Comments on: Basics to securing AMFPHP

By: Janes

Janes — Wed, 21 Oct 2009 03:07:10 +0000

CJ, I suppose you have already worked out? To say, it is hard to hide since the Flash application itself is located on a client machine, you can however, get PHP to remotely detect before it generate a unique session id on clients computer.

By: CJ

CJ — Fri, 05 Jun 2009 16:53:25 +0000

I have been testing in the Flash IDE which accesses my gateway.php file over the internet. I would now like to turn off all remote access to gateway.php so that only server located swfs can access the gateway. I assumed that setting PRODUCTION_SERVER to true in gateway.php would accomplish this. After doing this I can still access the gateway.php from the flash IDE which isn’t supposed to be allowed with this flag set to true. Any help would be greatly appreciated.

Thanks

By: AMFPHP - The Flash Remoting Gateway « SilenceIT

AMFPHP - The Flash Remoting Gateway « SilenceIT — Mon, 16 Mar 2009 20:22:23 +0000

[...] http://wadearnold.com/blog/?p=30 [...]

By: Razvan

Razvan — Wed, 18 Feb 2009 15:36:33 +0000

@Figo
Uhm.. i think it doesn`t matter the name of the files.. the swf sources can be decompiled. ? I`m looking for better securing tips.

By: Edwin C. Cheung Blog » Blog Archive » AMFPHP 1.9 Beta

Edwin C. Cheung Blog » Blog Archive » AMFPHP 1.9 Beta — Thu, 29 Jan 2009 15:31:45 +0000

[...] AMFPHP docs AMFPHP 1.9 beta2 from SourceForge Video Tutorial – Intro to AMFPHP 1 (gotoandlearn.com) – Set up and simple email service Video Tutorial – Intro to AMFPHP 2 (gotoandlearn.com) – use mysql to return data AMFPHP Security Basics based on this blog post by Wade Arnold [...]

By: Figo

Figo — Sat, 24 Jan 2009 17:09:27 +0000

These are great tips. Thank you.

How about altering the simple stuff as well?

Wouldn’t renaming the ‘amfphp’ folder as well as ‘gateway.php’ provide just a little bit more peace of mind?

Only your Flash/Flex/AIR app needs to know where the gateway is and what it’s called. For example, you could give “amfphp/gateway.php” path an arbitrary name like “_magikk/nu79fi6Lc5z8PsWsEfCKl3PjvZSwxZFN.php”

Works for me without any hassles

By: passingby

passingby — Fri, 08 Aug 2008 22:31:09 +0000

why do you need to use SSL to secure this?

i guess what i mean is if you were calling a php script directly you would get back all of the data output by the script (e.g. the output isn’t hidden). the only difference is that when using AMFPHP, the output data is encapsulated in AMF format.

so what *specific* data are we hiding in the returned output via the SSL? for a basic mysql select, i wouldn’t think any id / passwords are being sent.

thanks

By: The Flash Blog » AMFPHP Security Basics

The Flash Blog » AMFPHP Security Basics — Wed, 06 Aug 2008 03:33:52 +0000

[...] can take to make it as secure as possible. Most of what I’m going to share was taken from a blog post written by Wade Arnold. One important thing to note right off the bat is that I will be talking [...]

By: Chris Charlton

Chris Charlton — Thu, 17 Jul 2008 21:22:19 +0000

Wade – I can help. I’m on the AMFPHP list, but I know the docs and writing stuff can take time and I’m willing to toss in a couple hours to get something rolling or ironed out.

By: Joshua Ostrom

Joshua Ostrom — Wed, 02 Jul 2008 04:54:04 +0000

Wade,
I posted on a simple approach to using the beforeFilter

Two lines of code…

public function beforeFilter($function_called)
{
$memberName = $function_called.”Roles”;
return (@$this->$memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
}

Anxious to see what approach an ‘insider’ like yourself is taking