Php :: Avoiding CSRF When Serving AJAX Or Flash Requests?

Sep 14, 2010

I have a Flash based game for the browser which sends users' scores to a php backend script which stores the score and the user id in the database.

Now I have a url like www.example.com/update.php?score=200&uid=234

The problem is that this is very much exposed to an intelligent user, and he can use this url to store whatever score he wants in the DB. Also there's no real user authentication, and I don't intend to have one either, because it's really a tiny game.

How can I stop someone from calling the above url and updating his score on his own?

View 2 Replies


Similar Posts:


Web Development / Flash Making AJAX Requests?

Dec 4, 2009

The main top section of the site is a little Flash thing that has buttons as links to different areas of the site. All of that is well and good, but whenever I click those links, it has to reload the entire page (including the Flash app) when only the bottom part changes. This isn't really a huge issue, since everything's real small, but it's kind of annoying. I vaguely remember "fixing" this behavior using AJAX during my web programming class, but that was just straight HTML and Javascript, no Flash players to muck around with. My question is, how do I overcome having to reload the entire page when someone clicks a link from the Flash object? Is there some nice way I can call something other than getURL() to achieve this effect?

View 2 Replies

Ajax :: View Response Content Of Flash HTTP Requests?

Aug 28, 2010

I'm interested if there is some tool (preferably a firefox addon) that allows you to record http requests and view their response header and content.

View 3 Replies

Php :: Process AJAX Requests More Securely ?

Mar 19, 2010

I want to send AJAX requests to my website from my Flash games to process data, but I don't want people downloading them, decompiling them, then sending fake requests to be processed, so I'm trying to figure out the most secure way to process in the PHP files. My first idea was to use Apache's built in Authorization module to require a username and password to access the pages on a separate subdomain of my website, but then you'd have to include that username and password in the AJAX request anyway so that seems kind of pointless to even try. My current option looks pretty promising but I want to make sure it will work. Basically it just checks the IP address being sent using REMOTE_ADDR to make sure it's the IP address that my server runs on.

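<?php
// Allow-list of addresses permitted to call this script.
$allowed = array("64.120.211.89", "64.120.211.90");
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed, true)) {
    header("HTTP/1.1 403 Forbidden");
    exit; // stop here so the rest of the script does not run for rejected clients
}
?>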

Both of those IP addresses point to my server. Things I'm worried about:

1) If I send a request from Flash/ActionScript, will that affect the IP address in any way?

2) Is it possible for malicious users to change the IP address that is being sent with REMOTE_ADDR to one of my IP addresses?

View 3 Replies

Ajax :: In Terms Of HTTP Request Performance Pick AJAX Or Flash?

Jul 19, 2011

In terms of HTTP request performance should I pick AJAX or Flash? To be more specific, I'm more into Flash than AJAX and I'm currently working on a wide scale web project. I wanted to try AJAX out for once and now it's getting too messy for me. Before it gets more complicated I thought maybe I can run Flash in the background for HTTP requests and use it with javascript. I couldn't find any benchmark on the Internet, but I think AJAX is faster than Flash. So what's your personal experience? Is there too much difference between Flash and AJAX?

View 4 Replies

Ajax :: FBJS AJAX.post Is Not Working After Permissions Dialog?

Feb 21, 2011

I have problems with a Facebook application based on Flash which communicates with PHP using FBJS-bridge. When someone uses the application for the first time, he/she is asked for various permissions. After that, Flash contacts PHP with ajax but the request is never sent. When you refresh the page, everything works without any problems. If you remove the application in privacy settings, refresh the page and try again, the same bug happens. If you allow the application, refresh the page, remove the application in another tab and start the application in the previous tab, the user is asked for permissions but everything works after allowing the application. This is the FBJS code:

function openPermissions(){
Facebook.showPermissionDialog(/*permissions string*/, permissionOnDone);[code]......

openPermissions is called to display permission dialog, and on allow flash function allow() is called. In flash, allow() calls JS function ajaxCall(), which should make ajax request. But, ajax.post never sends request. I know that for sure, because flash function parseAjax was never called and also debugging tools in browsers are not showing any ajax requests. URL and parameters are same as when it is working. No flash or JS errors are detected...

View 1 Replies

Flash :: Looking To Build A Video Serving Web Application?

Dec 2, 2010

I want to build an application that will allow the user to upload a movie file, then allow the user to give information about the movie (like synopsis, title, etc.) so that he or she can watch it from the server at a later time. Almost exactly like a youtube clone, for all intents and purposes.

I'm running into a problem, however, with serving up the movie to be watched. I want the user to be able to watch the movie on a variety of different platforms, including over the web in all of the common browsers, on iOS devices and on Android devices (as well as GoogleTV in the future).

I had initially planned on having the user upload whatever file formats they want, store that file, then transcode it on the fly using ffmpeg (or something similar) to serve it up to whichever device is requesting it. This is handy, because I'd be able to transcode it to a smaller size if I needed to to save on bandwidth. Unfortunately, I'm having a tough time finding a method that will do this to display the movie in a web browser.

I've tried VLC to death. I'm able to get it to stream a video on demand over RTSP, but (as I understand it), both the HTML5 video tag and Flash won't accept an RTSP stream. I haven't had any luck finding a method of streaming an on-the-fly transcoded video over HTTP, which looks to limit my options to embedding either a windows media player or quicktime. FFServer with FFMpeg has the same problem; it can create an RTSP stream, but not an HTTP stream.

View 1 Replies

Flash :: Professional - Serving Tutorial Videos Player

Feb 6, 2012

So Encore has the "export to flash" feature. It seems like it might be a good way to go for me because it produces a flash player with all my chapter markers in place. I have a couple of questions though:

1. It is limited to 1280X720 - would I have to do custom flash development to overcome that?

2. How are the resulting videos that are called by the flashdvd.swf served? I mean, if I have 1-2GB of video clips, are they served one at a time when called by the player?

3. Is there any way to get the flashdvd.swf to fall back on iOS and maintain all the functionality?

View 9 Replies

ActionScript 3.0 :: Flash Avoiding Registering Events With Multiple MovieClips

Jan 3, 2011

Imagine that you have lots and lots of the same library item on stage - movieclips - and you want each of them to be clickable. Normally, you would iterate through each of these and register an event listener on MouseEvent.CLICK for each one. It seems to me that if there are large quantities of these items this could be quite inefficient - on memory mostly - to have all these event listeners. I'm trying to figure out if there's a more "central" way to do this, where your main document class just registers once with some kind of central dispatcher using a custom event? Any time ANY of the movieclips are clicked, that fires this custom event and you can just query the event to figure out which clip was clicked.

Each movieclip that is clickable extends an AS class through its linkage, and when clicked, dispatches a custom event. If I'm using the IDE to put a lot of objects on stage, and these objects have linkages to their own custom classes, I don't want to ALSO have to go into the main document class and have it iterate through these objects to register event listeners on each one. I don't really want the document class to have that much knowledge about these objects (loose coupling). I'd rather the objects "communicate" through this mediator and not really worry about knowing more about each other than what you can access through the custom event.

View 4 Replies

Flex :: Can Do Conditional GET Requests From Flash / AS?

Feb 19, 2010

I have a Flex client that loads data from a server to display a chart. This data may change, so the client regularly repeats the request. Since the result may require some work to retrieve, I'm going to have the server detect if the result has changed, and issue a 304 status if it hasn't. I haven't seen any headers in the Flash Player's requests which would indicate that it's already handling conditional GETs. Also, the HTTPService API doesn't seem to provide anything, either. Does that mean, Flash can't do this, or how can I implement this myself?

With regards to cookies, which aren't supported in Flash, I have heard the suggestion to build my own HTTP client on top of the Socket class. This might solve this issue, too, but frankly, I'm really not keen on doing that. As an alternative, I could just cache the result page and send it again, but so far, the API tries to utilize semantics that are already built into HTTP, and I'd like to keep it that way.

View 2 Replies

Flash - How To Make Synchronous URL Requests From AS

Sep 13, 2010

I have a big loop in actionscript that sends lots of data to an url:
for(var i=0;i<1000;i++) {
var request:URLRequest = new URLRequest();
request.url = url;
request.method = URLRequestMethod.POST;
request.data = data;
var loader:URLLoader = new URLLoader();
loader.load(request);
}

The problem is that, because URLLoader can make only asynchronous calls, it sends all those thousands of requests at once, which kills the webserver. Also it acts a bit strange on top of that. Let's say the loop is running for 5 minutes. For the whole 5 minutes there are no requests coming to the web server, then at the end they are all sent at once. I already tried everything I could possibly think of (empty loops, callbacks, delays) - nothing works. All requests are sent at once no matter what. How to make requests synchronous, so it will send one request after another?

View 1 Replies

Media Server :: What Stream(s) Is Serving The Application

Jan 26, 2011

When a client connects to an application (nc.connect) this is caught at server side using application.onConnect; so, when the client asks for a stream (ns.play) ... does this have some correspondence at server side? Can we catch this event in some way? Or, seen from another point of view: is there any way, from within an application, to know what stream(s) the application is serving? I mean, if we want the list of connected clients we have the application.clients array; is there any correspondence for streams?

View 2 Replies

Cross Domain Requests : Javascript Vs Flash?

Jan 25, 2010

As you might know, browser's security model does not allow a script loaded in a page from http:[url]... to make cross-domain requests (no AJAX calls to any other domain other than url...). The Javascript file itself could have been served from a different domain altogether (url....) and that is irrelevant. This is the Same-Origin Policy.

Flash also has something similar? But does Flash treat the origin to be the HTML page where the .swf file was loaded or origin is the domain which served the .swf file?

So http:[url]... loads a .swf file from http:[url].... Now .swf can load resources only from [url].... or only [url....? I'm assuming there are no cross-domain.xml files setup on either [url]....

View 1 Replies

Flash :: HTTP Requests Won't Work On Localhost

Jun 11, 2010

First off, I'm trying to fix something that I didn't build to begin with and the guy whose project it was assures me it was working fine when he left, although a version I haven't touched since he left seems to have the same issues. I'm also a bit new to programming in general so let me know if I've left out important information in my first post and I will try to add more info.

I have a flash application hosted on-line that acts as a client for a server application written in Delphi. Most of the communication is done using sockets, which work fine. Uploading data files and downloading results files is done using HTTP requests, which work fine as long as the user is making use of an instance of the server on another computer. However, if the user has the server application installed on their own computer and attempts to use it specifying localhost as the url, the socket communication still works, but the HTTP requests don't.

All the socket based communication works fine and, when it is not on the localhost, all the HTTP requests work fine as well, which is why this is so mystifying to me. I've tried changing the flash cross-domain policy file that the server dispatches to be completely permissive, all ports, all domains, all http-request-headers, and still no luck. The Flash app will sit waiting for localhost indefinitely most of the time until I close the server application, and then give this error message:

[Code]...

View 1 Replies

Actionscript 3 :: HTTPS Vs HTTP Requests From Flash

Oct 16, 2011

I am finding that if I load Flash from a HTTPS page [URL] and try to make a request within ActionScript 3 to [URL] the request does not go through. Same goes for the opposite (accessing https from a http-loaded flash script).

The request is failing, the requested data (passed from a PHP script) is not loading.

Now at first I assumed the trouble was with cross-domain policy files, but I have fixed that issue (I think).

Is there any security policy in Flash (CS5 btw) on HTTP vs HTTPS requests based on where the script is loaded from?

View 1 Replies

Media Server :: Very Slow Connecting Loading And Serving?

May 24, 2009

We have installed Flash Media Server on a Linux machine. It has 2GB of RAM, Fedora 9 with kernel 2.6.27.5-41.fc9.i686; the install required a few packages (compat-expat1 was one) to be installed before we saw the sample page. The sample page takes a few minutes to load and opening the page to connect to the admin console is about the same.

This is currently on our internal network while we try and see how it works. Are there any specific TCP related kernel tuning parameters (eg in sysctl.conf) which need to be put in place over and above the out-of-box configuration? Any troubleshooting hints which might identify the problem? The install seemed ok, nothing in /var/log/messages, and checking to see what is running (ps aux | grep fms) I see

./fmsmaster -silent
/opt/adobe/fms/Apache2.2/bin/httpd -f ./conf/httpd.conf -d /opt/adobe/fms/Apache2.2 -k start
/opt/adobe/fms/fmsedge -edgeports :80,1935 -coreports localhost:19350 -conf /opt/adobe/fms/conf/Server.xml -adaptor _defaultRoot_ -name[code]....

but when we clear our browser cache and go to a page it is taking forever. It is taking about 5 minutes to open up the initial page, but when it is open the videos all seem to come through fine. The server previously had apache on it but I removed that copy and went with the version included with FMS.

View 3 Replies

Media Server :: High Bandwidth Is Used By The FMS 4.5 When Serving A VOD File?

Feb 9, 2012

We noticed that when we are streaming our own VOD file that we had copied to the server, which is an .MP4 file encoded at 1200 kbps, using either HDS or RTMP (which I suppose the server recodes on the fly), we are getting the incoming stream at the average bitrate of 14 Mbit/s, and it looks like bursts of 25 Mbit every couple of seconds.

However if we try a sample file, such as sampl1_1500kbps.f4v, we are getting an average of 1.2 Mbit/s with peaks of 1.5-2 Mbit. The tests are conducted in our company LAN. So what is the reason for this? And is there a way to control/restrict the output bandwidth for our own file without re-encoding? (I'm not talking about several streams with different bitrate for the same source, aka adaptive bitrate, but rather about the single stream bw.)

View 1 Replies

Php :: Flex - Image Serving Extraneous Bytes Before Marker?

Nov 7, 2010

I'm desperately trying to solve this one. I have a bunch of files stored outside of the webroot and I need to serve them to a user after a few auth checks. These files have been uploaded using a Flex application or have just been manually uploaded through FTP. I have a serving script that looks something like:

[Code]...

I imagine this could be on the Flash side, but honestly it's dirt simple. I just don't see where the extra data is coming in, and why its corrupting the file. Anyone know why this is happening? or better yet, how I can clean these files up now?

View 1 Replies

Flash Uploader - Requests Host/crossdomain.xml File?

Jan 24, 2011

I'm using YUI file uploader based on flash, and the flash requests host/crossdomain.xml file. I'm requesting localhost and it requires this file. I was using this before and I have never had this problem and I've never had this file on my server. I've never used any adobe technologies; could anybody please tell me if it is possible to turn it off somehow? The problem is that I can't have the file on my server, at least at root location...

View 2 Replies

Actionscript 3 :: Making Requests From Flash For URLs With + Signs In Them?

Aug 20, 2011

I am hosting images on Amazon S3 and using them in my Flash application. My application receives signed S3 urls that point to the images in S3. The URL looks something like this (line breaks added for clarity):

[Code]...

The problem here is with the + sign that can occur in the Signature. If I send the + sign as-is, then the browser thinks that it's a space, as it should according to the URL specs. Really, S3 shouldn't use + signs for this reason, but it seems to be something they overlooked. Normally this isn't a problem since you just replace the + sign with a %2B. However, Flash has some default behavior that makes this difficult.

From what I can see, the URLRequest object is setup to always encode URLs as if it was passed through the encodeURI function. I don't see any way to turn this off. Unfortunately, encodeURI doesn't encode + signs, but it does encode % signs.

This means that if I leave the + sign in there then Flash leaves it alone and S3 thinks I have a space in my URL. If I use %2B then Flash turns it into %252B, due to encoding the

View 1 Replies

Flash :: IE Requests SWF Using HEAD Instead Of GET In Facebook IFrame Application

Dec 18, 2011

By far the weirdest thing I've ever seen. On some machines (!) IE (!!) attempts to load an SWF file via HEAD request instead of GET. This happens only when the page is running in Facebook IFRAME application - when running solo works fine. Naturally, on FF and Chrome everything works just fine. The SWF is embedded using jSWFObject. There's no visible common feature to the machines which experience this problem - laptops, desktops, XP, Vista, 7.

View 1 Replies

Media Server :: Serving Live Streams To IPad And Android Using FMS?

Jun 13, 2011

I need to serve live video streams to Flash players, Apple devices, and Android and Blackberry handhelds. Right now I'm using FMS (actually, the CDN I stream through is running FMS), and configuring Wowza Media Server to suck the Flash stream from FMS and reprocess it for Apple, Android, and Blackberry. It works well, but it's kind of a PITA having to have a separate server just to handle mobile devices.

Is anyone aware of any plans to release a version of FMS that will stream directly to Apple and Android? I saw a video clip on Techtilt of an Adobe presentation at NAB where they were showing live streaming to iPad, but that clip didn't say anything about when we might actually see that version of FMS become available.

View 1 Replies

Flash 10 :: Avoiding Text "wiggle" When Scaling Movie Clip?

Dec 13, 2011

When I scale a movie clip that includes text and do a tween, the text kind of wiggles around as it resizes. It doesn't look smooth at all.

View 1 Replies

Networking - How Can Flash Open A Port To Listen For Server Requests

Apr 27, 2010

Is it possible for flash to open ports to listen for messages from the remote server? If so, how?

View 2 Replies

ActionScript 3.0 :: Use Ajax From Flash?

Mar 25, 2010

Are ajax/javascript functions accessible from flash? In games like those at mindjolt it is irritating to wait for the flash file to load and initialize and then have the page change to the scores page again.

I was wondering if it's possible to use ajax from flash, so the flash game sends the score/result to the page and only parts of it change (developers can even choose to force pause the game for 5 seconds so the user registers/submits score etc)

and then can continue. Now what happens is the page changes, then you need to return to the page and wait for the flash swf file to load again ...

View 2 Replies

Python :: Flash - Handle Faults/exception In Flex In Http Requests?

Mar 15, 2012

Here is an issue I've been struggling to solve for quite some time now. I have a python + GAE backend with a flex client that communicates via JSON. I'm using flex's HttpService bound to a Responder with result and fault callbacks. When python raises an exception, I don't seem to get it in flex. I did some research and found out that the problem probably lies in the fact that the flash runtime cannot handle http responses with status code other than 200.

View 1 Replies

ActionScript 3.0 :: Can Requests From Flash Create An Infinite Loop That Crashes The Server

May 18, 2009

A client hosts numerous sites at MT, and I've built a few Flash sites that exist on his server. For some reason, the server is over-running due to an internal loop that is basically the domain requesting itself over and over. Can this potentially happen via the player itself somehow making numerous requests?

View 2 Replies

Create AJAX / Pop-up Flash Window For Website?

Oct 1, 2009

I've been searching for a way to make a customized AJAX window, functioning so that when you click a link, an informational window pops up and the rest of the page is greyed out.

View 1 Replies

Flash :: Web Development - Type Animations But Using AJAX?

Dec 11, 2009

I am looking for some way to do Flash type movies but with AJAX instead. Flash requires plugins, SEO is difficult and my experience is people tend to stay away from Flash websites unless they are really really good. [URL]

View 4 Replies

Ajax :: Get Data From The Server In An Asynchronous Way In Flash?

Apr 14, 2010

How can we get data from the server in an asynchronous way in Flash? I am looking for something like XHR in actionscript.

View 2 Replies






