Can PHP Pass Variables to Flash Without Revealing Them?
Normally in a web page you have your code to display a Flash movie which points to the source SWF file (e.g. src=”example.swf” or value=”example.swf”). I can replace the SWF file with a PHP script which will output the same movie (e.g. src=”example.php”) so that the end result is the same. The PHP script can be as simple as:
This works. However my issue is that I need to pass variables into example.swf so that the user doesn’t see them. In the above example I tried to use $file = ‘example.swf?foo=bar’; but that failed, as did trying to append a query string to the SWF file in the readfile line. Placing the query string in the header line isn’t an option since users can see that. Does anyone know of a way to pass variables to a SWF in PHP so that PHP can output the movie to the user?
There's another possibility, a little more flexible than using .htaccess, which is to point your embed tag source to a php file that writes out a 303 redirect header to the .swf location, including any variables you want to pass. I haven't seen this used much... it's something I came up with for the sexypolitics widget b/c they needed a way to track the inbound user's referring IP address even when it was embedded on myspace or other sites
myspace fiddled with the rules a bit so an embed tag then had to point to an actual .swf postfixed file, so at that point I renamed my php file to index.swf and set .htaccess on the folder to parse it as a php file regardless. I don't know your purpose, or if any of that matters. But basically if you set your embed tag source to be 'mysite.com/swf/' and make the index.php of the swf/ directory say something like:
header("Location: MySWF.swf?a=$a&b=$b",TRUE,303);
you can pass whatever you want in there, and you get the bonus of the HTTP_REFERER being recognized as the remote address, not the site the .swf is being embedded on -- so you can pass that IP into your .swf as a flashvar, too.
The only side effect of an actual header redirect is that if someone hit mysite.com/swf/ with their browser, they'll be redirected and the variables will be exposed. But, I guess you could do a mix of both to achieve the desired result. Hit a php script, do a redirect to another script, which matches a rewrite rule to append the variables.
if you feel that variables should not be visible in the page that embeds the example.php,
a) using a crypted string could help. someone dedicated could still decompile the movie to try and get the data
b) the movie could call back to your server and get the variables it wants from session variables
c) finally, once in the miracle world of php anyway, how about a script that amends your movie with some custom actionscript setting variables on _root.
You could have a look at the first entry at http://www.fontimages.org.uk - note that this script will not work with AS3
Yeah, it should be noted that there is no way to keep a determined viewer from seeing anything that you pass to the client side, whether the client's in flash, js, java, or anything else; if you're sending it over the wire to the client, it will be readable. Trying to obfuscate your variables or hide them or encrypt them makes it a little bit more difficult and a little less accessible to the average Joe. You can go a step further and write js confirmation code into whatever page is holding the flash file and do an external interface call to compare the flashvars received to those hidden in js vars on the page. That at least will keep the object from running out of context (e.g. it will not work if someone goes directly to the swf address).
At the end of the day, you just have to make sure all your logic is happening on the back-end, and that none of the data or server methods you're exposing to the client constitute a security risk.
Using ssl encrypts the response over the wire, but it's still being decrypted on the client side, so an https sniffer employed by the client can still read the data that the server's sending.
Can you give an example of a type of data you want to send into Flash that you need the user to have absolutely no access to? There's usually a way to structure your server-side to get around sending sensitive data to the browser, so that whatever processing needs the secure data is done on the server, and the rest of the processing on that result is left to the client...
The only side effect of an actual header redirect is that if someone hit mysite.com/swf/ with their browser, they'll be redirected and the variables will be exposed. But, I guess you could do a mix of both to achieve the desired result. Hit a php script, do a redirect to another script, which matches a rewrite rule to append the variables.
Pick your poison!
What if you use "_url" to check if they are mysite.com/swf/swf.swf?var1=v1&.... or if they are at mysite.com ? That way they are forced to view the swf from mysite.com not the actual file on your server.
To respond with a fully loaded SWF after reading the meta information from a database. In the database I would have the identifier "video1234" tagged with the location of the video, the title, related content, etc. The flashvars of the SWF would then be populated with the metadata.
It doesn't seem very easy to insert flashvars into an SWF file if you're passing it through PHP using the header method. It looks like my options are:
1. Redirect to the URL of the SWF with the flashvars in the query parameters. I don't want to do this. I want the URL in the bar to still appear to be http://www.example.com/video/video1234
2. Use URL rewriting and redirect to the SWF file. So a user hitting http://www.example.com/video/video1234 would behind the scenes be looking at http://www.example.com/swf/video.swf?v=video1234 - The SWF then could request its metadata directly from the database using the "video1234" identifier. This sounds like a fine solution, but I would prefer to have the code in PHP rather than in Actionscript. It's faster and easier to modify, and fits in better with the code I already have on the site.
3. A slight modification to 2) (and this seems like my best option) is to then call out to a PHP script like http://www.example.com/videometa/video1234 that would respond with some XML, but the round trip on this solution is costly. User hits URL, is redirected to SWF, which calls out to PHP, parses XML and finally plays the video. I'm fine with caching the final result, so maybe it's not ultimately the worst way to do this.
4. Use some code library that rips open the SWF, reads the bits and sticks in the flashvars. I have not even begun to work with this solution. It looks hard to debug and error prone, but maybe it's workable.
5. Use a PHP flash library such as Ming. Perhaps Ming could take an already coded SWF or FLA and write out the compiled SWF with the flashvars in it. I haven't gone very far down this road. I don't know how well it performs, among other things.
Do I have all of the options already? Does anyone have any comments? Any thoughts are greatly appreciated.
If all you're worried about is someone being able to call up your .flv on demand by faking that identifier in the flashvars, we've got a fairly good solution that we created when we built SexyPolitics.com... Upon loading, a PHP script creates a random token and writes it into a database table, keyed to the particular FLV you want to play (use a MEMORY engine for speed); that token is sent to Flash either in the initial flashvars or by a later URLRequest. When it's time to play the video, Flash then passes that token back to a PHP file which checks its validity, determines which .flv it refers to, deletes the token from the database, and streams the .flv file on success. Because the .flv is streamed through the PHP file that accepts or rejects the token, but resides in a folder blocked to the outside web by an .htaccess file, this prevents users from directly accessing the .flv; and since the token is single-use, they can't make a second request with the same token against the PHP file. It's not 100% fool-proof, but it ain't too bad.
There's another possibility, a little more flexible than using .htaccess, which is to point your embed tag source to a php file that writes out a 303 redirect header to the .swf location, including any variables you want to pass. I haven't seen this used much... it's something I came up with for the sexypolitics widget b/c they needed a way to track the inbound user's referring IP address even when it was embedded on myspace or other sites
myspace fiddled with the rules a bit so an embed tag then had to point to an actual .swf postfixed file, so at that point I renamed my php file to index.swf and set .htaccess on the folder to parse it as a php file regardless. I don't know your purpose, or if any of that matters. But basically if you set your embed tag source to be 'mysite.com/swf/' and make the index.php of the swf/ directory say something like:
header("Location: MySWF.swf?a=$a&b=$b",TRUE,303);
you can pass whatever you want in there, and you get the bonus of the HTTP_REFERER being recognized as the remote address, not the site the .swf is being embedded on -- so you can pass that IP into your .swf as a flashvar, too.
This is a very nice solution. The problem is that it doesn't work in Internet explorer. The arguments are not passed.
Do you have any idea why?
I've added a zip files with an example. The flash is waiting for id_country and id_language. If you test in firefox it works. In Internet explorer, Not.
My guess, looking at your code, is that IE is failing to pass the REQUEST variables you want.
I'm not saying this solution would work if you don't already know the address of the final php file or swf file in question. What it looks like you're doing is trying to use the 303 to perform a man-in-the-middle attack through an swf embed on a myspace page. This is not how the hack was designed to work. It's highly possible that client-side variables other than GET and POST would be lost in some browsers trying to pass data this way through a third party site like myspace. Either way, this was designed to strip HTTP_REFERER from the client when putting a widget on a third party site, not to use a 303 as a gateway in those sites to funnel whatever swf you want in... I think you're probably doing something malicious so I'll let you figure out the details for yourself.
My guess, looking at your code, is that IE is failing to pass the REQUEST variables you want.
I'm not saying this solution would work if you don't already know the address of the final php file or swf file in question. What it looks like you're doing is trying to use the 303 to perform a man-in-the-middle attack through an swf embed on a myspace page. This is not how the hack was designed to work. It's highly possible that client-side variables other than GET and POST would be lost in some browsers trying to pass data this way through a third party site like myspace. Either way, this was designed to strip HTTP_REFERER from the client when putting a widget on a third party site, not to use a 303 as a gateway in those sites to funnel whatever swf you want in... I think you're probably doing something malicious so I'll let you figure out the details for yourself.
Hi,
There's nothing malicious in what im doing, its just a question of centralize the download of any file of the webapp (internal) in a get_file manager. I have somefiles that are in the cachefly and other that are not. I have a develop server that has to read all the files locally and a production server that has to read some files in a cache fly.
The src of the files are keeped in a database and i just want to save in db the relative path not the cachefly path netheir the local path. That is managed by the get_file.
What i've sended its just a test. The 303 was in a desesperate way to make the things work.
It happens the same if i take off the 303 and left only the:
header("Location: $url_with_args");
Im seeing in the appache and in fact the apache receives a request first for the php get_file and then for the swf with the args.
It happens when i call the script from the firefox or from the internet explorer.
The thing is that firefox loads the swf and receive the args.
Internet explorer loads the swf but widthout args.
Can PHP Pass Variables to Flash Without Revealing Them?
Reply With Quote
Originally Posted by MyFriendIsATaco
