A Flash Developer Resource Site


Thread: [F8] loading image from PHP securely

  1. #1
    Junior Member
    Join Date
    Feb 2007
    Posts
    11

    [F8] loading image from PHP securely

    Hi,

    any ideas on how to load JPG picture into FLASH without revealing its location and preventing the access to load this JPG without FLASH?

    so far I've managed to call LoadMovie('picoutput.php?id=picid'). It sure hides the physical .JPG location on the server, but you can still see the request going to picout.php with all _GET parameters (by using URLHelper or any other traffic request analyser program) and then you can hack and get the picture out in browser directly by executing picout.php URL bypassing FLASH!

    In my example FLASH together with PHP are meant to play the picture protector role which doesn't allow the picture to be loaded in any other way than only in FLASH!

    maybe somebody has any ideas how to do that?
    Last edited by alise; 02-08-2007 at 08:37 AM.

  2. #2
    OOP is one letter from OOPS kortex's Avatar
    Join Date
    Aug 2005
    Location
    New Hope, PA
    Posts
    2,668
    You could try LoadVars and switch to the POST method (but you will have to update the PHP script). At least I have never noticed this method revealing anything.
    Jeremy Wischusen
    Flash - Flex - LAMP - Web Developer Purple Inc
    AS OOP FAQ-Best Practices Thread | Flashkit OOP Tutorials | Purple Inc (day job) | Blog


  3. #3
    Junior Member
    Join Date
    Feb 2007
    Posts
    11
    yes, I thought about that already!

    the idea is simple - viewer receives mail with the access URL which is something like:
    www.mydomain.com?view.php?access=xxx

    entering this URL in the browser - it loads a page with the flash embedded and access key passed to it!

    Then I think flash should generate some MD5 variation from the access key and request the picoutput.php with two POST parameters: 1) access key, 2) MD5 modified access key.

    picoutput.php receives two POST variables and checks if they match (knowing the same algorithm how second parameter was generated by flash)

    if everything is okay - it outputs the picture, otherwise - no!

    The only problem is that Flash can be hacked and reversed back to actionscript code and the second parameter generating algorithm discovered! Any experience with securing actionscript code?

    Or any better ideas in general?

  4. #4
    OOP is one letter from OOPS kortex's Avatar
    Join Date
    Aug 2005
    Location
    New Hope, PA
    Posts
    2,668
    Well, as far as I know, flash does not have any MD5 capabilities, that's a PHP thing. I suppose you could take the key into flash, send that key via load vars to another PHP page that encrypts it and returns it to flash and then use the encrypted key to call the image. So even if they decompiled the SWF, the encrypted value itself would not be in the code.


  5. #5
    Junior Member
    Join Date
    Feb 2007
    Posts
    11
    I found the md5 implementation for flash already!

    but, with the second php file execution - again the same problem - how to ensure that it gives output only when called from this particular flash application!?

  6. #6
    OOP is one letter from OOPS kortex's Avatar
    Join Date
    Aug 2005
    Location
    New Hope, PA
    Posts
    2,668
    Humm this looks like it may be a catch 22. Perhaps some of the other users here will have some ideas.


  7. #7
    Senior Member calmchess's Avatar
    Join Date
    Sep 2006
    Location
    Earth
    Posts
    2,588
    hi put the picture's path into a database field then pull it out using php then pass it into flash as an encrypted string....you can encrypt the string easily using mysql....php can extract the string and even insert it and upload a picture.

  8. #8
    Product Designer keyone.it's Avatar
    Join Date
    Aug 2001
    Location
    Rome, Italy.
    Posts
    1,625
    Did work a little on this issue some time ago.
    There appears to be no way you can make Flash secure, because anything you put in it can be easily accessed and re-used.

    So any kind of key or method that "only your flash movie" would use to access the PHP service, can be replicated.

    There is no apparent solution to this problem.. you can make it slightly more difficult for people to access your content, but not impossible.



    Remember that Flash sends specific request headers (some of which can be customized), so you can use that too for filtering requests.

    Sorry dude...

    p.s. In any case if you merge user authentication, secure connection and random encryption, you can't avoid people from building their own tools to access your images, but you sure will know that whoever accesses the images is a registered user.
    Altruism does not exist. Sustainability must be made profitable.

  9. #9
    Junior Member
    Join Date
    Feb 2007
    Posts
    11
    sure, i understand, that there's no bullet proof solution and everything can be cracked and hacked to get what you need!

    therefore I am still searching for the best possible way and combination of PHP and Flash to get the most out of it!

  10. #10
    Product Designer keyone.it's Avatar
    Join Date
    Aug 2001
    Location
    Rome, Italy.
    Posts
    1,625
    Basically take into account that the more intelligence you move on the server, the more you can secure transactions.

    You must think of Flash as a very simple item in the website-to-user interface.
    All of it can be replicated easily in JS, VBS, Java etc... so don't stick too much to Flash..
    Altruism does not exist. Sustainability must be made profitable.
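
The server-side approach from posts #8 and #10, as an added example that is not code from any poster: view.php issues a random, short-lived, single-use token tied to the viewer's PHP session, and picoutput.php serves the picture only when that token is redeemed. The function names, the 60-second lifetime and the picture id `pic42` are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; function names, TOKEN_TTL and 'pic42' are hypothetical.
const TOKEN_TTL = 60; // seconds a token stays valid (assumed value)

// view.php side: call only after the viewer's access key was validated on the server.
// The token is random, so there is no algorithm in the SWF to recover.
function issue_image_token(array &$session, string $picId, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['img_tokens'][$token] = ['pic' => $picId, 'exp' => $now + TOKEN_TTL];
    return $token; // hand this to the movie, e.g. as a FlashVar
}

// picoutput.php side: returns the picture id to serve, or null to refuse.
function redeem_image_token(array &$session, string $token, int $now): ?string
{
    $entry = $session['img_tokens'][$token] ?? null;
    unset($session['img_tokens'][$token]); // single use: a replayed URL finds nothing
    if ($entry === null || $now > $entry['exp']) {
        return null;
    }
    return $entry['pic'];
}

// Constructed demo: plain arrays stand in for $_SESSION so this runs from the CLI.
$viewer = [];
$token = issue_image_token($viewer, 'pic42', 1000);
var_dump(redeem_image_token($viewer, $token, 1010)); // first request, inside the TTL
var_dump(redeem_image_token($viewer, $token, 1011)); // same token replayed

$stale = issue_image_token($viewer, 'pic42', 1000);
var_dump(redeem_image_token($viewer, $stale, 2000)); // token used after expiry

$stranger = []; // a different session, e.g. a request made without the viewer's cookie
var_dump(redeem_image_token($stranger, $token, 1010)); // token unknown to this session
```

In the real pages, pass `$_SESSION` (after `session_start()`) and `time()` in place of the demo array and timestamps. As post #8 says, this ties each request to a known session; it does not stop an authorised viewer from keeping the picture they were shown.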

  11. #11
    Senior Member calmchess's Avatar
    Join Date
    Sep 2006
    Location
    Earth
    Posts
    2,588
    here are some things you can do .

    1. create variables using a random number.....random(2000);
    2. search strings looking for a certain combination of characters such as .jpg....png etc
    don't allow the script to continue to execute unless the proper characters are found

    3. encrypt all data outside flash using php or other encryption software before pulling it into flash.
    4. create a secure directory for all your php pages...then use include or include once statements to pull your php into any html pages you are using.
    5. secure the directories that contain your .swf and use html not java in your html pages to pull in the .swf

    Use loadvars and php session variables to store data or server side actionscript using flash media server

    bullet proof no .............better than nothing yes!

  12. #12
    Product Designer keyone.it's Avatar
    Join Date
    Aug 2001
    Location
    Rome, Italy.
    Posts
    1,625
    @calmchess:

    1. you know that random() is deprecated, and is not a true random function?

    2. why should you not use scripts to load Flash content into the HTML document? you aware of the EOLAS issue in IE?

  13. #13
    Junior Member
    Join Date
    Feb 2007
    Posts
    11
    thanks for these bright ideas!

  14. #14
    Junior Member
    Join Date
    Feb 2007
    Posts
    11
    keyone, could you describe the second option more detailed?

  15. #15
    Senior Member calmchess's Avatar
    Join Date
    Sep 2006
    Location
    Earth
    Posts
    2,588
    I'm not criticizing anybody I'm sure there are other security considerations to be taken into account and implemented.....plz share any security thoughts or tactics that you possess......I'm always learning.

  16. #16
    Product Designer keyone.it's Avatar
    Join Date
    Aug 2001
    Location
    Rome, Italy.
    Posts
    1,625
    Well basically Bill Gates has been slapped in the face by people he stole code from.
    Thus Internet Explorer is no longer capable of loading ActiveX media directly from the markup: it must be printed in the document dynamically (from any kind of script).

    You can find all sorts of fixes, but a very good practice is to use the acclaimed swfObject script, that does all the dispatching stuff and loads the content in place.

    If you need to find info on this subject, google "EOLAS FIX" and "SWFOBJECT".

    Ciao

  17. #17
    Product Designer keyone.it's Avatar
    Join Date
    Aug 2001
    Location
    Rome, Italy.
    Posts
    1,625
    Hey Calmchess, if I appeared to be harsh or rude please forgive me, that wasn't my intent. I'm just stuck at work with too many open windows and sometimes I cut the conversation to the bone!

    I was just pointing out two issues in your answer, not for anything but to illustrate and discuss further.

  18. #18
    Senior Member calmchess's Avatar
    Join Date
    Sep 2006
    Location
    Earth
    Posts
    2,588
    well if random is deprecated then I say don't use it in a production script but it will still work wonderfully to make random variable names which will be difficult to guess even if all the script does is produce a list of variable names which have to be cut copied and pasted.....as far as not using java script I say that because some people turn it off for security reasons therefore it might not load if their java is turned off ... it's also well known that java can be used to exploit an improperly secured pc or server. so no to java yes to native flash or html way of embedding .swf into webpage.

  19. #19
    Junior Member
    Join Date
    Feb 2007
    Posts
    11
    calmchess - could you describe the random number idea a bit more detailed? i think i am still missing the point with random variable names

  20. #20
    Senior Member calmchess's Avatar
    Join Date
    Sep 2006
    Location
    Earth
    Posts
    2,588
    sure

    1. a flash page could potentially be reconstructed if the variable names can be easily guessed....the same holds true for php............probably isn't a huge concern though unless you are building flash that launches military missiles or some other government mind control program (just a little humor)

    2. using a random number/name for a variable helps to keep your flash variables unique and from conflicting with each other.
