That is certainly a very important point, and I definitely need to make a note about it in the documentation. Even though this is only a library intended to be part of a complete application, with separate elements taking care of other responsibilities, the security problems of such an approach need to be clear to the user. First of all, for most of the applications that I have made, I create two separate MySQL users: one for the normal visitor to the website with limited rights, usually only SELECT for most tables and, when needed, INSERT and UPDATE on a scratch table. In the latter case I modify the gateway to avoid queries like UPDATEs without valid WHERE conditions, which is easy enough to do. Additionally, for administration purposes, there is a second MySQL user with the needed rights, only accessible through a secure connection in a closed area of the website. I must note that I take these precautions not only for this library but for all public web applications. Now, in order to be able to use this library in all applications, and in a lot of other applications where you modify a database from a Flash app, what would be very cool is if you could verify that the information sent through a standard POST request actually comes from the intended SWF file. What I am working on right now is a way of doing this verification by means of a hash function. This way the SQL query sent, or any other communication between Flash and my PHP scripts, is checked against an additional hash-encoded string. Unfortunately, I am afraid the code for this hash function will not end up open source. Still, I think that if the developer is aware of the inherent security problems of the approach I am using, and takes the necessary precautions, this library is a very useful starting point for developing many Flash applications.
_______________________________________________ osflash mailing list [email protected] http://osflash.org/mailman/listinfo/osflash_osflash.org
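As an added illustration of the two checks the message above describes (not code from the poster's library), here is a PHP gateway fragment that verifies a keyed hash over the posted statement and refuses UPDATE/DELETE statements without a WHERE clause; the server-side shared secret and the POST field names query, ts and sig are hypothetical. A secret compiled into the SWF is readable by anyone who downloads the file, so the hash proves knowledge of that secret rather than that the request came from the unmodified SWF, and the limited MySQL user remains the real boundary.

```php
<?php
// Added example (not the osflash library's own code): a minimal PHP gateway
// check for SQL statements posted from a Flash client. The shared secret and
// the field names (query, ts, sig) are assumptions made for illustration.

const SHARED_SECRET = 'replace-with-a-long-random-secret';   // placeholder
const MAX_SKEW      = 300;                                    // seconds

// Verify that the posted statement carries a valid HMAC over "ts|query".
function verifySignature(string $query, string $ts, string $sig, int $now): bool
{
    if (!ctype_digit($ts) || abs($now - (int)$ts) > MAX_SKEW) {
        return false;                           // stale or malformed timestamp
    }
    $expected = hash_hmac('sha256', $ts . '|' . $query, SHARED_SECRET);
    return hash_equals($expected, $sig);        // constant-time comparison
}

// Coarse statement filter for the limited user: SELECT and INSERT pass,
// UPDATE/DELETE only with a WHERE clause, everything else is refused.
function statementAllowed(string $query): bool
{
    $q = trim($query);
    if (preg_match('/^(update|delete)\b/i', $q)) {
        return (bool)preg_match('/\bwhere\b/i', $q);
    }
    return (bool)preg_match('/^(select|insert)\b/i', $q);
}

function gatewayAccepts(array $post, int $now): bool
{
    foreach (['query', 'ts', 'sig'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return false;
        }
    }
    return verifySignature($post['query'], $post['ts'], $post['sig'], $now)
        && statementAllowed($post['query']);
}

// Constructed sample requests, signed the way the Flash client would sign them.
$now   = time();
$query = 'UPDATE scratch SET note = ? WHERE id = ?';
$ts    = (string)$now;
$good  = ['query' => $query, 'ts' => $ts,
          'sig' => hash_hmac('sha256', $ts . '|' . $query, SHARED_SECRET)];
$bad   = $good;
$bad['query'] = 'UPDATE scratch SET note = ?';   // no WHERE, and the signature no longer matches

echo gatewayAccepts($good, $now) ? "accepted\n" : "rejected\n";
echo gatewayAccepts($bad, $now)  ? "accepted\n" : "rejected\n";
```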
