting users tamper with data.

I don't want to use SSL because its not a suitable solution... what other method is available?

rook
  • 66,304
  • 38
  • 162
  • 239
Melina
  • 21
  • 1
  • 5
  • This question is way too broad. You need to build good interfaces to prevent users from tampering with data. SSL and encryption are no help there at all - they just make the connection between user and system secure. You'll need to show what you do, and ask in more detail about the interactions that take place – Pekka Oct 23 '10 at 11:48
  • For example, a flash game... It sends a score to PHP to be recorded. The score shouldn't be tampered with or it becomes unfair. – Melina Oct 23 '10 at 11:50
  • possible duplicate of [Suggestions for (semi) securing high-scores in Flash/PHP game...](http://stackoverflow.com/questions/303255/suggestions-for-semi-securing-high-scores-in-flash-php-game) – Paul Dixon Oct 23 '10 at 11:55
  • Sorry, i wasn't good at searching i guess, i couldnt find anything related to hiscores – Melina Oct 23 '10 at 12:24
  • Check this out for some ideas: http://stackoverflow.com/questions/73947/what-is-the-best-way-to-stop-people-hacking-the-php-based-highscore-table-of-a-f – Juan Pablo Califano Oct 23 '10 at 14:53
  • PS: Also, keep in mind that making your flow secure in a strict sense is not possible. There're a couple of things you can do to make tampering data more difficult (as shown in answers in the link above). Ideally, to the point it makes no sense to try to cheat, because it's more work than it's worth. – Juan Pablo Califano Oct 23 '10 at 14:55
  • Why is SSL not suitable or secure? – Kumsal Obuz Oct 23 '10 at 15:22
  • @kubarium. SSL will prevent a third party from understanding the client/server conversation (as its encrypted). It will make the channel secure from 3rd party sniffing. But it won't preventing one of the endpoints from forging data. – Juan Pablo Califano Oct 23 '10 at 15:54

4 Answers4

1

The firefox plugin TamperData can manipulate any request sent by the browser regardless of https.

To make sure the message wasn't modified on the wire you can use an HMAC. The secret key K can be packaged with the flash application and a flash obfuscater can be used. However, this is security though obscurity and any hacker with an afternoon to kill will be able to fool this system. However this is the best that you can do.

rook
  • 66,304
  • 38
  • 162
  • 239
0
  1. Encode data in client with private key.
  2. Send it to php server
  3. Decode data in php and add it to database

OR Make all the possible and use HTTPS / SSL

Adrian Pirvulescu
  • 4,308
  • 3
  • 30
  • 47
  • Pirvulescu. SSL does not add any security here. SSL secures the *channel* (meaning, it prevents a third party from sniffing the client/server conversation). It does not prevent one party from tampering the exchanged data. – Juan Pablo Califano Nov 03 '10 at 03:21
0

You may have luck with AMFPHP. Quoted from the SourceForge page:

"AMF allows for binary serialization of Action Script (AS2, AS3) native types and objects to be sent to server side services."

While no method is foolproof, I tend to lean toward this - or making socket connections to a local socket server which then handles database interaction.

mway
  • 4,334
  • 3
  • 26
  • 37
0

Send a salted hash of the serialized data you are sending. Then check that key on the server. This again whilst not foolproof will help stop 99% of your fraud.

Also make sure you encrypt your swf so the hash salt and salting method can not be exposed.

buggedcom
  • 1,537
  • 2
  • 18
  • 34