Hi,

MD5 is one-way encryption - you can't un-encrypt it, but you can use it to send a hashed version of your variables between Flash and the server, then you compare the hashed variable with the one you hash:

   <?php
   //OT...
   if (isset($_POST['hash'])) {
       //Don't just trust your input like this, you should check it further earlier or later for dodgy variables / strings / slashes, etc...
       $user  = isset($_POST['user']) ? $_POST['user'] : NULL;
       $ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : NULL;
       $today = isset($_POST['date']) ? $_POST['date'] : NULL;
       if (NULL == $user || NULL == $ip || NULL == $today) {
           exit();
       }
       $posted_hash = $_POST['hash'];

       $hash = md5($user . $ip . $today);
       //strict comparison: with ==, two different "0e..." hex strings compare equal as numbers
       if ($hash === $posted_hash) {
           //variables have not been tampered with - do something...
       }
   } else {
       //user has requested hash for today, send it using "LoadVars" style - they will post it back next time...

       echo "hash=" . md5("jimbo" . $_SERVER['REMOTE_ADDR'] . date("d/m/Y"));
   }
   ?>

Jobe Makar did a nice example of securing a "scoreboard" app in Flash / ASP in the Flash MX Game Design Demystified.

It used XML - which is a bit rubbish in PHP if you have not got it compiled into your PHP interpreter, check with phpinfo() - the XML scores / user / login stuff was encrypted with a simple rotation encryption and decrypted in the same way in Flash. If you have his book or can find the example, then it's worth looking at.

This discussion probably covers what you are looking at:

http://forums.whirlpool.net.au/forum-replies-archive.cfm/592747.html

You may be better off using sessions or making people log-in and having 1 vote per picture per user.

Hope this starts you off in the right direction.

Glen
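
A hardened form of the hash check above, as an added example that is not part of the original post: it swaps the bare md5() for HMAC-SHA256 keyed with a server-side secret, binds the token to the picture, the client IP and the issue time, and compares with hash_equals(). VOTE_SECRET, TOKEN_TTL, issue_token() and verify_token() are hypothetical names, and the secret, picture ids, IP addresses and clock value are constructed.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical
// and the secret is a constructed value that would live in server config.
const VOTE_SECRET = 'constructed-example-secret-change-me';
const TOKEN_TTL   = 600; // seconds a token stays valid (assumed value)

// Issue a token bound to picture, client IP and issue time: "<time>.<hex mac>".
function issue_token(string $picture, string $ip, int $now): string
{
    $mac = hash_hmac('sha256', $picture . '|' . $ip . '|' . $now, VOTE_SECRET);
    return $now . '.' . $mac;
}

// Accept only a well-formed, unexpired token issued for this picture and IP.
function verify_token($token, string $picture, string $ip, int $now): bool
{
    if (!is_string($token) || !preg_match('/\A(\d{1,12})\.([0-9a-f]{64})\z/', $token, $m)) {
        return false;                       // array input, wrong shape or length
    }
    $issued = (int) $m[1];
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return false;                       // dated in the future, or expired
    }
    $expected = hash_hmac('sha256', $picture . '|' . $ip . '|' . $issued, VOTE_SECRET);
    return hash_equals($expected, $m[2]);   // constant-time string comparison
}

// Constructed sample run (documentation IP ranges, fixed clock).
$now   = 1700000000;
$token = issue_token('pic42', '203.0.113.7', $now);

var_dump(verify_token($token, 'pic42', '203.0.113.7', $now + 30));    // same picture and IP, 30 s later
var_dump(verify_token($token, 'pic99', '203.0.113.7', $now + 30));    // token presented for another picture
var_dump(verify_token($token, 'pic42', '198.51.100.9', $now + 30));   // token presented from another IP
var_dump(verify_token($token, 'pic42', '203.0.113.7', $now + 3600));  // token presented after TOKEN_TTL

// A value built from the same fields but without VOTE_SECRET, which is all
// the page's md5($user . $ip . $today) recipe requires of a client.
$forged = $now . '.' . hash('sha256', 'pic42|203.0.113.7|' . $now);
var_dump(verify_token($forged, 'pic42', '203.0.113.7', $now + 30));
```

A valid token can still be presented more than once until it expires, so the one-vote-per-picture rule has to be recorded and enforced on the server as well.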

Adrian Ionut Beschea wrote:
With your Flash, in your SWF you can send an encrypted key together with the vote. Say you send a string like: str = MD5.encrypt("userID"+todayDate+someOtherStuff);

and then decode it in PHP. There are MD5 classes for both ActionScript and PHP. This is not 100% proof. Once the evildoer decompiles the SWF he might figure out what to send, but if you obfuscate the code and maybe throw in some misleading lines (e.g. userId stands in fact for date and date stands for user id) it might do the trick.

Thomas Nordahl <[EMAIL PROTECTED]> wrote:
I got a Flash that loads images posted by users, and then anyone can vote for their favorite, but the problem is that some people have made a bot running from a proxy to update the PHP vote-string, which means I can't trace their IP and then narrow it down to one vote per picture per IP.

Is there any way I can make sure the vote is coming from the SWF, and that in a way that can't be traced so there can be made a new bot?

Does anyone here have a solution to my problem?


Best Regards
Thomas Nordahl
_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com

