Thanks everyone for your help on this.
I was hoping for some ideas but now I have loads of them!
We will look into these replies in more detail in the coming days. It's
interesting to know the different approaches available.
I'm starring this!
Clark.
On 11 August 2010 14:57, Imap.gmail.com wrot
Use a token system. Accessing the entry page, preferably by the submission and
validation of a username and password, have the server randomly generate a
token and store it in php (or whatever your server side language is written in)
session variables. For any other data request of any kind, q
Clark Stevenson wrote:
Hi all.
I am new to AMFPHP. Let's say you have a class and a function:
SomeClass.saveHighScore(304958);
For me, the way I see it, is that anyone using Charles can call this
method? What's to stop anyone from calling it directly?
SomeClass.saveHighScore(20394948548438484).
You shouldn't send sensitive data to begin with; you need to calculate it on
the server and call saveHighScore() without parameters, so only the server will know
what the score was. No matter what your client technology is, the client
cannot be trusted.
ple types, untyped VOs or typed
VOs makes any difference from security point of view.
Mit freundlichem Gruß,
Zoli
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Patrick Mineault
Sent: Thursday, January 18, 2007 6:29 PM
To: flexcoders@yah
Wouldn't Fluorine and OpenAMF throw a type-coercion error, given that
the first argument is typed? Of course, the code in the constructor
would be called anyways.
Patrick
Zoltan Csibi a écrit :
>
> Hi,
>
> I would like to underline that somebody with good AMF knowledge can
> craft strongly t
Hi,
I would like to underline that somebody with good AMF knowledge can craft
strongly typed objects and send them to the server-side. If the "deleteUser"
doesn't require authentication and authorization, it can be hacked in any
language.
function deleteUser($userVO)
{
$userVO->delete();
}
We
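A hardened form of the deleteUser handler quoted above, written here as an added example (it is not code from this thread or from the AMFPHP project): the class names UserVO and UserService, the session keys and the lookup table are assumptions for illustration. It shows the three checks the thread calls for: the request must belong to a server-side session, the payload's class is verified with is_a() because the type name in an AMF stream can be forged, and authorization is decided from server-side data rather than from fields the client sent.

```php
<?php
// Added example, not part of the original thread or of AMFPHP itself.
// UserVO, UserService and the session keys are assumed names.

class UserVO
{
    public $id;
    public $ownerId;

    public function delete()
    {
        // A real implementation would issue the DELETE here; the example
        // only reports what it would do.
        return "deleted user {$this->id}";
    }
}

class UserService
{
    // Every call must carry a valid server-issued session. The client
    // (the SWF, Charles, or a hand-built AMF message) is never trusted.
    private function requireLogin()
    {
        if (!isset($_SESSION)) {
            session_start();
        }
        if (empty($_SESSION['user_id'])) {
            throw new Exception('authentication required');
        }
        return (int) $_SESSION['user_id'];
    }

    public function deleteUser($userVO)
    {
        $callerId = $this->requireLogin();

        // Zoltan's point: the class name in the AMF stream proves nothing,
        // so verify it on the server and never call a method on an object
        // of an unexpected class.
        if (!is_a($userVO, 'UserVO')) {
            throw new Exception('unexpected payload type');
        }

        // Authorization: the caller may only delete a record they own, or
        // must be an administrator. The owner is taken from server-side
        // data, not from the client-supplied VO, which could say anything.
        $targetId = (int) $userVO->id;
        $ownerId  = $this->lookupOwnerId($targetId);
        $isAdmin  = !empty($_SESSION['is_admin']);
        if ($ownerId !== $callerId && !$isAdmin) {
            throw new Exception('not authorized');
        }

        // Operate on a freshly built server-side object, not on the
        // deserialized one.
        $record = new UserVO();
        $record->id = $targetId;
        $record->ownerId = $ownerId;
        return $record->delete();
    }

    // Constructed stand-in for a database lookup (user id => owner id).
    private function lookupOwnerId($id)
    {
        $table = array(7 => 42, 8 => 99);
        if (!isset($table[$id])) {
            throw new Exception('no such user');
        }
        return $table[$id];
    }
}

// Demonstration when run from the command line: a logged-in user 42 sends
// a legitimate VO, a VO for someone else's record, and a forged object.
if (PHP_SAPI === 'cli') {
    $_SESSION = array('user_id' => 42);   // simulated session, constructed
    $svc = new UserService();

    $legit = new UserVO();  $legit->id = 7;   // owned by 42
    $other = new UserVO();  $other->id = 8;   // owned by 99
    $forged = new stdClass(); $forged->id = 7; // wrong class entirely

    foreach (array($legit, $other, $forged) as $payload) {
        try {
            echo $svc->deleteUser($payload), "\n";
        } catch (Exception $e) {
            echo 'rejected: ', $e->getMessage(), "\n";
        }
    }
}
```

The ownership check is the part most often missing: a type check alone still lets any authenticated user delete any record, because the id inside the VO is chosen by the client.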
Thanks for the detailed reply. You might think about posting that to
your blog since I have seen very little discussion about VOs in PHP
and whether to use them or not. I think you have valuable insight.
(I've seen people send SQL over the
wire, unencrypted, and unsecured)
Sadly, in my f
I think you are being very reasonable here when considering VOs, as a
lot of people tend to use them blindly, esp. people coming from Java
backgrounds. A thing I hear very often is "with VOs you can be sure what
data you receive", which is true in a typed language, but in a dynamic
language, th
On Jan 17, 2007, at 10:27 AM, Patrick Mineault wrote:
So you either have to make sure you do receive the VO type
you expect, using instanceof or is_a, or you should only use "dumb"
VOs
which don't have any methods.
I think that this is an important point, so I want to make sure I
underst
lock down security.
Those were my thoughts anyway... :)
-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Kevin
Sent: Tuesday, January 16, 2007 11:09 PM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] AMFPHP & Security
Is there
Amfphp is not inherently less secure than FDS. Anybody who wants to can
spoof requests to FDS or amfphp, just like they can for HTTP POST. As a
side-note, users don't have to bother to decompile your SWF; they can
just sniff packets coming in or out of your movie using ServiceCapture
or Charles
Is there any good information available on how to properly secure
AMFPHP/Flex? It seems like a simple decompile of the swf file can
expose a wealth of information which could allow a hacker to easily
connect to the gateway and call any number of methods. Is there any
information on availa
13 matches