Re: [flexcoders] AMFPHP Security?

2010-08-12 Thread Clark Stevenson
Thanks everyone for your help on this. I was hoping for some ideas but now I have loads of them! We will look into these replies in more detail in the coming days. It's interesting to know the different approaches available. I'm starring this! Clark. On 11 August 2010 14:57, Imap.gmail.com

Re: [flexcoders] AMFPHP Security?

2010-08-11 Thread Oleg Sivokon
You shouldn't send sensitive data to begin with; you need to calculate it on the server and call saveHighScore() without parameters, so only the server will know what the score was. No matter what your client technology is, the client cannot be trusted.

Re: [flexcoders] AMFPHP Security?

2010-08-11 Thread hamann . w
Clark Stevenson wrote: Hi all. I am new to AMFPHP. Let's say you have a class and a function: SomeClass.saveHighScore(304958); For me, the way I see it, is that anyone using Charles can call this method? What's to stop anyone from calling it directly?

Re: [flexcoders] AMFPHP Security?

2010-08-11 Thread Imap.gmail.com
Use a token system. Accessing the entry page, preferably by the submission and validation of a username and password, have the server randomly generate a token and store it in PHP (or whatever your server side language is written in) session variables. For any other data request of any kind,

RE: [flexcoders] AMFPHP Security

2007-01-18 Thread Zoltan Csibi
Hi, I would like to underline that somebody with good AMF knowledge can craft strongly typed objects and send them to the server-side. If the deleteUser doesn't require authentication and authorization it can be hacked in any language. function deleteUser($userVO) { $userVO->delete(); }

Re: [flexcoders] AMFPHP Security

2007-01-18 Thread Patrick Mineault
Wouldn't Fluorine and OpenAMF throw a type-coercion error, given that the first argument is typed? Of course, the code in the constructor would be called anyways. Patrick Zoltan Csibi wrote: Hi, I would like to underline that somebody with good AMF knowledge can craft strongly typed

RE: [flexcoders] AMFPHP Security

2007-01-18 Thread Zoltan Csibi
security point of view. Kind regards, Zoli From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Mineault Sent: Thursday, January 18, 2007 6:29 PM To: flexcoders@yahoogroups.com Subject: Re: [flexcoders] AMFPHP Security

Re: [flexcoders] AMFPHP Security

2007-01-17 Thread Patrick Mineault
Amfphp is not inherently less secure than FDS. Anybody who wants to can spoof requests to FDS or amfphp, just like they can for HTTP POST. As a side-note, users don't have to bother to decompile your SWF; they can just sniff packets coming in or out of your movie using ServiceCapture or

RE: [flexcoders] AMFPHP Security

2007-01-17 Thread Beverly Guillermo
down security. Those were my thoughts anyway... :) -Original Message- From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sent: Tuesday, January 16, 2007 11:09 PM To: flexcoders@yahoogroups.com Subject: [flexcoders] AMFPHP Security Is there any good

Re: [flexcoders] AMFPHP Security

2007-01-17 Thread Kevin
On Jan 17, 2007, at 10:27 AM, Patrick Mineault wrote: So you either have to make sure you do receive the VO type you expect, using instanceof or is_a, or you should only use dumb VOs which don't have any methods. I think that this is an important point, so I want to make sure I

Re: [flexcoders] AMFPHP Security

2007-01-17 Thread Patrick Mineault
I think you are being very reasonable here when considering VOs, as a lot of people tend to use them blindly, esp. people coming from Java backgrounds. A thing I hear very often is with VOs you can be sure what data you receive, which is true in a typed language, but in a dynamic language,

Re: [flexcoders] AMFPHP Security

2007-01-17 Thread Kevin
Thanks for the detailed reply. You might think about posting that to your blog since I have seen very little discussion about VOs in PHP and whether to use them or not. I think you have valuable insight. (I've seen people send SQL over the wire, unencrypted, and unsecured) Sadly, in my

[flexcoders] AMFPHP Security

2007-01-16 Thread Kevin
Is there any good information available on how to properly secure AMFPHP/Flex? It seems like a simple decompile of the swf file can expose a wealth of information which could allow a hacker to easily connect to the gateway and call any number of methods. Is there any information on