PHP File Access

what about breaking them down into 'if' statements
just use a page.php?showme=1
if ($showme == 1) {
0=1;
ID=1;
1=Comp.swf;
initials=C.swf;
}
...
but remember variables can't start with a number

also how is the info getting there, from a link or form, post and get do different things

Busy, that's PHP formatted data being sent to Flash MX, which I copied by visiting the PHP page.

I only want that page to be accessed by the Flash MX file...in other words, I don't want someone to freely access 'contentEngine.php' and grab all the name/value attribute pairs.

Cheers,

Tony

PHP to flash, hmmm - pass

just use some validation on the 'contentEngine.php' page, a referrer check and/or extra variable check
Or just make what your passing unreadable (or backwards) on=off, left=right, north=east ... just be sure to write it down or you'll confuse yourself
You could also use your .htaccess to allow from only one place/page/section

"Or just make what your passing unreadable (or backwards) on=off, left=right, north=east ... just be sure to write it down or you'll confuse yourself"

Do you have an example of this?

Cheers.

Well, the only way I know to protect the file is by using some kind of checks. I'm not familiar with Flash MX, so I'll try to provide as many general options as possible.

Option One
Find out what the value of the User-Agent header is. If it identifies flash, this would be great to use. If there is a User-Agent, you could use .htaccess to protect the directory/file. Or some PHP like:

Option Two:
I believe you tell Flash which URL to retrieve. So you might append a key or password to this. Such as "contentEngine.php?whoami=super_secret_script".

Option Three:
If possible, you might add some custom headers to the HTTP Request. A basic HTTP Request looks like this:

You may also consider encrypting your data. I don't know what decyption options Flash has, so you'll have to research that.

In the third option, where would this code be placed:

GET /contentEngine.php HTTP/1.1
Connection: Keep-Alive
User-Agent: super secret script
Accept: */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
My-Header: My-Value

And in the first option, how can I find out the value of the User-Agent header?

Flash unfortunately has little in the way of encryption/decryption and all strings/passwords within an .swf file can be easily viewed in an actionscript decompiler.

Third option... you'll have to open a socket connection to the server, and send that out. Then listen for the reply (HTTP Response). This is more difficult option, but for some projects, it offers so many options.

To find the User-Agent, ehhhh... I can't think of anything creative with PHP right now, so I'll use an old tool. Download this: http://host.maxalbert.com/twf/TCP_receiver.exe (24KB)

I know it's not pretty. I made it to debug some applications I was making. But it still works. I think it requires the VB6 runtime, but I never made an installer for it.

o Make a flash script open a file at: http://127.0.0.1:80/example.html
o Run the TCP_receiver.exe.
o Change to port to whatever you want (80 used above) and click Apply.
o Run your flash script.
o TCP_receiver.exe should now contain the HTTP Request from the Flash script (which will probably die waiting for a reply).

If you get anything, post it. I'd be very interested in seeing what Flash says. The line of dashes is just to seperate stuff. It's not sent by anything.

Mark, I don't have VB installed, it needed some other files in order to install.

I'm now linking to the query PHP page from another PHP page (instead of the .swf) because 'referer' was returning null.

Can I add some more security to this script, I read 'referer' can be easily spoofed.

?>
$ref = $HTTP_SERVER_VARS['HTTP_REFERER'];

if ($ref== "currentScript.php"){
'executeQuery()'
} else {
die ("no access");
}

Cheers,

TonyMontana