
JSON to swf and from swf to php?

kaiser-d
JSON to swf and from swf to php? Aug. 20th, 2012 @ 09:06 PM

So I've been trying for a while now to figure out a reliable way to get data from a database to a swf and back. Originally I was using xml with php but this seemed kind of clunky. I've been using JSON quite a bit in web development lately, and can already handle it fine with both php and javascript. However I am pretty buggered about how to get this passed to flash effectively, or vice versa. I would like to be able to do this so I can incorporate flash into a database driven game and not have to do it all in Canvas/javascript. Can anyone give me any pointers on how to go about this? Specifics would be much appreciated, I've already been lurking at stackoverflow.com and noticed a few posts pointing out flash libraries, but I am a bit lost in the actual technique. I would like to do this with $_POST if possible to incorporate it into AJAX functions. Thanks in advance.


FB | Blog
If you ever wondered who to blame for your problems, find a mirror.

kaiser-d
Response to JSON to swf and from swf to php? Aug. 20th, 2012 @ 09:09 PM

I should also mention that I am using PHP 5.4.4 and Flash CS5, and would prefer a solution in AS3 if possible, if this is relevant.


egg82
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 01:23 AM

Flash -> PHP -> MySQL -> PHP -> Flash

Just please, please, please make sure everything is handled server-side so you don't end up with hacked clients that actually work.

I started on an API to do this, but got stuck around the Flash -> PHP encryption (Rijndael was different) - I'll get it finished at some point, but since I don't actually need it right now it's not very high up on the to-do. Everything works except the public/external encryption.

Anyway, all you have to do is use PHP's $_GET[] global variable and Flash's URLLoader class. As long as you know how to make PHP and MySQL work (it's easy, there's two different classes for it so just pick one) then you've got it made.

Just remember that the URLLoader class expects special input. I go with the
variable1=string1&variable2=string2&variable3=string3
method, but it's all preference.


Programming stuffs (tutorials and extras)
PM me (instead of MintPaw) if you're confuzzled.
thank Skaren for the sig :P

kaiser-d
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 02:48 AM

I get how to do the mysql and php thing. I'm actually better with those than I am with AS3. I have a database on my webserver which is largely managed by Perl/Ruby scripts, and a couple of pages in php that I want to integrate flash into. I would like to use POST because I do not want the data encoded in the URL for security reasons. I have other page elements written in html/javascript that handle variables that do not need to be secured, but I need to securely pass info to and from the flash elements without the URL encoding that results from using the GET method if that is possible. Essentially for the project in question the workflow works thusly:

1) php extracts data from mysql, converts to json
2) non-critical json passed to javascript, inserted into page elements via innerhtml
3) ??? flash needs to accept json and initialize things based on what is handed to it from php
4) flash handles graphic intensive processes, sends variables via json to update other page elements
5) ??? upon completion of task, data is posted from flash, handled again by php, and updated to database
6) new instance is called after updating and process repeats

That's pretty much how this project needs to work. That way the only info floating around where anyone could hack it is not critical to the overall system. What is posted back to the database is not user generated, it is the result of interaction with the flash elements and not directly user editable. The reason I don't want to use GET is because I do not want to be displaying plainly what my query/variable structure looks like. I suppose someone could decompile the swf if they were really determined and figure out part of it, but they aren't going to get what is going on server-side from that, only what is being passed to the server from the swf and vice versa. I would also like very much if people could not submit javascript inside the URL to hack my program, which is possible with the GET method. I am using an htaccess file to lock the php directory also, so it can only be accessed by the things that are supposed to access it.


milchreis
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 05:03 AM

At 8/21/12 02:48 AM, kaiser-d wrote: I would like to use POST because I do not want the data encoded in the URL for security reasons.

How is GET less secure than POST?

At 8/21/12 02:48 AM, kaiser-d wrote: The reason I don't want to use GET is because I do not want to be displaying plainly what my query/variable structure looks like.

GET and POST both expose their data in the actual network communication.

At 8/21/12 02:48 AM, kaiser-d wrote: What is posted back to the database is not user generated, it is the result of interaction with the flash elements and not directly user editable.

It is client side, which means in terms of security: it is user editable.
Consider your flash source code exposed the same way as Javascript.

egg82
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 07:21 AM

At 8/21/12 02:48 AM, kaiser-d wrote: I get how to do the mysql and php thing. I'm actually better with those than I am with AS3. I have a database on my webserver which is largely managed by Perl/Ruby scripts, and a couple of pages in php that I want to integrate flash into. I would like to use POST because I do not want the data encoded in the URL for security reasons. I have other page elements written in html/javascript that handle variables that do not need to be secured, but I need to securely pass info to and from the flash elements without the URL encoding that results from using the GET method if that is possible. Essentially for the project in question the workflow works thusly:

1) php extracts data from mysql, converts to json
2) non-critical json passed to javascript, inserted into page elements via innerhtml
3) ??? flash needs to accept json and initialize things based on what is handed to it from php
4) flash handles graphic intensive processes, sends variables via json to update other page elements
5) ??? upon completion of task, data is posted from flash, handled again by php, and updated to database
6) new instance is called after updating and process repeats

That's pretty much how this project needs to work. That way the only info floating around where anyone could hack it is not critical to the overall system. What is posted back to the database is not user generated, it is the result of interaction with the flash elements and not directly user editable. The reason I don't want to use GET is because I do not want to be displaying plainly what my query/variable structure looks like. I suppose someone could decompile the swf if they were really determined and figure out part of it, but they aren't going to get what is going on server-side from that, only what is being passed to the server from the swf and vice versa. I would also like very much if people could not submit javascript inside the URL to hack my program, which is possible with the GET method. I am using an htaccess file to lock the php directory also, so it can only be accessed by the things that are supposed to access it.

Ahh, it seems you don't quite understand how all of that works. It's fine, not a whole lot of flash programmers do (it's not like it's actually useful to flash 99% of the time).

The difference between GET and POST:
The difference is that GET variables are visible in (and taken from) the URL directly, while POST is more hidden.

What does this mean?
This is the fun part.
Say you have a "vote" button that takes a user's username and hashed password as variables. You could use a POST request and GET request interchangeably.
Now say that you wanted the user to be able to bookmark the "vote" page directly so all they have to do is visit the page to vote. With POST they would have to click the button every time, whereas with GET all they would have to do was bookmark the page and visit it to vote. Why does that work? Because POST is hidden and GET is not.
If you didn't want them to be able to bookmark the page, then use POST.

What does it NOT mean?
"hidden" does not mean "secure" by any stretch of the imagination. GET and POST requests are both equally user-writeable.

Let's talk security:
When coding, assume that every single user who uses your script is a malicious hacker with lots of time, energy, and focus to spend on your script. You need to be even more diligent to keep them out. After the script is written and security is in place, then you can go back to your happy land where there is no evil.

The point is that when scripting and including security, assume that everything's out to get you. Yes, it makes you paranoid. Yes, being paranoid is a good thing. After all, the paranoid programmer will have fewer vulnerabilities and thus fewer successful attacks on the script.

Nothing is 100% secure. There is not a single program ever written in the history of the world, and never will be, that is 100% secure. Same thing with locks and any other types of security.

Do not "play" with hackers or think that you can outwit them. Do not think for a second that your script can't be hacked. Do not allow a hacker into your system farther than what you have caught them at if you catch them. You squash anything and everything that tries to get in immediately.

Security is dark and somewhat depressing. You have to let go of all faith in humanity and assume that everyone is this malicious, evil being spawned from Satan. I put a lot of emphasis on this because it needs it. When you're dealing with security, you do NOT play around.

On to the brighter side of things.

PHP -> MySQL -> PHP:
This is the easy part. All you have to do is make sure of two things:
1. Everything going into the database is sanitized to avoid SQL injection.
2. Passwords and private things are encrypted and not in plain text.

Please don't use MD5 and expect that to work. MD5 is great, but can be cracked - use something like an AES-standard Rijndael encryption with a double-hashed 100-character key and a CFB cipher mode on top of your MD5.

Flash -> PHP -> Flash:
This is the hard part. This is where I start getting into public keys and private keys (or at least something similar)

Data sent through HTTP requests are plaintext and can be picked up anywhere along the way by something like wireshark or ettercap. HTTPS is more secure, and those programs will just get a load of garbage coming in. Flash's URLLoader supports HTTPS.

If, however, you don't have access to 20 frieking bucks a month for HTTPS support, you devise your own little "load of garbage" like I did. I haven't yet figured out a "garbage collection" system for the public keys, but I think I have an idea on it.

It's actually quite simple once you get the basic concept down. The major thing to keep in mind is that you don't want people seeing what's being passed through. How do you do that? Via encryption!

I added a table to the database that stored public keys attached to an ID (encrypted by the private database key. Yeah. I don't play around.)
When someone connects to the DB for the first time, it will generate a new 10-to-15 character key. The key is just a random string of letters and numbers. After the key is in the database and the ID is pulled from it and any other stuff I want to run is done, I send the unencrypted key and ID to flash. This is the only dangerous part.
After that's done, all I have to do is encrypt all the variables I want to send in the client, send them along with the ID, and decrypt the variables server-side.

As for garbage collection, I think adding a "date and time last used" to each key would be a good idea. You could just tell the server to clear out anything older than x minutes (or x seconds, depending on the program and server load)

The tricky part with this is that the encryption used for the client -> server has to match EXACTLY, or else you'll just get a bunch of garbage.


egg82
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 08:51 AM

At 8/21/12 07:21 AM, egg82 wrote: use something like an AES-standard Rijndael encryption with a double-hashed 100-character key and a CFB cipher mode on top of your MD5.

use something like an AES-standard Rijndael 256-bit encryption with a double-hashed 100-character key and a CFB cipher mode on top of your MD5.

fixed.

CTR is also acceptable, but I'm not sure that PHP has support for that.

Why not just use ECB?
Meet Tux
Meet Tux's cousin, ECB Tux
Meet ECB Tux's siblings, every other cipher method out there

I'm looking into HMAC, but it doesn't seem that you actually need it with an AES-standard encryption. Correct me if I'm wrong.
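
The ECB pattern that the Tux images illustrate, and what an HMAC adds to a mode such as CTR (detecting ciphertext that was changed in transit), as an added example that is not part of the original post. The keys and the message are constructed, and it assumes PHP 7.4 or later with the OpenSSL extension.

```php
<?php
// Added example: constructed keys and message; needs PHP 7.4+ and ext-openssl.

/** Number of distinct 16-byte ciphertext blocks that occur more than once. */
function repeatedBlocks(string $ciphertext): int
{
    $counts = array_count_values(str_split($ciphertext, 16));
    return count(array_filter($counts, fn(int $n): bool => $n > 1));
}

/** Encrypt-then-MAC: AES-256-CTR, then HMAC-SHA256 over IV and ciphertext. */
function sealMessage(string $plaintext, string $encKey, string $macKey): string
{
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $tag;
}

/** Check the tag first; return the plaintext, or null if anything was altered. */
function openMessage(string $message, string $encKey, string $macKey): ?string
{
    // 16-byte IV + 32-byte tag + at least one byte of ciphertext
    if (strlen($message) <= 48) {
        return null;
    }
    $iv  = substr($message, 0, 16);
    $ct  = substr($message, 16, -32);
    $tag = substr($message, -32);
    // Constant-time comparison of the recomputed tag with the received one
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed input: the same 16-byte block four times.
$message = str_repeat('score=10&userId=', 4);
$encKey  = random_bytes(32);
$macKey  = random_bytes(32);

// ECB maps equal plaintext blocks to equal ciphertext blocks; CTR does not.
$ecb = openssl_encrypt($message, 'aes-256-ecb', $encKey, OPENSSL_RAW_DATA);
$ctr = openssl_encrypt($message, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, random_bytes(16));
printf("ECB repeated blocks: %d\n", repeatedBlocks($ecb));
printf("CTR repeated blocks: %d\n", repeatedBlocks($ctr));

// One bit of the ciphertext changed in transit.
$sealed       = sealMessage($message, $encKey, $macKey);
$tampered     = $sealed;
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);

var_dump(openMessage($sealed, $encKey, $macKey) === $message);
var_dump(openMessage($tampered, $encKey, $macKey));
```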


Diki
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 11:10 AM

At 8/21/12 02:48 AM, kaiser-d wrote: 1) php extracts data from mysql, converts to json
2) non-critical json passed to javascript, inserted into page elements via innerhtml
3) ??? flash needs to accept json and initialize things based on what is handed to it from php

So basically you just need to parse JSON with AS3?
The as3corelib has a JSON parser.

It also has a bunch of other useful things, so it would behoove you to start using it in your projects.

milchreis
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 11:23 AM

At 8/21/12 11:10 AM, Diki wrote: The as3corelib has a JSON parser.

FP 11 has native JSON

Diki
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 11:31 AM

At 8/21/12 11:23 AM, milchreis wrote: FP 11 has native JSON

Oh, well that's neat.
I haven't been keeping up with Flash Player's development. :)

egg82
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 11:54 AM

At 8/21/12 11:10 AM, Diki wrote: So basically you just need to parse JSON with AS3?
The as3corelib has a JSON parser.

It also has a bunch of other useful things, so it would behoove you to start using it in your projects.

Whoops, my intent wasn't to not give helpful advice (yay, double-negatives)

I meant to put some JSON stuff in there, but I forgot. My main point was that you can skip the whole JSON thing entirely.


23450
Response to JSON to swf and from swf to php? Aug. 21st, 2012 @ 11:58 AM

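Using POST instead of GET is easy enough with flash. Change the URLRequest method property to URLRequestMethod.POST. You then have a URLVariables object which you add your post variables to. Then set the data property of your URLRequest object to your URLVariables object. From there just use the regular old URLLoader to send the request. Code looks something like this:

import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.net.URLLoader;
import flash.net.URLLoaderDataFormat;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;

var score:int = 10;
var userId:String = "gfd8734j93kdsdf";

// An absolute URL needs its scheme; without one Flash treats it as a relative path.
var request:URLRequest = new URLRequest("http://www.postSite.com/postAction.php");
request.method = URLRequestMethod.POST;

// These become $_POST["score"] and $_POST["userId"] on the PHP side.
var variables:URLVariables = new URLVariables();
variables.score = score;
variables.userId = userId;
request.data = variables;

// Create the loader without a request so the listeners are attached before the single load() call.
var loader:URLLoader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.TEXT;
loader.addEventListener(Event.COMPLETE, onComplete);
loader.addEventListener(IOErrorEvent.IO_ERROR, onFail);
loader.load(request);

function onComplete(e:Event):void { trace(URLLoader(e.target).data); }
function onFail(e:IOErrorEvent):void { trace("request failed: " + e.text); }

In this example, score and userId are the post variables retrieved with $_POST["score"] and $_POST["userId"].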
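
A server-side counterpart to the request above, as an added example that is not part of the original post: it treats score and userId as untrusted client input, as milchreis and egg82 point out earlier in the thread, and writes them with a prepared statement. The scores table, the MAX_SCORE limit, the userId format and the session binding are assumptions; it uses in-memory SQLite through PDO so that it runs offline.

```php
<?php
// Added example; table, limits and id format are assumptions, not from the thread.

const MAX_SCORE = 1000;  // assumed highest score a real round can produce

/** Validate the POSTed fields; returns [int score, string userId] or throws. */
function validateSubmission(array $post, string $sessionUserId): array
{
    // Rejects non-integers such as "10abc" and anything outside 0..MAX_SCORE.
    $score = filter_var($post['score'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => MAX_SCORE]]);
    if ($score === false) {
        throw new InvalidArgumentException('score rejected');
    }
    $userId = $post['userId'] ?? '';
    if (!is_string($userId) || !preg_match('/\A[a-z0-9]{8,32}\z/', $userId)) {
        throw new InvalidArgumentException('userId rejected');
    }
    // The client only echoes the id; the server decides who is logged in.
    if (!hash_equals($sessionUserId, $userId)) {
        throw new InvalidArgumentException('userId does not match session');
    }
    return [$score, $userId];
}

/** Store the result with bound parameters, never by string concatenation. */
function saveScore(PDO $db, int $score, string $userId): void
{
    $stmt = $db->prepare('INSERT INTO scores (user_id, score) VALUES (:u, :s)');
    $stmt->execute([':u' => $userId, ':s' => $score]);
}

// In-memory database so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE scores (user_id TEXT NOT NULL, score INTEGER NOT NULL)');

$sessionUserId = 'gfd8734j93kdsdf';   // in a real handler: taken from $_SESSION

// Constructed requests standing in for $_POST.
$requests = [
    ['score' => '10',     'userId' => 'gfd8734j93kdsdf'],
    ['score' => '999999', 'userId' => 'gfd8734j93kdsdf'],
    ['score' => '10abc',  'userId' => 'gfd8734j93kdsdf'],
    ['score' => '10',     'userId' => "gfd8734j93kds'f"],
    ['score' => '10',     'userId' => 'someoneelse0001'],
];

foreach ($requests as $post) {
    try {
        [$score, $userId] = validateSubmission($post, $sessionUserId);
        saveScore($db, $score, $userId);
        echo "stored: {$score} for {$userId}\n";
    } catch (InvalidArgumentException $e) {
        echo 'refused: ' . $e->getMessage() . "\n";
    }
}

echo 'rows in table: ' . $db->query('SELECT COUNT(*) FROM scores')->fetchColumn() . "\n";
```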


kaiser-d
Response to JSON to swf and from swf to php? Aug. 22nd, 2012 @ 02:16 AM

At 8/21/12 07:21 AM, egg82 wrote: Let's talk security:
The point is that when scripting and including security, assume that everything's out to get you. Yes, it makes you paranoid. Yes, being paranoid is a good thing. After all, the paranoid programmer will have fewer vulnerabilities and thus fewer successful attacks on the script.

You are certainly correct about that. Part of doing this is not leaving too incredibly much info about your standard coding structure floating around. 90% of hacking is social engineering and info research. The more a hacker knows about you personally and your habits, the more likely they are to crack your system. Therefore when asking technical questions it is usually worthwhile to omit any information that is not directly relevant to the question at hand. Please note that I am partially breaking this rule by giving you this response.

At 8/21/12 07:21 AM, egg82 wrote: PHP -> MySQL -> PHP:
This is the easy part. All you have to do is make sure of two things:
1. Everything going into the database is sanitized to avoid SQL injection.
2. Passwords and private things are encrypted and not in plain text.

I was aware of that. I use stripslashes and real escape string already on every piece of user submitted data transferred to the database, and generally rebuild the string if necessary when extracting it if special characters were required for its purpose. I generally try not to allow as many means of escaping characters from being submitted at all as I can realistically prevent, however there are so many variants that you are never going to catch all of them.

At 8/21/12 07:21 AM, egg82 wrote: Please don't use MD5 and expect that to work. MD5 is great, but can be cracked - use something like an AES-standard Rijndael encryption with a double-hashed 100-character key and a CFB cipher mode on top of your MD5.

I usually use blowfish encryption. Is Rijmdael more secure? Regardless of encryption, passwords should always be at least 16 character alphanumeric strings with symbols and caps that do not represent words which can be decoded by dictionary attacks. 1337sp34k does not prevent dictionary attacks, use random strings and save your passwords in a safe place as an image file (passworded if possible), because text characters from images are very unlikely to be read by non-human means. Typically I only use md5 for checksums.

At 8/21/12 07:21 AM, egg82 wrote: Data sent through HTTP requests are plaintext and can be picked up anywhere along the way by something like wireshark or ettercap. HTTPS is more secure, and those programs will just get a load of garbage coming in. Flash's URLLoader supports HTTPS.

My host provides free SSL certificates for my primary domain. I was not aware that URLLoader supported https though.

At 8/21/12 07:21 AM, egg82 wrote: I added a table to the database that stored public keys attached to an ID (encrypted by the private database key. Yeah. I don't play around.)
When someone connects to the DB for the first time, it will generate a new 10-to-15 character key. The key is just a random string of letters and numbers. After the key is in the database and the ID is pulled from it and any other stuff I want to run is done, I send the unencrypted key and ID to flash. This is the only dangerous part.
After that's done, all I have to do is encrypt all the variables I want to send in the client, send them along with the ID, and decrypt the variables server-side.

You can also specify as InnoDB and create a relational table structure as added security. If your tables are controlled by a strict series of cascading indexes it makes it very hard to inject malicious queries. Doing sql injection is really a lot of feeling in the dark, and the more tightly defined your data needs to be to be accepted by the database, the less likely you are to have successful injection attacks waged against you. Get a (trustworthy) friend who knows sql well to do some penetration testing against your sites to make sure they are secure. You should not do this yourself if you are the one who created the table structure, as you will have a user bias, and also inherent knowledge as to the table structure and your test results will be skewed.

Thank you for taking such an interest in explaining all of this, but I do know most of the php / mysql stuff already, as stated. You did make a few points I had not thought of and I appreciate the time you put into your post. I have been doing web development and server/database administration for quite some time now however, and I omitted most of those details because they were not relevant to the question I had asked. In the specific project I am working on data needs to be passed to about 15 page elements, only two of which are swfs. There are also a number of ajax functions that pull various details and update them at regular intervals. This data is not critical, is not resubmitted to the database, and is calculated mathematically serverside, so altering it would have little effect. The details returned from flash are only a boolean value that shows they have successfully completed the task and a character identifier. Hacking either of these values, though technically possible, would have really no valuable impact for the player and would return an error when passed to the following step. I have a Perl script that accepts the boolean value, assigns the correct results and updates the database based on the result; none of this can be affected by the player to the best of my knowledge. Now that I think about it, it probably would be possible to hack the data sent to apply it to the wrong character, so if someone wanted to set up a zombie network they could assign way too many successful instances to a single character. That is something to consider, but it is outside the scope of this discussion and really going way out on a tangent.


kaiser-d
Response to JSON to swf and from swf to php? Aug. 22nd, 2012 @ 03:09 AM

At 8/21/12 11:58 AM, 23450 wrote: In this example, score and userId are the post variables retrieved with $_POST["score"] and $_POST["userId"].

Thank you, that is exactly what I was looking for.


kaiser-d
Response to JSON to swf and from swf to php? Aug. 22nd, 2012 @ 03:12 AM

At 8/21/12 11:10 AM, Diki wrote: The as3corelib has a JSON parser.
It also has a bunch of other useful things, so it would behoove you to start using it in your projects.

I'll look into that too, thanks.


egg82
Response to JSON to swf and from swf to php? Aug. 22nd, 2012 @ 04:44 AM

At 8/22/12 02:16 AM, kaiser-d wrote: I usually use blowfish encryption. Is Rijmdael more secure?

Rijndael*
The AES-standard (which PHP uses) was crowned the most secure encryption method at one point in time. I may be wrong, but I believe it still holds that title today.

Also, 10-15 is okay for a temporary public key that's being used to defeat packet sniffers. Hell, you could probably get away with 8 (takes about 5 years to crack with random letters, numbers, and special characters). More than 15 and you're just wasting resources.

