dcsimg
A Flash Developer Resource Site

Results 1 to 10 of 10

Thread: Some questions about animations & PHP

  1. #1
    Junior Member
    Join Date
    Sep 2002
    Posts
    28

    Arrow

    Hi, i'm working on a site where you can store pictures only (for now) but i also would like to support you by storing animations like swf files. But there's a problem some of the swf files contains data files and things like that, how can i prevent (with php) that when i show a movie to a user using a link om my page that the script writes files or data to my server?


  2. #2
    Junior Member
    Join Date
    Sep 2002
    Posts
    28
    pls anyone?

  3. #3
    Registered User
    Join Date
    Feb 2001
    Posts
    13,044
    Hi,

    if someone submits swf with text files, place it in its own folder
    Dont accept swf with php or perl files unless you are willing to verify them (even if they are not designed to write to your server, they might contain errors increasing the server load

    Musicman

  4. #4
    Junior Member
    Join Date
    Sep 2002
    Posts
    28
    So it's best to check them out before adding to the 'list'? cauze if there are 10.000 ppl adding swf files to my server i can't / wil check them out... isn't there something to fix for (to check the files?)

  5. #5
    Registered User
    Join Date
    Feb 2001
    Posts
    13,044
    Hi,

    allow only
    swf
    txt
    zip (or other package format) containing swf and txt in same folder.
    If someone needs server interaction, advise them to load a secondary movie from their own server and do the scripting there

    Musicman

  6. #6
    Junior Member
    Join Date
    Sep 2002
    Posts
    28
    Originally posted by Musicman
    Hi,

    allow only
    swf
    txt
    zip (or other package format) containing swf and txt in same folder.
    If someone needs server interaction, advise them to load a secondary movie from their own server and do the scripting there

    Musicman
    neat idea, i'll only grant access for swf files and nothing more!!... hoping that that's enough!

    Grtz

  7. #7
    Senior Member
    Join Date
    Mar 2002
    Posts
    161
    If you don't want to allow any swf interaction with the server, refuse any swf that require txt or other files.

    Then, you can have your script place all uploaded swf files into a separate directory, and chmod both that directory and the uploaded swf files in that directory to a level on your server which will prevent malicious use (ask your admin for proper level, varies on some setups). Let the server do most of the work for you.

    If you allow any server-swf interation without reviewing the fla or a decompilation first, you have no idea what the author may have hidden, nor what triggering mechanisms may be employed in the submitted swf file. Ex: Someone could submit a seemingly harmless swf file that has malicious code which is only triggered on a certain date by certain keypress combos.

  8. #8
    Junior Member
    Join Date
    Sep 2002
    Posts
    28
    Originally posted by JerryJ
    If you don't want to allow any swf interaction with the server, refuse any swf that require txt or other files.

    Then, you can have your script place all uploaded swf files into a separate directory, and chmod both that directory and the uploaded swf files in that directory to a level on your server which will prevent malicious use (ask your admin for proper level, varies on some setups). Let the server do most of the work for you.

    If you allow any server-swf interation without reviewing the fla or a decompilation first, you have no idea what the author may have hidden, nor what triggering mechanisms may be employed in the submitted swf file. Ex: Someone could submit a seemingly harmless swf file that has malicious code which is only triggered on a certain date by certain keypress combos.
    I don't fully understand you (i'm dutch) but i understand that there is no way to do a check of what the .fla (swf) animation does fully... maby i only can grant access for reading that file and not other files or something.

  9. #9
    Registered User
    Join Date
    Feb 2001
    Posts
    13,044
    Hi,

    unless you can place every swf into a subdomain of its own, or every swf gets a different htaccess protection, there is no way to restrict accesses from those swf's to any files on the server (and there is no way to stop people using their browser to access any of these files)
    So, to make up some crazy scenarios: you have a forum on your site that uses cookie based login ... and someone uploads a swf that sends somebody's valid login to /forum/login.php (effectively logging in all visitors to the forum under one name) or a swf that asks for some non-existing file once per second (to create a heavy server load)
    Both can hardly be prevented, and both could be classified as annoying rather than harmful

    Musicman

  10. #10
    Junior Member
    Join Date
    Sep 2002
    Posts
    28
    Let me explain it on another way

    users can now upload pictures onto my website for showing (publishing) them on the web (everywhere they like)

    when users upload a swf file i won't want them to add a file or read files from the webserver, the animation may only show graphical art (that's included in the swf/fla file) nothing more nothing less, that's all..


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  




Click Here to Expand Forum to Full Width

HTML5 Development Center