Flash and Databases
greenkube
Has anyone here had experience with Flash and Database interaction? If so, how did it turn out? What did you use (PHP, .net...)? And what DB (MySQL, Oracle, MSSQL...)?
I ask this because from what I have read it's a bit of a pain, but I would like to know if it's worth the trouble from someone who has tried it. I am thinking about adding database functionality to my site: GreenKube
Jessii
It's worth it if you want to do high scores or save user's stats like say, http://www.afro-ninja.com with the high scores tables. And yes, you would need PHP, MySQL and XML.
DFox
I use a LOT of Flash/PHP/database interaction.
My server side language is PHP, and my database is MySQL, and my card is American Express (I had to do that).
Anyway, I recently had a Flash game that was triggering a PHP script about 30 times per second, and it still ran smoothly. As long as you have a decent server, it should be fine for a good amount of users.
If you think there's any chance of your Flash calling the PHP script 30 times per second or so, a virtual dedicated server would probably suit you much better.
greenkube
Thanks for your replies, I really appreciate it. I am not really looking for anything keeping stats for a game, but leaning more towards user accounts, BBS', possible dynamic user profiles or something of that nature. So one of my biggest concerns is security? I actually emailed Tom about this a while back, and he replied saying that security is the biggest problem with Flash Database interaction, but I was not really sure where the security fault lies. Anyone have any ideas? I wouldn't think it would be any less secure than PHP or .net, given your programming practices are secure in themselves.
authorblues
At 11/7/06 10:58 PM, greenkube wrote: Anyone have any ideas? I wouldn't think it would be any less secure than PHP or .net, given your programming practices are secure in themselves.
the danger comes from the fact that you can decompile the swf, find out where the data is coming from, going to, and how to format your data. it's all sent with get/post headers, so they can be easily faked. it's very difficult to be secure, since there is no REAL way to ensure that the data coming to the PHP file is INDEED from the swf.
and to jessii... you don't need XML. the simplest form of swf->php->mysql interaction requires knowledge of ONLY those things.
DFox
At 11/7/06 10:58 PM, greenkube wrote: Anyone have any ideas? I wouldn't think it would be any less secure than PHP or .net, given your programming practices are secure in themselves.
OK, let me explain. The only time security becomes a factor when communicating between Flash and a server side language like PHP or ASP.NET is when you are sending information, such as scores, between Flash and the server. The reason is .swfs can be decompiled and anyone can just send data that wasn't generated by your Flash to the server, and the server doesn't know the difference. So, if you were doing high scores, if I get the URL you are posting to, I could just post a fake value to that URL.
With user profiles, there should not be any security problems. The reason is that the server does all the work, and you're just using Flash to show it, so no false data can be sent to the server.
Security risk with Flash and PHP only occurs when the data being sent by Flash to the server should only be able to be produced by performing a specific task in the Flash, being that the data can be transmitted by bypassing the Flash file and going straight to the server.
greenkube
With user profiles, there should not be any security problems. The reason is that the server does all the work, and you're just using Flash to show it, so no false data can be sent to the server.
Security risk with Flash and PHP only occurs when the data being sent by Flash to the server should only be able to be produced by performing a specific task in the Flash, being that the data can be transmitted by bypassing the Flash file and going straight to the server.
So essentially if I created a Flash based create user section, it wouldn't matter security wise due to the fact that creating an account is accessible to everyone, but retrieving data can only be done through the correct credentials which only a valid user can provide so the server returned data is all good. But unless you check the credentials for every data pull, wouldn't you still be able to hack it with a decompiled Flash?
DFox
At 11/7/06 11:07 PM, greenkube wrote: So essentially if I created a Flash based create user section, it wouldn't matter security wise due to the fact that creating an account is accessible to everyone, but retrieving data can only be done through the correct credentials which only a valid user can provide so the server returned data is all good. But unless you check the credentials for every data pull, wouldn't you still be able to hack it with a decompiled Flash?
Right. You would probably want to check data every time the server is contacted by the Flash, but that's really easy and shouldn't be a problem.
greenkube
At 11/7/06 11:11 PM, DFox wrote:
At 11/7/06 11:07 PM, greenkube wrote: So essentially if I created a Flash based create user section, it wouldn't matter security wise due to the fact that creating an account is accessible to everyone, but retrieving data can only be done through the correct credentials which only a valid user can provide so the server returned data is all good. But unless you check the credentials for every data pull, wouldn't you still be able to hack it with a decompiled Flash?
Right. You would probably want to check data every time the server is contacted by the Flash, but that's really easy and shouldn't be a problem.
True, it's just one more thing to check if I ever get into a complicated query, but all of this has been very helpful. I think I will go ahead and try to make something out of my site using php. Thank you so much for your help.
henke37
I want to highlight that even if the flash part is safe, the php part may have any normal php security flaw, like xss or sql injection vulnerabilities.
And in case you did not realise, the sessions in php can still be used, after all, for php flash is merely a form.
And if you are doing realtime communication, http is the wrong protocol, since it is request based, not realtime.
Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.
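The points made in this exchange, as an added example that is not from any poster in the thread: the server checks the session on every request from the Flash client, picks the row from the session rather than from a posted id, and binds parameters instead of building SQL strings. The table layout, the sample users and the function names login and fetchProfile are assumptions; an in-memory SQLite database and a plain array stand in for MySQL and $_SESSION so it runs offline.

```php
<?php
// Added example. Schema, sample users and function names are constructed for illustration.
// In-memory SQLite stands in for MySQL and $session for $_SESSION so this runs from the CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass_hash TEXT, bio TEXT)');
$ins = $db->prepare('INSERT INTO users (name, pass_hash, bio) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Flash animator']);
$ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 'PHP tinkerer']);

// Login handler: to PHP, the variables Flash POSTs look exactly like a submitted HTML form.
function login(PDO $db, array $post, array &$session): bool
{
    // Bound parameter: the posted name is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $stmt->execute([(string)($post['name'] ?? '')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify((string)($post['pass'] ?? ''), $row['pass_hash'])) {
        return false;
    }
    $session['uid'] = (int)$row['id']; // with real sessions, call session_regenerate_id(true) here
    return true;
}

// Profile handler: runs the credential check on every data pull, not only at login.
function fetchProfile(PDO $db, array $post, array $session): string
{
    if (!isset($session['uid'])) {
        return 'error=not_logged_in';
    }
    // The row is chosen by the server-side session, never by a uid the client posted.
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE id = ?');
    $stmt->execute([$session['uid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // URL-encoded name=value pairs, the format Flash's LoadVars parses.
    return $row ? http_build_query($row) : 'error=no_such_user';
}

$session = [];
// A request sent straight to the script without logging in is refused.
echo fetchProfile($db, ['uid' => '2'], $session), "\n";
// A quote-laden name is treated as data by the prepared statement, so login fails.
var_dump(login($db, ['name' => "alice' OR '1'='1", 'pass' => 'x'], $session));
// After a real login, a posted uid for another account is ignored.
var_dump(login($db, ['name' => 'alice', 'pass' => 'correct horse'], $session));
echo fetchProfile($db, ['uid' => '2'], $session), "\n";
```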
Afro-Ninja
As jess mentioned I use flash/php to do my highscores tables. The data is encrypted inside of flash and sent to the server, where it is decrypted php side with a key. The key is in flash as well but the flash file itself is encrypted with swfencrypt, which obfuscates all the variables and coding anyway.
I'm sure it's possible to reverse it, but it'd be damn hard. But you only need that kinda security for a highscores table, otherwise people can capture the packets with a sniffer and change them to whatever they want. If you're just sending user data it shouldn't be a problem...
greenkube
At 11/8/06 02:59 AM, Afro-Ninja wrote: As jess mentioned I use flash/php to do my highscores tables. The data is encrypted inside of flash and sent to the server, where it is decrypted php side with a key. The key is in flash as well but the flash file itself is encrypted with swfencrypt, which obfuscates all the variables and coding anyway.
I'm sure it's possible to reverse it, but it'd be damn hard. But you only need that kinda security for a highscores table, otherwise people can capture the packets with a sniffer and change them to whatever they want. If you're just sending user data it shouldn't be a problem...
But based on that, wouldn't I need to encrypt items like passwords before flash sent data to the server, otherwise these passwords could be picked up by a sniffer?
Afro-Ninja
At 11/8/06 10:08 AM, greenkube wrote: But based on that, wouldn't I need to encrypt items like passwords before flash sent data to the server, otherwise these passwords could be picked up by a sniffer?
Yes, a sniffer could pick them up but the only sniffer that could get it would be a sniffer on the user's own computer, and they already know their own password. Someone would either have to find some way to break into your server and install some kind of incoming packet sniffer or place one on another user's computer. And that's their own fault.
greenkube
Yes, a sniffer could pick them up but the only sniffer that could get it would be a sniffer on the user's own computer, and they already know their own password. Someone would either have to find some way to break into your server and install some kind of incoming packet sniffer or place one on another user's computer. And that's their own fault.
Ok that makes more sense. Well then my mission is clear. I am going to try and set up a simple login system, maybe have news or simple profiles for users and go from there. Thank you very much for all of your help.
henke37
Worried about sniffing? Use ssl encrypted http connections.



