I have a SWF which loads a PHP script. The PHP script then passes data back as XML to the SWF. The problem here, however, is that if someone decompiles my SWF, he can get the URLs to the PHP scripts. This results in him being able to run the script and get the XML output.
Now, I have worked out a couple of solutions to this problem:
1. Make Flash pass an extra variable to the script to determine that the call is from Flash. Problem: by decompiling and looking through the code in the SWF, the user can find out the extra parameter and pass it to the script.
2. Use the referer variable and determine if the referer is the SWF. Problem: There might be users with security software that blocks the referer, thus the script will not work on their system.
3. Use sessions and check if a session exists when executing the script. Problem: Not entirely sure about this, but if a user decompiles the SWF, then he can find the URL to the script that sets the session. He then sets a session before executing the script which passes the XML data back.
Any better solutions or input appreciated.
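
The three checks from the numbered list, written as server-side PHP gates and run over constructed requests. This is an added example, not part of the original post; the key value, the movie URL, the `k` parameter and the `user_id` session entry are assumptions, and the session gate assumes the server writes `user_id` only after a credential check.

```php
<?php
// Added example. FLASH_KEY, MOVIE_URL, the "k" parameter and the "user_id"
// session entry are hypothetical names; the requests below are constructed.
const FLASH_KEY = 'constructed-value-compiled-into-the-swf';
const MOVIE_URL = 'https://example.test/player.swf';

// Option 1: extra variable. The expected value ships inside the SWF.
function gate_extra_param(array $query): bool {
    return isset($query['k']) && hash_equals(FLASH_KEY, (string) $query['k']);
}

// Option 2: Referer. Depends on a header the client sends, which may be absent.
function gate_referer(array $server): bool {
    return ($server['HTTP_REFERER'] ?? '') === MOVIE_URL;
}

// Option 3: session. Passes only when the server wrote user_id into the
// session, which here is assumed to happen after a credential check.
function gate_session(array $session): bool {
    return isset($session['user_id']) && is_int($session['user_id']);
}

function evaluate(array $req): array {
    return [
        'param'   => gate_extra_param($req['query']),
        'referer' => gate_referer($req['server']),
        'session' => gate_session($req['session']),
    ];
}

$requests = [
    'SWF, logged in, Referer stripped by security software' => [
        'query' => ['k' => FLASH_KEY], 'server' => [], 'session' => ['user_id' => 42],
    ],
    'script URL requested directly with the known parameter, no login' => [
        'query' => ['k' => FLASH_KEY], 'server' => [], 'session' => [],
    ],
];

foreach ($requests as $label => $req) {
    $cells = [];
    foreach (evaluate($req) as $gate => $ok) {
        $cells[] = $gate . '=' . ($ok ? 'pass' : 'fail');
    }
    echo $label, ': ', implode(' ', $cells), PHP_EOL;
}
```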