
Security Concerns with having sql queries in swf files

EmperorIQ

Platinum Member
I have swf where I communicate to the database via php. A sql query is passed to the php file, and the php file makes a call to the database with the query.

What are the security concerns with having sql queries in your swf file? I've been searching for a while and all I have found are ways on communicating to the database with flex. I have yet to find anything with respect to having sql queries coded in your swf. I'm just a bit worried as swf files can be decompiled and people can see the code.

Thanks!
 
i haven't touched flash in 10 years, but my guess would be the same as yours - swf files can be downloaded. if someone can see the query, it can give them information that they're not supposed to have

keep the query in a php file
 
I know nothing about swf, but if they can be decompiled, and your PHP script is just passing the query to the db server, wouldn't that then allow an attacker to execute any arbitrary query against the database?
 
Hmm... so it's probably best to keep the query in the php files, and have the swf just know what php file to call for whatever data it needs.
 
The SWF is just as insecure as if you were making the call from javascript code running in the browser.

Also assume that anyone who cares can use a packet sniffer to see what PHP page is being called and what parameters are being passed to it. After that, they can easily make a request directly to the PHP page without using your SWF.

You might want to pass something like "1" or "2" (for query type #1, type #2) + any flags/parameters instead of raw SQL, and have the PHP page build the query from that.

lookup.php ? qtype=1 & id=(user ID) >> returns list of orders

lookup.php ? qtype=3 & id=(user ID) & oud=(order-id) >> returns tracking for order (order-id)

This can be even stronger than sanitizing SQL queries since the queries are hard-coded in the PHP code. You still need to validate each of the CGI variables though since an attacker can try passing unexpected qtypes and IDs.
 
Originally posted by: EmperorIQ
Hmm... so it's probably best to keep the query in the php files, and have the swf just know what php file to call for whatever data it needs.

Exactly - only have the Flash pass GET or POST parameters to your php files, which will do the rest of the processing.

You should keep the database name / user / password in a file outside of the WWW / public_html / httpdocs / whatever it is on your server folder (in your php files that are inside of the www folder, you should just be able to do include('../passwords.php');).
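The pattern the replies describe (a fixed query selected by number, every CGI variable validated, credentials included from outside the web root), as an added example that is not code from the thread. It assumes hypothetical tables `orders(id, user_id, status)` and `shipments(order_id, carrier, tracking_no)` and a hypothetical credentials file `../db_credentials.php` that returns `[$dsn, $user, $pass]`.

```php
<?php
// Added example: lookup.php with hard-coded queries chosen by qtype (not the poster's code).
declare(strict_types=1);

// Credentials live one level above public_html; the file name is an assumption.
[$dsn, $dbUser, $dbPass] = require __DIR__ . '/../db_credentials.php';

// Every query the SWF may trigger is fixed here; the client only picks one by number.
const QUERIES = [
    1 => ['sql'    => 'SELECT id, status FROM orders WHERE user_id = :id',
          'params' => ['id']],
    3 => ['sql'    => 'SELECT s.carrier, s.tracking_no FROM shipments s
                       JOIN orders o ON o.id = s.order_id
                       WHERE o.user_id = :id AND o.id = :oid',
          'params' => ['id', 'oid']],
];

// Accept only a plain integer >= 1; "1 OR 1=1", "1.5" and "" all fail validation.
function positiveInt(array $src, string $key): ?int {
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

$qtype = positiveInt($_GET, 'qtype');
if ($qtype === null || !isset(QUERIES[$qtype])) {
    http_response_code(400);
    exit('unknown query type');
}

// Bind exactly the parameters this query type expects; anything else is ignored.
$bound = [];
foreach (QUERIES[$qtype]['params'] as $name) {
    $val = positiveInt($_GET, $name);
    if ($val === null) {
        http_response_code(400);
        exit("bad parameter: $name");
    }
    $bound[":$name"] = $val;
}

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
$stmt = $pdo->prepare(QUERIES[$qtype]['sql']);
$stmt->execute($bound);

header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The `id` value is still whatever the client sends, so anyone can ask for another user's orders; in a real deployment take the user ID from the authenticated session instead of the query string.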
 