PHP – Securing data from Flash

PHP – Securing data from Flash

The topic of security in PHP is a long standing one in the developer community. Often times you will find security is simply overlooked. The most recent example (that I found) is the Untraceable movie web site interactive puzzle game. Once you complete the game your time and name is entered into the database to be displayed on the high score screen.

Here is an example of that easy to modify URL (removed the full path)

https://…/score.php?score=02{9eb845e9932a4c0558a0305a78bf1c2d5042d8a06323e6cdeacdb9c8597fbf65}3A41&name=JAMES{9eb845e9932a4c0558a0305a78bf1c2d5042d8a06323e6cdeacdb9c8597fbf65}20B{9eb845e9932a4c0558a0305a78bf1c2d5042d8a06323e6cdeacdb9c8597fbf65}2E

As you can see the time and username are clearly visible in the URL, which in this example is 2 minutes & 41 seconds.

Now that you can see the issue, lets look at how to stop this basic modification ability. This example will use ActionScript 3 and the MD5 library provided by Adobe’s AS3CoreLib.

import com.adobe.crypto.MD5;

var salt:String = "439df098";

function sendScore(name:String, score:String):void
{
  var scoreHash:String = MD5.hash(salt + score);

  var query:String = "?n=" + name +
    "&s=" + score +
    "hash=" + scoreHash;

  var req:URLRequest = new URLRequest("score.php" + query);
  var urlLoader:URLLoader = new URLLoader();
  urlLoader.addEventListener(Event.COMPLETE, scoreSent);
  urlLoader.load(req);
}

sendScore("James", "2:41");

Once the ActionScript is developed, the next step is to work out the PHP.

The PHP will take the same salt (which would be private) and test the hash to determine if the entry is valid.

As you can see this code is not very advanced, but easily protects your score submitting or any type of form submission from fraudulent entries.