I decided to split the original blog post into two separate posts as “Secure” Flash/MySQL DB calls is fairly short, and it was scattered about in a post more on how to set up a High Score DB with AMFPHP.
So this will be a couple of very specific tips and things to set up whenever any sort of user-entered data from Flash (or PHP!) touches your database. You know the rule… never trust any data. Always strictly data-type your variables and typecast user-entered values.
First up, as the user enters data into Flash via an input TextField, use the .restrict setter to limit the characters entered to only those you need. This is the first layer of protection against SQL injection attacks, and it follows the same common-sense “best practices” style of coding as data-typing variables.
[sourcecode lang="actionscript3"]
// Allow only letters and digits; the space inside the string permits spaces too.
nameInputTxt.restrict = "A-Z a-z 0-9";
[/sourcecode]
This will restrict the characters allowed in this TextField to alpha-numerics, capitals and lower case (plus the space, since the restrict string contains one). This excludes injection-prone characters like the single apostrophe ( ' ) and semi-colon ( ; ) keys.
After that data gets entered, we’re going to send those variables thru AMFPHP into our PHP Class. In the case of our High Scores Database example, we’re sending both the nameInputTxt data, as well as an integer based score value which gets handled by the following PHP code:
[sourcecode lang="php"]
function addScore( $pName , $pScore )
{
    // Timestamp is generated server-side, never taken from the client.
    $created = date( "Y-m-d H:i:s" );
    // String input: escape quotes and backslashes so they cannot break out of
    // the quoted literal below (requires an open mysql_connect() link).
    $cleanName = mysql_real_escape_string( $pName );
    // Numeric input: force an integer; anything non-numeric becomes 0.
    $cleanScore = intval( $pScore );
    return mysql_query( "INSERT INTO $this->table SET `name` = '{$cleanName}' , `score` = $cleanScore , `created` = '{$created}' " );
}
[/sourcecode]
You’ll see the $cleanName and $cleanScore variables a couple of lines into the function. For String-type user-entered data, always run it through PHP’s mysql_real_escape_string() function. If somehow a single apostrophe made it this far, PHP will “escape” it by adding a back-slash in front: \' instead of a dangerous '.
As for $pScore, we send it through PHP’s intval() function, which truncates any decimal portion and attempts to return an integer value for whatever data it is given. This means that if something crazy happened and malicious String code made it this far, and intval() could not find a proper integer to represent the data, it returns 0. Submitting a zero, even though it might be wrong, is infinitely better than having DROP TABLE code injected into the call.
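The same two checks, re-applied on the server and combined with a prepared statement. This is an added example, not code from the original post: the .restrict whitelist is enforced again in PHP (a caller can invoke the AMFPHP service without ever going through the Flash TextField), scores that are not integers are rejected instead of silently becoming 0, and the values are bound as parameters rather than interpolated into the SQL text. The function names, the table allow-list and the placeholder DSN are this example's own assumptions.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection to the
// same MySQL database; validateName/validateScore/addScore are example names.

// Mirrors nameInputTxt.restrict = "A-Z a-z 0-9" (that string also permits
// spaces), with an explicit length bound the Flash side does not enforce.
function validateName($name): bool
{
    return is_string($name) && preg_match('/^[A-Za-z0-9 ]{1,32}$/', $name) === 1;
}

// Like intval(), but a non-numeric or negative score is rejected (null)
// instead of being silently stored as 0, so a bad call can be logged.
function validateScore($score): ?int
{
    $v = filter_var($score, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// Prepared statement: MySQL receives the values separately from the SQL text,
// so a quote or semicolon in $name can never change the statement. Table
// names cannot be bound, so $table is checked against a fixed allow-list.
function addScore(PDO $db, string $table, $name, $score): bool
{
    static $allowedTables = ['highscores']; // assumed table name
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $cleanScore = validateScore($score);
    if (!validateName($name) || $cleanScore === null) {
        return false; // reject the input rather than "repair" it
    }
    $stmt = $db->prepare(
        "INSERT INTO `$table` (`name`, `score`, `created`) VALUES (:name, :score, NOW())"
    );
    return $stmt->execute([':name' => $name, ':score' => $cleanScore]);
}

// Usage with constructed values (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// var_dump(addScore($db, 'highscores', "Bob'; DROP TABLE highscores;--", 100)); // false: name rejected
// var_dump(addScore($db, 'highscores', 'Bob', 'abc'));                           // false: score rejected
// var_dump(addScore($db, 'highscores', 'Bob', 100));                             // true
```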
That’s it
For more info on securing the actual AMFPHP install and files, check out Lee Brimelow’s Flash Blog post, AMFPHP Security Basics.