SWF/PHP security
someone
07-29-2007, 12:29 PM
Hi guys.
I'm having problems with some dumb user who created a dumb program after decompiling my flash banner and accessing the php files that contain useful information.
I have 1 site which claims the swf from another one, and this second site contains the php files. These php files are only stats and things like that, but the user does a massive refreshing and it ****s up the second server (when the program is used by a large amount of people).
Wanted to ask if there's some way to retrieve data from the swf into the php file so I could identify it as the original swf file and not another one and then I could only show the information if it is the original one.
I'm lost :eek:
Thanks in advance.
evride
07-29-2007, 04:07 PM
I think you should use _root._url to check if the movie is loaded from your site. I haven't tested it but I think it will work. Then edit the php scripts so that the value of _root._url is sent to it by POST before sending the data back to the swf. Or you can just block his IP.
sneakyimp
07-29-2007, 07:51 PM
Sounds to me like the problem he's having is that he wants his PHP pages to ONLY serve up data to his own swf files. The PHP files have no access to the _root._url property of any SWF file that may come asking for data. In fact, they must rely on the SWF file to report information about itself.
I am not sure either approach would work, but I can think of a couple:
1) Remodel your SWF file on the first site to request NOT a php file but instead an SWF file from your second site. Delegate the task of querying your php files to this 2nd flash movie. The other guy might be able to figure that out.
2) Have your PHP files check the value of these superglobals and make sure they correspond to ONLY YOUR FILE:
$_SERVER['HTTP_REFERER']
$_SERVER['REMOTE_ADDR']
$_SERVER['REMOTE_HOST']
Beyond that, I'm not sure what to tell you. As long as he can decompile your SWF files, he can figure out whatever secret handshake you might concoct to identify your file. That means you need a secret handshake that keeps changing or that checks some value he simply cannot spoof.
someone
07-30-2007, 10:10 AM
Oh, thanks guys, I think what sneakyimp said should work fine. We will try it and post the results as soon as I can.
evride
08-01-2007, 12:03 AM
I know php can't read the _root._url from flash.
"then edit the php scripts so that the value of _root._url is sent to it by POST before sending the data back to the swf."
The _root._url is sent to the php script by POST. Then php checks to make sure it didn't come from some other domain, then sends data back to the swf.
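The two suggestions above (checking the posted _root._url and the request's referer/address against your own hosts, and using a "secret handshake that keeps changing") can be combined in one small PHP endpoint. The code below is an added example and is not from this thread or any poster; the host names, the shared secret, the POST field names (url, ts, sig) and the function names are all hypothetical choices of mine.

```php
<?php
// Added example (not from the thread): a PHP stats endpoint that only answers
// requests that look like they came from the site owner's own SWF.
// Hypothetical names throughout: the allowed hosts, the shared secret and the
// POST fields 'url', 'ts', 'sig' are assumptions, not the original poster's.

declare(strict_types=1);

// Hosts the SWF is legitimately served from (constructed sample values).
const ALLOWED_HOSTS = ['banner.example.com', 'www.example.com'];

// Shared secret compiled into the SWF. Caveat (as the thread notes): anyone who
// decompiles the SWF can read it, so rotate it and keep the token short-lived.
const SHARED_SECRET = 'replace-with-a-long-random-secret';

// Tokens older than this many seconds are refused, so a captured request cannot
// be replayed indefinitely by a refresh loop.
const TOKEN_TTL = 60;

/** Return the lower-cased host part of a URL, or null if it cannot be parsed. */
function hostOf(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

/** True when $url's host is exactly one of the allowed hosts (no substring match). */
function hostAllowed(?string $url): bool
{
    $host = hostOf($url);
    return $host !== null && in_array($host, ALLOWED_HOSTS, true);
}

/** Signature the SWF is expected to send: HMAC-SHA256 over "url|ts". */
function expectedSignature(string $url, int $ts): string
{
    return hash_hmac('sha256', $url . '|' . $ts, SHARED_SECRET);
}

/**
 * Validate one request. $post mirrors $_POST and $server mirrors $_SERVER so
 * the function can be exercised without a web server.
 * Returns null on success or a short reason string on failure.
 */
function rejectReason(array $post, array $server, int $now): ?string
{
    $url = $post['url'] ?? null;   // value of _root._url, as evride suggests
    $ts  = (int) ($post['ts'] ?? 0);
    $sig = (string) ($post['sig'] ?? '');

    // 1) The SWF's self-reported URL must be on one of our hosts.
    if (!hostAllowed($url)) {
        return 'url-host-not-allowed';
    }
    // 2) The browser-supplied Referer, when present, must agree. It can be
    //    spoofed (sneakyimp's caveat), but a foreign referer is a cheap signal.
    if (isset($server['HTTP_REFERER']) && !hostAllowed($server['HTTP_REFERER'])) {
        return 'referer-not-allowed';
    }
    // 3) The timestamp must be fresh: this is the handshake that "keeps changing".
    if (abs($now - $ts) > TOKEN_TTL) {
        return 'token-expired';
    }
    // 4) The signature must match; hash_equals avoids timing leaks.
    if (!hash_equals(expectedSignature($url, $ts), $sig)) {
        return 'bad-signature';
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Entry point under a web server: refuse anything that fails the checks.
    $reason = rejectReason($_POST, $_SERVER, time());
    if ($reason !== null) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: text/plain');
    echo 'stats=...';  // the real stats payload would go here
} else {
    // Constructed demonstration: one well-formed request, one from a foreign host.
    $url = 'http://banner.example.com/banner.swf';
    $ts  = time();
    $ok  = rejectReason(
        ['url' => $url, 'ts' => $ts, 'sig' => expectedSignature($url, $ts)],
        ['HTTP_REFERER' => 'http://www.example.com/page.html'],
        $ts
    );
    $bad = rejectReason(
        ['url' => 'http://other.example.net/copy.swf', 'ts' => $ts, 'sig' => ''],
        [],
        $ts
    );
    var_dump($ok === null, $bad === 'url-host-not-allowed');
}
```

The SWF side would compute the same HMAC over its own _root._url and the current time and post url, ts and sig with each request. Because the secret ships inside the SWF, this raises the cost of a copied client rather than eliminating it; the time window and the ability to rotate the secret are what limit the damage once someone does recover it.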
sneakyimp
08-01-2007, 01:03 PM
evdog's idea sounds pretty good. It is possible to 'spoof' both _root._url AND one's IP address or domain, but it definitely makes it harder for the hacker if you are checking them against each other.