exit php if (!$_POST['varX'])
3pepe3
07-27-2007, 01:07 AM
Hello world:
I have a quick question.
To protect some PHP file I'm sending a variable from Flash to PHP, and yes, I can exit the script if there is no variable sent.
<?php
// Stop here if the expected POST variable was not sent (or is empty)
if (empty($_POST['jaja'])) {
    echo "hello world...";
    exit;
}
//bleble blabla;
?>
But I think that it's not the best way to do this... it looks so easy to hack... am I right?
Flash Gordon
07-27-2007, 01:39 AM
Security is not the same as hiding things, nor is it the same as the illusion of security.
If you are trying to secure something, then make someone log in. Otherwise, it is kind of pointless.
CyanBlue
07-27-2007, 01:49 AM
Well... Yes and no...
Yes, it will be harder to crack that routine if I don't know what the SWF is sending out to PHP especially when I don't know of your logic in PHP that decides whether it is right access or not...
But if I decompile the SWF and sniff the traffic to the server, I'll probably notice that you programmed it so that the SWF will send out the jaja variable, and I'll probably add the same variable when I try out the PHP script to see if I can hack it... So, it is a sorta obvious one you have right there even if I don't know your PHP logic... Know what I mean???
The culprit of all this is that anybody with the right tool can see what your ActionScript is and what variables you are sending to the server, and it is not that easy a thing to deal with when you are exposed that much...
3pepe3
07-27-2007, 02:16 AM
mmmmmmmhhhh... I also think that this is pointless, but now I have a crazy client that wants everything secured... And I'm not a security master.
So now what I think is that something like this would work to stop all the small hackers:
var result_lv:LoadVars = new LoadVars();
result_lv.onLoad = function(success:Boolean) {
    if (success) {
        // test1.php answered with &newPath=...&; use it for the second request
        _newPath = result_lv.newPath;
        loadingInfo(_newPath);
    } else {
        getURL(result_lv.newPath, "_self");
    }
};
var send_lv:LoadVars = new LoadVars();
send_lv.jaja = "pepe";
send_lv.sendAndLoad("test1.php", result_lv, "POST");

function loadingInfo(what) {
    var result_lv:LoadVars = new LoadVars();
    result_lv.onLoad = function(success:Boolean) {
        if (success) {
            obj = result_lv.aNewXMLwillReturnAndCreatedOnTheFly;
        }
    };
    var send_lv:LoadVars = new LoadVars();
    send_lv.theNewVar = what;
    send_lv.sendAndLoad(what + ".php", result_lv, "POST");
}
and test1.php
<?php
// Read the submitted password without triggering an undefined-index notice
$ppp = isset($_POST["pass"]) ? $_POST["pass"] : "";
$qqq = "this is the password";
if ($qqq === $ppp) {
    echo "&newPath=somefolder/other&";
} else {
    echo "&newPath=http://www.yahoo.com/&";
}
?>
Then, if the password is OK, test2.php will run.
<?php
// Stop here if the expected POST variable was not sent (or is empty)
if (empty($_POST['theNewVar'])) {
    echo "hello world...";
    exit;
}
//and this creates an XML file also depending on the 'theNewVar';
?>
But if someone decompiles the SWF he can see which PHP files I'm calling, so he can download all the PHPs and steal all the information...
So I think that the problem is more in the way the user logs in...
Maybe I can prevent the PHP download if I change the file properties to 111, but I'm not sure if the PHP will run (and it looks like now I have some problems with my FTP program and I can't change the properties to test this).
CyanBlue
07-27-2007, 02:26 AM
Well... You cannot download the PHP from the web server unless you have the server wide open without installing the PHP... and what you have will be providing you bare minimal security for what your client is asking for... ;)
3pepe3
07-27-2007, 02:26 AM
Well... Yes and no...
Know what I mean???
...
Yes, I understand, and that's why I know that I'm wrong. Decompiling the SWF will give full access to the PHPs and passwords.
The first PHP is easy to hack, but the second PHP creates some XML files that will be harder to get... I really don't care if the user has access to the secured sections if they see the information inside the SWF, but what I don't want to show is the XML files created and returned from the PHP.
For example, now this PHP is set up to run only in the SWF... free access, but not in the browser:
http://www.pepemagana.com/prueba/trial/test1.php
Also, if you download the PHP you will not get the XML path (I think).
3pepe3
07-27-2007, 02:30 AM
Well... You cannot download the PHP from the web server unless you have the server wide open without installing the PHP... and what you have will be providing you bare minimal security for what your client is asking for... ;)
We can download all the PHP with tools like GetRight. Right?
Installing the script will prevent this?
Also, my theory is to change the file properties to 111 or 311...
Flash Gordon
07-27-2007, 05:42 AM
What are you trying to secure?
If I need something secure I always use cookies. Securing an SWF is rather pointless because it can be downloaded and decompiled. I leave those (fairly) open in my admin panels, but nothing happens backend unless the cookie is set. And the cookie doesn't get set without user/pass.
CyanBlue
07-27-2007, 02:07 PM
I am somewhat confused, but I don't think you can download the PHP file with the download agent like getRight... You can use such program and what it will do is to get the HTML output from the PHP file and save it as PHP file... Can you test and verify it for me??? ;)
3pepe3
07-29-2007, 04:58 AM
what are you trying to secure?
If I need something secure I always use cookies. Securing an swf is rather pointless because it can be downloaded and decompiled. I leave those (fairly) open in my admin panels, but nothing happens backend unless the cookie is set. And the cookie doesn't get set without user/pass.
FG... it looks like my level of knowledge is kind of low, and cookies and other ways to log in are unknown subjects.
Now what I'm trying to secure are images and videos. I know that I can't prevent printing the screen, but at least the high resolution images can't be found.
The client asked me to build a form to request access to 'secured portfolios'; then, when the request has been posted, the company will receive the mail and the user will automatically receive the password to access.
The password will be input in the SWF; this SWF will pass it to PHP, then the PHP will return more information; this new information will be passed to another PHP that will create some XML files, and this PHP will return a temporary XML string that will be the location of the temporarily created XML files.
Maybe it's not the best way to solve the security issue, but for now it's what I can do.
I am somewhat confused, but I don't think you can download the PHP file with the download agent like getRight... You can use such program and what it will do is to get the HTML output from the PHP file and save it as PHP file... Can you test and verify it for me??? ;)
OK, now I have been testing and PHP files can't be downloaded... I can't remember who told me that.
____
Now at least, even if I decompile the SWF, I will not be able to catch the final information. Maybe with some kind of PHP injection I would be able to get it all, but that's another subject that I still don't understand very well.
I showed the secured version to my client and I explained to him all the points (bad and good) and he is satisfied.
So I think that for this time this method will be OK, but I know I need to learn another, more secure way to solve this.
Thanks
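Worked example, added here and not code from the thread or from any of its posters: one PHP endpoint that applies what Flash Gordon describes (the back end does nothing unless a session set by a real login exists) to the flow 3pepe3 describes (password, then the portfolio XML, then the image files). The access check is the session, not a variable the SWF carries, so decompiling the SWF reveals only the endpoint, which a visitor without a login cannot use. Assumes PHP 5.5 or later for password_hash()/password_verify(); the account, the portfolio names, the file paths under /srv/private and the action names are placeholders.

```php
<?php
// Added example, not code from the thread. Placeholder account, portfolio names
// and file paths; assumes PHP >= 5.5 (password_hash / password_verify).

session_start();

// Only a hash is kept on the server. It is computed here so the demo is
// self-contained; in practice password_hash() runs once when the account is
// created and the resulting hash is stored.
$USERS = array(
    'client' => password_hash('this is the password', PASSWORD_DEFAULT),
);

// Files live outside the web root (placeholder paths). The SWF asks by portfolio
// name and image id; both are looked up here, never used to build a path.
$PORTFOLIOS = array(
    'spring2007' => array(
        '01' => '/srv/private/portfolios/spring2007/01.jpg',
        '02' => '/srv/private/portfolios/spring2007/02.jpg',
    ),
);

// Encode a reply in the &name=value& format LoadVars parses (the same shape the
// thread's test1.php returns).
function loadvars(array $pairs) {
    $out = '';
    foreach ($pairs as $k => $v) {
        $out .= '&' . rawurlencode($k) . '=' . rawurlencode($v);
    }
    return $out . '&';
}

// Step 1: the SWF POSTs action=login&user=...&pass=... . On success the proof of
// login is the session cookie held by the browser; the SWF carries no secret.
function handle_login(array $post, array $users) {
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        usleep(250000); // make guessing a little slower
        return loadvars(array('error' => 'bad login'));
    }
    session_regenerate_id(true); // fresh session id after the privilege change
    $_SESSION['user'] = $user;
    return loadvars(array('newPath' => 'portfolio'));
}

// Step 2: every later request is gated on the session. Same early exit as the
// thread's scripts, but on a condition the client cannot fake.
function require_login() {
    if (empty($_SESSION['user'])) {
        header('HTTP/1.1 403 Forbidden');
        echo loadvars(array('error' => 'login required'));
        exit;
    }
}

// Step 3: the XML is built in memory and returned, so no temporary file with a
// guessable name is ever written under the web root.
function portfolio_xml($name, array $portfolios) {
    if (!isset($portfolios[$name])) {
        return null;
    }
    $xml = '<?xml version="1.0"?><portfolio name="' . htmlspecialchars($name, ENT_QUOTES) . '">';
    foreach (array_keys($portfolios[$name]) as $id) {
        $xml .= '<image id="' . htmlspecialchars($id, ENT_QUOTES) . '"/>';
    }
    return $xml . '</portfolio>';
}

$action = isset($_POST['action']) ? $_POST['action'] : '';
if ($action === 'login') {
    echo handle_login($_POST, $USERS);
} elseif ($action === 'portfolio') {
    require_login();
    $xml = portfolio_xml(isset($_POST['name']) ? $_POST['name'] : '', $PORTFOLIOS);
    if ($xml === null) {
        echo loadvars(array('error' => 'unknown portfolio'));
    } else {
        header('Content-Type: text/xml');
        echo $xml;
    }
} elseif ($action === 'image') {
    // Step 4: the high-resolution bytes go through the same gate, so they are
    // only reachable by a logged-in session, never by a guessed URL.
    require_login();
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $id   = isset($_POST['id']) ? $_POST['id'] : '';
    if (!isset($PORTFOLIOS[$name][$id])) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    header('Content-Type: image/jpeg');
    readfile($PORTFOLIOS[$name][$id]);
} else {
    echo loadvars(array('error' => 'unknown action'));
}
```

When the SWF is embedded in a page on the same host, Flash Player sends that host's cookies with LoadVars requests, so the session cookie set by the login rides along with the later portfolio and image requests without any ActionScript changes. Loading the image with loadMovie or MovieClipLoader issues a GET, so in that case the image branch would read its parameters from $_GET instead of $_POST.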
Flash Gordon
07-29-2007, 08:27 AM
I know that I can't prevent from printing the screen but ....
Not true: http://actionscript.org/forums/showthread.php3?t=78516&highlight=prevent+screen+print
3pepe3
07-29-2007, 07:40 PM
Wow.... thanks... that's perfect :D