Security Concerns with having sql queries in swf files

EmperorIQ

Platinum Member
Sep 30, 2003
2,003
0
0
I have an SWF where I communicate with the database via PHP. A SQL query is passed to the PHP file, and the PHP file makes a call to the database with the query.

What are the security concerns with having SQL queries in your SWF file? I've been searching for a while and all I have found are ways of communicating with the database from Flex. I have yet to find anything with respect to having SQL queries coded in your SWF. I'm just a bit worried, as SWF files can be decompiled and people can see the code.

Thanks!
 

troytime

Golden Member
Jan 3, 2006
1,996
1
0
I haven't touched Flash in 10 years, but my guess would be the same as yours: SWF files can be downloaded. If someone can see the query, it can give them information that they're not supposed to have.

Keep the query in a PHP file.
 

GeekDrew

Diamond Member
Jun 7, 2000
9,100
13
81
I know nothing about SWF, but if they can be decompiled, and your PHP script is just passing the query to the DB server, wouldn't that then allow an attacker to execute any arbitrary query against the database?
 

EmperorIQ

Platinum Member
Sep 30, 2003
2,003
0
0
Hmm... so it's probably best to keep the query in the PHP files, and have the SWF just know what PHP file to call for whatever data it needs.
 

DaveSimmons

Elite Member
Aug 12, 2001
40,730
670
126
The SWF is just as insecure as if you were making the call from javascript code running in the browser.

Also assume that anyone who cares can use a packet sniffer to see what PHP page is being called and what parameters are being passed to it. After that, they can easily make a request directly to the PHP page without using your SWF.

You might want to pass something like "1" or "2" (for query type #1, type #2) + any flags/parameters instead of raw SQL, and have the PHP page build the query from that.

lookup.php ? qtype=1 & id=(user ID) >> returns list of orders

lookup.php ? qtype=3 & id=(user ID) & oud=(order-id) >> returns tracking for order (order-id)

This can be even stronger than sanitizing SQL queries, since the queries are hard-coded in the PHP code. You still need to validate each of the CGI variables though, since an attacker can try passing unexpected qtypes and IDs.
 

NiKeFiDO

Diamond Member
May 21, 2004
3,901
1
76
Originally posted by: EmperorIQ
Hmm... so it's probably best to keep the query in the PHP files, and have the SWF just know what PHP file to call for whatever data it needs.

Exactly. Only have the Flash pass GET or POST parameters to your PHP files, which will do the rest of the processing.

You should keep the database name / user / password in a file outside of the WWW / public_html / httpdocs / whatever it is on your server folder (in your PHP files that are inside the www folder, you should just be able to do include('../passwords.php');).
 
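An added example, not code from this thread, of the lookup.php that DaveSimmons sketches (query type plus integer parameters dispatched to hard-coded statements) combined with NiKeFiDO's point about keeping credentials outside the web root. The file name db.php, its variables and the table and column names are assumptions.

```php
<?php
// lookup.php: the SWF sends only a query type and integer IDs; the SQL itself never leaves the server.
// Assumed: db.php lives one level above the web root and defines $dsn, $dbUser, $dbPass.
declare(strict_types=1);

require __DIR__ . '/../db.php'; // outside public_html, so the web server never serves it

header('Content-Type: application/json');

// Each allowed query type maps to a hard-coded statement and the parameters it expects.
// Anything not in this table is rejected, so a decompiled SWF reveals no usable SQL.
const QUERIES = [
    1 => ['sql'    => 'SELECT id, placed_at, total FROM orders WHERE user_id = :id',
          'params' => ['id']],
    3 => ['sql'    => 'SELECT carrier, tracking_no FROM shipments WHERE user_id = :id AND order_id = :oid',
          'params' => ['id', 'oid']],
];

function positiveInt(array $src, string $key): ?int {
    // Accept only a plain positive integer (no sign, whitespace or SQL fragments).
    if (!isset($src[$key]) || !preg_match('/^[1-9][0-9]{0,9}$/', (string)$src[$key])) {
        return null;
    }
    return (int)$src[$key];
}

$qtype = positiveInt($_GET, 'qtype');
if ($qtype === null || !isset(QUERIES[$qtype])) {
    http_response_code(400);
    echo json_encode(['error' => 'unknown query type']);
    exit;
}

$bound = [];
foreach (QUERIES[$qtype]['params'] as $name) {
    $value = positiveInt($_GET, $name);
    if ($value === null) {
        http_response_code(400);
        echo json_encode(['error' => "missing or invalid $name"]);
        exit;
    }
    $bound[":$name"] = $value;
}

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$stmt = $pdo->prepare(QUERIES[$qtype]['sql']);
$stmt->execute($bound);
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

In a real deployment the user ID should come from the authenticated server-side session rather than the request, otherwise any caller can read any other user's orders by changing id.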