Flash>PHP>MySQL security
bape
October 3rd, 2004, 02:12 PM
Hi there, I'm trying to figure out what types of security are needed / or can be applied in a Flash>PHP>MySQL project. Could you guys help me out with this? I'm kinda confused. Here's what I'm dealing with:
MD5: found an encryption .AS and it seems to work, but PHP has this built in. My question: which should I use, the PHP or the Flash version, and why?
Regular expressions: not sure if this is the term, but what I mean is that you don't allow certain characters like " ' < > $ etc. when storing in the database. How could you best protect against this, via Flash or PHP?
And what characters could cause problems?
(I can imagine if someone knows what PHP file is used, and the security is all in Flash, you still have a problem.)
What other types of security could you recommend?
Hope somebody can help me with this. Thanks
CyanBlue
October 3rd, 2004, 02:54 PM
Howdy... :)
I don't know much about the MD5 and whatnots, but I think you should implement it in Flash and send out an encrypted string to PHP so that PHP can decrypt it before saving the data to the database...
As for those symbols... I think you can use this...
htmlentities(urlencode($_POST['yourContentFromFlash']))
JustJeff
October 3rd, 2004, 03:26 PM
First, MD5 is a hashing function, not a reversible encryption. If you need to decrypt it later, you don't want to be using MD5. The standard use of MD5 is to hash a string, for verification later. That is:
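$cleartextpassword = "test";
// Keep only the MD5 hash of the password for later verification
$encryptedpassword = md5($cleartextpassword);
$newpassword = $_POST['passwd'];
// Hash the submitted password and compare strictly (===), so the two
// hex strings are never compared as numbers
if (md5($newpassword) === $encryptedpassword) {
    // Authorization successful
}
else {
    // Authorization failed
}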
You can't ever decrypt the string, but you can compare other strings to it to see if they're the same...
As for cleaning out strings for database use, the PHP function mysql_escape_string() does exactly what you want.
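The two points above (hash, then compare; make input safe for the database), worked through on the server side as an added example that is not part of the original posts. It assumes PHP 7+ with the PDO SQLite driver, uses an in-memory SQLite database as a stand-in for MySQL, and swaps in two different techniques from the ones named in the thread: password_hash()/password_verify() instead of bare md5(), and bound parameters instead of mysql_escape_string(). The table, column and account names are made up for illustration.

```php
<?php
// Added example. Everything runs in the PHP file, because that file can be
// requested directly without the Flash client ever being involved.

$db = new PDO('sqlite::memory:');   // assumption: SQLite stands in for MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Registration: only a salted one-way hash of the password is stored.
function register(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: the name travels as a bound parameter, never as part of the SQL text.
function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    return $hash !== false && password_verify($password, $hash);
}

// Small reporter so the script states its own results when run.
function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Constructed sample input containing the characters asked about: " ' < > $
$name = 'O\'Brien "<b>" $x';
register($db, $name, 'test');

// Reading the value back needs no conversion: the stored string is the input.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
check($stored === $name, 'name is stored and returned unchanged');

check(login($db, $name, 'test'), 'correct password is accepted');
check(!login($db, $name, 'wrong'), 'wrong password is rejected');
check(!login($db, "' OR '1'='1", 'test'), 'quote characters in the name stay data');
```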
CyanBlue
October 3rd, 2004, 04:09 PM
Got it... Thank you very much, JustJeff, for the information... :)
bape
October 4th, 2004, 05:21 AM
Ok, so the mysql_escape_string puts the string in a format that can be stored or used in MySQL, right? .. But when you get it out, do you have to convert it back?
Also one question still remains: should I use MD5 in Flash or on the server side?
And what characters normally cause problems in PHP/MySQL.. I understand the function you gave fixes this, but I want to know just for documentation.
Thanks
bape
October 12th, 2004, 07:06 AM
Ok, new question: how do I prevent people from accessing my PHP files, so they can't use the PHP file if it isn't called from MY Flash file/website?
CyanBlue
October 12th, 2004, 08:28 AM
Howdy... :)
Why don't you check the domain name of the call to verify if they are coming from the same domain??? Or, have Flash pass some secret value that you only can know???
bape
October 12th, 2004, 08:52 AM
^^ Haha, yes, that's what I'm saying. How do I check what domain it's sent from?
CyanBlue
October 12th, 2004, 11:55 AM
I think the easiest way of doing it would be using the server variable, $_SERVER... Check out the PHP manual for it for more information but this would be something like this...
<?php
echo("\$_SERVER['SERVER_NAME'] = " . $_SERVER['SERVER_NAME']);
?>
http://cyanblue.flashvacuum.com/svr.php
There's gotta be a million ways to do this... :)