Tutorial: Hiding Flash parameters in a PHP script


I would like to call a swf file which takes some parameters, but I do not want those parameters to be visible on the client (let's say a secret authentication token or something like that).

I thought I would write a simple PHP proxy script like this:

header('Content-type: application/x-shockwave-flash');
readfile('http://path/to/swf/file.swf?here=are&some=parameters');

And then simply do

<embed src="/path/to/php/proxy.php" />

But the flash parameters don't seem to be making it to the swf. Is something like this possible?


There is no way to start a flash movie with any parameters that are not invisible to the user. (You always could use Firebug or something similar.)
The easiest approach would be to receive the data from the server after starting the movie and encrypt the communication between them.


The way you are doing it, the parameters are not being sent as part of the GET request, so Flash never sees them.

There is no straightforward way of doing what you want, but your best bet is to re-generate the auth token for the user each time they log in, and even rotate the token after each call you make to the server.

The real thing is that you can't hide anything from a sniffer (like Fiddler/Wireshark/Charles) so a dynamic token is probably the only way to go (resorting to HTTPS/AMF and anything palliative for securing the transport layer will just be an extra, as your primary token would still be in the clear.)


Think again about what you are doing. You are reading a swf file from disk and serving it to the user. I wonder why the file system takes the added "parameters" without error. Then the flash gets executed on the user's machine. Where are the arguments, now? You did not send them to the user, did you? You did not modify the flash file, did you? So yea, you are basically out of luck... You are only doing the same thing a web server does, only slower.

What you can do, though, is use a cross site scripting approach. Send out the frame HTML with a randomly generated "pass phrase". You store the "pass phrase" somewhere, like a database. Then use code such as:

<embed src="/path/to/php/proxy.php?pass=dfkhslrufbeuip" />

Only ever serve the file if it is a valid pass phrase.

OK, the flash is not protected; the user can still "save as" and play it alone. But at least you don't have the trouble of someone hogging your bandwidth from a different site...
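
The pass phrase check described in the answer above, as an added example that is not part of the original answers. The function names, the 60-second lifetime and the in-memory `$store` array (standing in for the database) are assumptions; as the answer says, this only gates who can fetch the file and hides nothing from the user who receives it.

```php
<?php
// Added example: one-time, expiring pass phrase for proxy.php.
// $store is an in-memory stand-in for the database table the answer mentions.

const PASS_TTL = 60; // seconds a pass phrase stays valid (assumed value)

// Called while rendering the frame HTML: create and remember a pass phrase.
function issue_pass(array &$store, int $now): string
{
    $pass = bin2hex(random_bytes(16));               // 128 bits from the CSPRNG
    $store[hash('sha256', $pass)] = $now + PASS_TTL; // keep only a hash at rest
    return $pass;
}

// Called by proxy.php: true exactly once per issued, unexpired pass phrase.
function redeem_pass(array &$store, string $pass, int $now): bool
{
    $key = hash('sha256', $pass);
    if (!isset($store[$key])) {
        return false;                                // unknown or already used
    }
    $expires = $store[$key];
    unset($store[$key]);                             // single use, even if expired
    return $now <= $expires;
}

// What proxy.php would do with the result ($file is a placeholder path).
function serve_swf(array &$store, string $pass, string $file, int $now): int
{
    if (!redeem_pass($store, $pass, $now)) {
        return 403;                                  // caller sets the 403 status
    }
    header('Content-Type: application/x-shockwave-flash');
    readfile($file);
    return 200;
}

// Constructed walk-through; runs from the CLI without a web server.
$store = [];
$t0    = 1700000000;                                 // constructed timestamp
$pass  = issue_pass($store, $t0);
echo '<embed src="/path/to/php/proxy.php?pass=' . htmlspecialchars($pass) . '" />', PHP_EOL;
var_dump(redeem_pass($store, $pass, $t0 + 5));       // first request for the URL
var_dump(redeem_pass($store, $pass, $t0 + 6));       // replay of the same URL
$late = issue_pass($store, $t0);
var_dump(redeem_pass($store, $late, $t0 + PASS_TTL + 1)); // redeemed after expiry
```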


GET parameters don't work that way. They only work through the web. Can your SWF file accept parameters through some other method such as POST?

The best way would be to encrypt them but almost anything you do will likely require changing the Flash to accept some other kind of input.
