code!

This blog is moving…

Bob de Wit — Tue, 04 Dec 2007 18:13:01 +0000

I got more than a little tired of having to format code using no-plugin WordPress, so I set up my own.

MySpace/GetURL Solution: Not Perfect, But Stylish

Bob de Wit — Thu, 22 Nov 2007 13:13:02 +0000

Note: this article is no longer maintained on this site.I got more than a little tired of having to format code using no-plugin WordPress, so I set up my own. For updates & submitting comments, please check www.active6.com/blog

Like most Flash developers, I was grinding my teeth when MySpace unilaterally decided to disable getURL() calls from Flash movies on their network. I was -and still am- convinced that the least MySpace could have done was to set up a program for Flash widget designers with good intentions in stead of hurling everyone back to the stone age (read: HTML links).

Today I finished a new artist site for MySpace and I decided to dig a little deeper into the problem. But first, maybe for those not familiar with the origin of the problem, a little overview.

Last year MySpace was attacked by a flash based worm. In response, MySpace has forced all flash movies to be played in version 9 of the Flash player. This version introduces several new network security features. The one relevant for the MySpace getURL issue is the parameters allowScriptAccess (already introduced in Flash player 6, but now enforced in version 9). MySpace disables links from flash including getURL by appending or overriding the following properties to your object tag:

name=“allownetworking” value=“internal” />
name=“allowScriptAccess” value=“never” />
name=“enableJSURL” value=“false” />
name=“enableHREF” value=“false” />

Possible values of allowNetworking are:

“all” (the default)–All networking APIs are permitted in the SWF.
“internal”–The SWF file may not call browser navigation or browser interaction APIs, listed later in this section, but it may call any other networking APIs. This one is enforced by MySpace.
“none”–The SWF file may not call browser navigation or browser interaction APIs, listed later in this section, and it cannot use any SWF-to-SWF communication APIs, also listed later.

Hence the getURL() problem. The command simply hits the security wall. Additional frustration is that the getURL() simply fails without any error being raised. Utterly frustrating.

So what can be done? Well, several people apparently tried write the code in such a way that the MySpace parser would be “tricked” into not inserting the tags. And although some of these attempts had success, each of these parser gaps was quickly nerfed by MySpace. No long-term solution there.

So let’s reverse the problem for a moment. In stead of focusing on what MySpace can block us from doing, what can MySpace NOT block without rendering all pages neolithic? Well, from that perspective, they can’t:

block Flash movies altogether. Bye galleries, music players, movie embedding? Don’t think so.
block Flash movies from accessing files in the same domain for the same apparent reason.
block basic HTML elements.
, and will always be there

Given this shortlist, some people looking for a more permanent solution have come up with overlaying a

containing a transparent gif on the Flash movie, thus enabling a link. While this approach works fine for simple flash sites, what to do for really dynamic Flash sites where things move, appear and disappear all the time? Could we make the overlaying link dynamic in some way?

Yes we can, though it’s not perfect…but a Flash designer can certainly work it into his/her designs in such a way that it will look just like Flash.

Take a look at my artist site – pop up the friends page, this will parse the friends list from MySpace and display this list in a Flash grid. Click on any of the icons, and you’ll see a link message appearing. Click on the link message and you’ll be taken to that profile. Come back, click another one in the friends list, click the link message again – you’re taken to the new profile you selected.

How does this work? Well, there’s three components: obviously an overlaying

, and 2 simple scripts. I’ve used PHP, but you can easily duplicate this in any other language.

Let’s start with the

part. Here’s the relevant code from my profile page:

Notice the transparent wmode parameter. And then we add an overlaying transparent GIF on top of the Flash movie:

As you can see, the transparent GIF links to a PHP script on my server called redirect.php. But how does the script know what to redirect to?

Well, even if we can’t do direct linking from our Flash file, nothing stops us from passing the desired link to a script that stores it into a session variable. Since this session is tied to the browser, all the redirect script would need to do is pick up the session variable and redirect the user to whatever is stored in that variable.

This implies passing the desired link from within your Flash movie to the redirect script. Here’s what happens in the Flash movie when you click on one of the friend icons in the list:

on (release)
{

if (_root.MySpace == 1 )
{

wcap = “Click here to visit ” + this.caption.text;
_root.ByPassCaption = wcap.toUpperCase();
_root.ByPassLink._visible = true;
wurl = “http://sites.sitelinx.net/carbonbass/setlink.php?url=” + escape( “http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=” + this.id );
LV = new LoadVars();
LV.load( wurl );

}
else
{

getURL( “http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=” + this.id, “_blank” );

}

}

The Flash script first determines wether is is running from a “normal” server or from MySpace. This can simply be done by passing a variable to the flash movie, like src=”movie.swf?MySpace=0″. For a normal server, it simply calls the getURL() script. In this way, you can use the same swf for your regular as well as for your MySpace site.

When running from myspace, the script creates a LoadVars object and calls the script setlink.php, passing the url the user selected. The essence of the script is extremely simple:

session_start();

$url = $_REQUEST['url'];

$_SESSION['url'] = $url;

It stores the passed url in the user’s session variable. Then all the redirect.php script does is pick up the url and jumps to it:

session_start();

$url = $_SESSION['url'];

header(“Location: $url”);

And there you have it – a dynamic HTML link overlay thanks to user session variables. Only drawback is you need to click twice. As I said: not perfect, but at least I can use dynamic links again in Flash on MySpace.

AutoIT with Flex GUIs using the AS3 ExternalAPI

Bob de Wit — Sun, 14 Oct 2007 21:11:46 +0000

I recently started writing a clan tool for my kinship in the Lord Of The Rings Online (LOTRO) using the open source macro programming language AutoIT 3. As the GUI functions of this language are really limited and it’s very time-consuming to create even a simple GUI, I checked if there was a way to use Flex as the GUI. I ended up with something endlessly more versatile than what the Adobe AIR project allows with regard to interfacing with the Win32 API.

In this article I’ll go through the basic principles of SWF embedding into AI3, but bear in mind this principle can be applied to any development language that supports ActiveX embedding.

About AutoIT

AutoIt is a freeware Windows automation language written in C. It can be used to script most simple Windows-based tasks (great for PC rollouts or home automation). AutoIt has been in popular use since 1999 and continues to provide users and administrators with an easy way to script the Windows GUI. In February 2004 the latest version of AutoIt – known as AutoIt v3 – was released and added powerful scripting features.

AutoIt v3 was developed in a small team with the help of contributors around the world and this has led to a great set of help files, examples, support forum, mailing list, editor files, and third-party utilities. Check out www.autoitscript.com

About The ActionScript 3 External API

This API is Flash 8’s new replacement for fscommand and setVariable or getURL. Although primarily intended for flash-javascript communication, it’s perfect for embedded SWFs in applications. The ExternalInterface can be used to communicate from a Flash or Flex .swf file to any kind of a supported container. The ExternalInterface Class is only available from Flash 8 and above and will work only in Flash Player 8 and above.

The External Interface API enables sending and receiving as many arguments as we want or none. With the old fscommand only 1 and at least 1 string could have been sent to an external function.The API supports arguments of the types: Boolean, String, Number, Array, and Object. XML is used as the transfer format.

Calling AutoIT from Flex

To call any external function, simply include the API library in your Flex (or Flash) project:

import flash.external.ExternalInterface;

then call the externally defined function, for example to call the AI3 function CallAI3(Parameter), do as follows:

ExternalInterface.call(“CallAI3″, Parameter );

Flex will call a function via the container called FlashCall( ). In AutoIt, you can set the function to be called from an ActiveX control with a prefix for the function like this:

$SinkObject=ObjEvent($oFlex, “Flex_”) ;

and then define the function as such:

Func Flex_FlashCall( $xml )

MsgBox( 1, “We received a call from Flex”, “Full XML:” & $xml )

;In theory, we can now set return value(s) in XML format – however, in Flex this doesn’t seen to work.
;So we can send whatever series of values as a separate result function call back to Flex.

$oFlex.CallFunction(‘This is the return value for your call to FlashCall()’)

EndFunc

Calling Flex From AutoIT

As you can see, for the moment, the setting of return values does not seem to work in Flex. So we must define a callback entry in Flex for passing the return value the same way as for any Flex function being called. For example:

ExternalInterface.addCallback( “AI3Call”, AI3Call );
ExternalInterface.addCallback( “AI3CallReturn”, AI3CallReturn );

Then simply define the function to be called and the return callback function:

private function AI3Call( message:String )
{
doSomethingWith( message);
}

private function AI3CallReturn( message:String )
{
doSomethingWithReturnValue(message);
}

Complete AutoIT Code

;Go into event capturing mode in stead of standard messaging mode
Opt(“GUIOnEventMode”, 1)

;Set busy for GUI event loop
global $busy = true

;External SWF File Name (assumed in same folder)
$swffile = “externalAPI.swf”

;Create the Shockwave Flash Object – this can contain Flex as well as Flash SWF Files
$oFlex = ObjCreate(“ShockwaveFlash.ShockwaveFlash”)

;Create the AutoIT GUI Window
$hModWnd = GuiCreate(“Flex External API Demo”, 400, 400, -1, -1, -1 )

;Create the ActiveX Container
$GUIActiveX = GUICtrlCreateObj( $oFlex, 0, 0 , 400, 400 )

;Set up event handling for Flex externalAPI calls
$SinkObject=ObjEvent($oFlex, “Flex_”) ;

;Set up COM error handling
$oMyError = ObjEvent(“AutoIt.Error”,”COMErrFunc”)

;Initialize the Flex ActiveX
With $oFlex; Object tag pool
.Movie = @scriptdir & ‘\’& $swffile;
.ScaleMode = 3; 0 showall, 1 noborder, 2 exactFit, 3 noscale
.bgcolor = “#000000″;
.Loop = False
.wmode = “Opaque”; Opaque / transparent
.allowScriptAccess = “Always”
EndWith

;Set close handler for AI GUI
GUISetOnEvent($GUI_EVENT_CLOSE, “closeTest” )

;Show the GUI
GUISetState ()

;Now call the Flex defined function AI3Call()
$oFlex.CallFunction(‘Hello Flex!’)

;Loop until closed
while $busy
sleep(10)
WEnd

;The ExternalAPI Callback handler – the function that Flex will try to invoke is called FlashCall
;We have defined “Flex_” as a prefix here: $SinkObject=ObjEvent($oFlex, “Flex_”) ;
Func Flex_FlashCall( $xml )
;Create an XML DOM Parser with the call XML string
_XMLLoadXML( $xml )

;Get the invoked function name
$invokedFunction = _XMLGetAttrib( “/invoke”, “name” )
MsgBox( 1, “Invoked Function Name”, $invokedFunction )

;Get the first (and in this case the only) parameter
$parameters = _XMLGetValue( “/invoke/arguments/string” )

MsgBox( 1, “We received a call from Flex”, “Invoked Function: ” & $invokedFunction & @CRLF & “Parameter: ” & $parameters[1] & @CRLF & “Full XML:” & $xml )

;In theory, we can now set return value(s) in XML format – however, in Flex this doesn’t seen to work.
;So we can send whatever series of values as a separate result function call back to Flex.
$oFlex.CallFunction(‘This is the return value for your call to FlashCall()’)
EndFunc

;Close GUI Event Handler
Func closeTest()
$busy = false
GUIDelete()
EndFunc

; COM error handler
Func COMErrFunc()

Msgbox(0,”AutoItCOM Test”,”We intercepted a COM Error !” & @CRLF & @CRLF & _
“err.description is: ” & @TAB & $oMyError.description & @CRLF & _
“err.windescription:” & @TAB & $oMyError.windescription & @CRLF & _
“err.number is: ” & @TAB & hex($oMyError.number,8) & @CRLF & _
“err.lastdllerror is: ” & @TAB & $oMyError.lastdllerror & @CRLF & _
“err.scriptline is: ” & @TAB & $oMyError.scriptline & @CRLF & _
“err.source is: ” & @TAB & $oMyError.source & @CRLF & _
“err.helpfile is: ” & @TAB & $oMyError.helpfile & @CRLF & _
“err.helpcontext is: ” & @TAB & $oMyError.helpcontext _
)

Local $err = $oMyError.number
If $err = 0 Then $err = -1

SetError($err) ; to check for after this function returns
Endfunc

Complete Flex Code

import mx.controls.Alert;
import flash.external.ExternalInterface;

private function init():void
{
ExternalInterface.addCallback( "AI3Call", AI3Call );
ExternalInterface.addCallback( "AI3CallReturn", AI3CallReturn );
}

private function AI3Call( message:String )
{
this.response_tx.text = message;
}

private function AI3CallReturn( message:String )
{
retval_tx.text = message;
}

private function MoreInfo():void
{
navigateToURL(new URLRequest("http://livedocs.adobe.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001971.html"), "_blank");
}

private function SendToAI3():void
{
ExternalInterface.call("CallAI3", Send_tx.text );
}

]]>

Using the Wimpy Player in Flex

Bob de Wit — Tue, 07 Nov 2006 15:11:56 +0000

This one took some digging. The Wimpy Player uses the ActionScript 2.0 _root variable for configuration, and this has of course been deprecated in AS 3.0.

Wimpy expects some variables to be defined at _root level: the filename of the Wimpy Player (usually wimpy.swf) and the name of the wimpy Configuration XML file (wimpyConfigs.xml).

Since there is no way to pass this information from Flex through an Image or SWFloader element, I decided on using an intermediate Flash file, much like the WimpyLoader example that can be found on the Wimpy Site for embedding Wimpy into Flash. However, I wanted to construct it in such a way that anyone who doesn’t have Flash could use this Flex Loader without having to adjust the dimensions in the source file depending on the Wimpy Player skin used (and as a result, recompile the loader in Flash). You can see the result on my MySpace artist pageYou will need my preloader. You can get a trial version of the Wimpy Player at www.wimpyplayer.com.

The following files need to be in the same folder as the Flex SWF File:

The preloader (player.swf)
The Wimpy player (wimpy.swf)
The Wimpy Player skin and its resource files
The Wimpy Configuration file (wimpyConfigs.swf)

Controlling Wimpy

Fortunately, all Wimpy controls can be set from the wimpyConfigs file. It will look something like this:

wimpy.swf
playlist.xml
skin_tube.xml
no

no
no
no

yes
off
no
no
no
yes
3
100
0

no
no
goodies,playlister_output,skins,getid3,_notes,_private,_private,_vti_bin,_vti_cnf,_vti_pvt,_vti_txt,cgi-bin
skin.xml,wimpyConfigs.xml

coverart
jpg

Music
yes
000000
no
no
no
_blank

no

As you can see the wimpySWF, wimpyApp (the playlist) and the skin have been set to simple filenames so they need to be in the same folder. I’ve tried using URL’s, but I kept running into security sandbox errors, even if I allowed all domains in the Flash preloader file.

The rest of the configuration items in the wimpyConfigs.xml are not relevant to this article and can be explored in the Wimpy documentation.

Getting Wimpy into Flex

The essence of the Flex code looks like this:

public var wimpyWidth:int = 244;
public var wimpyHeight:int = 422;
public var wimpyDefWidth:int = 480;
public var wimpyDefHeight:int = 140;

Security.allowDomain( ["flex.active6.com","mymp3source.com"] );

public function initWimpy(): void
{
wimpy.scaleX = wimpyWidth/wimpyDefWidth;
wimpy.scaleY = wimpyHeight/wimpyDefHeight;
}

]]>

OK, that’s not too difficult, is it? Let’s go over the main lines…

We’ll need some dimensions

public var wimpyWidth:int = 244;
public var wimpyHeight:int = 422;
public var wimpyDefWidth:int = 480;
public var wimpyDefHeight:int = 140;

I start by defining some size variables that we’ll need. The first two define the actual width and height of the skin that I’ll use for Wimpy (it’s the Tube skin readily available in the Wimpy skin download section). It’s dimensions are 244×422.

The second dimensions are the default dimensions of the Wimpy player without any skin loaded. We’ll need these because we’re going to dynamically resize the Wimpy player movie within our Flex file because we don’t want to recompile the preloader every time.

If you want to play MP3 files that are not on the same domain…

Security.allowDomain( ["flex.active6.com","mymp3source.com"] );

This is needed because I’m going to pull in mp3’s from a fictuous site called mymp3source.com.

Using an Image Tag to load Wimpy

autoLoad=”true” scaleContent=”true” source=”player.swf” top=”100″ right=”20″/>
This defines a Flex Image component that will load the preloader (and the preloader will load Wimpy). The initial dimensions MUST be set to the default Wimpy width and height. When the preloader is initialized, we will call the initWimpy() function. scaleContent MUST be set to true.

Getting Wimpy to resize properly

public function initWimpy(): void
{
wimpy.scaleX = wimpyWidth/wimpyDefWidth;
wimpy.scaleY = wimpyHeight/wimpyDefHeight;
}
initWimpy() dynamically resizes the Wimpy player to the skin dimensions. You are wondering why we still need to do this even after we set scaleContent for the image to true? Well, it’s because the Wimpy Player is embedded into a movieClip in the preloader and redimensions itself based on the width and height it gets from the skin XML file. Redimensioning the preloader by setting its width and height does not trigger the embedded Wimpy player to resize. My guess would be that in the Wimpy code Stage.scaleMode is explicitly set. So you have to use scaleX/scaleY to get to PreLoader->Wimpy.

Enjoy!

And there you have it: a reusable preloader for Wimpy that doesn’t require recompiling to use another skin.

Using the PEAR PHP XML Serializer class with Flex

Bob de Wit — Mon, 06 Nov 2006 14:53:51 +0000

PEAR is a framework and distribution system for reusable PHP components. The code in PEAR is partitioned in “packages”. Each package is a separate project with its own development team, version number, release cycle, documentation and a defined relation to other packages (including dependencies). Packages are distributed as gzipped tar files with a description file inside, and installed on your local system using the PEAR installer.PEAR contains PHP classes that are perfect for serializing data to be passed to a Flex application. Unfortunately, there is currently no package that would allow automatic installation for a Flex/PHP developer that wants to use the PEAR XML Serializer functionality.

In this article, I am going to describe how to do a local tweak and installation of the PEAR XML classes on a server that does not have PEAR pre-installed. Even if your server has PEAR installed, this approach will work.

Getting the Necessary PEAR Files

The PEAR files you will need for Flex are:

PEAR.php
XML_Serializer.php & XML_Unserializer.php
XML_Util.php

You can obtain these from the PEAR Package listings, but I have attached the modified files for you here.

Modifying the Include Statements

If you do not wish to reproduce the PEAR Package folder structure, you must edit the XML_Serializer.php and XML_Unserializer.php files for the path of the PEAR library:

/**
* uses PEAR error management
*/
require_once ‘PEAR.php’;

/**
* uses XML_Util to create XML tags
*/
require_once ‘XML_Util.php’;

Introducing the Serializer Class

The XML_Serializer.php contains a class definition that allows for a wide range of XML files to be generated from PHP variables, arrays and objects. The generation mode is controlled by passing an array of parameters that is passed to the constructor of the class.

The most important parameters you should include are the overall container tag of the XML data and the item tag name.

Application Example

Let’s take an example. I’ve been working on something like this for the MySpace Page of a record label. Let’s say you want to display a list of your MySpace friends in your Flex application. You have a MySQL table with all your friends data, such as:

Friend Number
Friend Name
Image
etc

Getting the Friends data From MySQL

We would load this data into an array of objects in a PHP script called getfriends.php using the following code:

//Connect to MySQL, assuming we have already
//defined the Database Login Parameters as constants
$dbLink = mysql_pconnect(DB_HOST, DB_USER, DB_PW);

//Create an array to hold the friends query result
$friendsList = array();

//Execute the MySQL Query and process into an array
$sql = “SELECT * FROM friends”;
$result = mysql_query($sql, $dbLink);
if ($result)
{
while ($row = mysql_fetch_object($result))
{
array_push($friendsList, $row);
}
mysql_free_result($result);
}

Creating the Flex Request and Tile Display

We would create a HTTP Request tag in our Flex application like this:

url=”http://localhost/MySpace/php/getfriends.php”
useProxy=”false”
method=”GET”
result=”friendHandler(event)”>

And create a TileList to display the friends data:

columnCount=”1″
rowHeight=”120″
dataProvider=”{friendslist.lastResult.friends.friend}”
id=”FriendsTileList”
itemRenderer=”FriendListItem” />

Where it comes together: the dataProvider

As you can see, the TitleList uses the following dataProvider:

friendslist.lastResult.friends.friend

This means the expected XML format would be something like:

51930230
Derrick May
derrickmay
Derrick May
Techno / House / Club
14536
64247
2006-10-11
http://myspace-728.vo.llnwd.net/01007/82/77/1007837728_s.jpg
DETROIT
Michigan
US
2006-01-27

63740153
Plastikman
plastikman
Plastikman
Techno / Electronica / Ambient
1
12955
52482
2006-10-11
http://myspace-786.vo.llnwd.net/00577/68/77/577847786_s.jpg
Windsor
Ontario
Canada
2006-03-18

Getting the PEAR XML Serializer to generate the expected XML

In order to have the XML class generate code from our getfriends.php result array we initialize a Serializer with the following options and have it generate the XML based on the $friendsList array:

$options = array(
XML_SERIALIZER_OPTION_XML_DECL_ENABLED => false,
XML_SERIALIZER_OPTION_DOCTYPE_ENABLED => false,
XML_SERIALIZER_OPTION_INDENT => ” “,
XML_SERIALIZER_OPTION_LINEBREAKS => “\n”,
XML_SERIALIZER_OPTION_TYPEHINTS => false,
XML_SERIALIZER_OPTION_XML_ENCODING => “UTF-8″,
XML_SERIALIZER_OPTION_ROOT_NAME => “friends”,
XML_SERIALIZER_OPTION_DEFAULT_TAG => “friend”
);

//Instatiate the serializer object
$serializer = new XML_Serializer($options);
$serializer->setErrorHandling(PEAR_ERROR_DIE);

//Serialze the data
$result = $serializer->serialize($array, ‘friend’);
$xml = $serializer->getSerializedData();

//Return the xml to the Flex application
echo( $xml );

And that’s all there’s to it.

Flex / PHP Security Basics – Part One

Bob de Wit — Sun, 05 Nov 2006 14:53:49 +0000

I’ve been creating Flash / PHP web sites and applications for years, but I am relatively new to Flex. After browsing the Adobe PHP samples for Flex earlier this week, I couldn’t help but notice that some of this code could prove extremely hazardous if used in a public Flex site. This is no criticism, but since these examples will be read by virtually anyone who want to use the PHP / Flex tandem, it’s probably not a bad idea to go over the security basics. I just love PHP. It’s a great language for rapid development of dynamic site and application backends. Combined with the RIA power of Flex 2, there’s no end to what you can do. But – as for every web programming language, security considerations for designing even the simplest web sites with Flex and PHP are crucial and often overlooked. This article makes some assumptions that on first look may linger on paranoia, but you should always remember the following when developing PHP / Flex apps:

It’s dead easy to decompile a Flex or Flash file. The file format is public and many decompilers exist.
It’s equally easy to monitor requests and results from a Flex app to and from the server. This and the above make it a breeze to get the URI’s and expected parameters for your PHP scripts.
Most Flex/PHP tandem applications will expect and return clean, simple XML data. This data can be parsed easily to see if any security holes can be exploited.

Many PHP features can lead to security holes. The PHP.net site as well as independent security initiatives (such as phpsec.org, the PHP Security Consortium) have identified a small dozen of “Top Security Blunders” that keep popping up. We’ll go over these from a Flex perspective in this article. Understanding each possible flaw will help you avoid making the same mistakes in your PHP applications.

Unvalidated User Input

This may seem paranoid – but one of the most important rules of thumb for web development is that any data sent by a user should be considered as potentially malicious. Ignoring this leads to most of the exploits we’ll review. Let’s say we want construct a login panel. I’ve removed the unessential layout code:

{userid.text}{password.text}

import mx.rpc.events.ResultEvent;
import mx.controls.Alert;

private function userLoginHandler(event:ResultEvent):void
{
if ( event.result.userLogin.loginresult == 0 )
{
Alert.show( "Login Failed" );
}
else
{
Alert.show( "Login Succeeded" );
}
}

private function buttonLoginClick(): void
{
userLogin.send();
}
]]>

and here’s the corresponding simplified login.php code:

$search= $_REQUEST['search'];

$dir= dir( $search );
…
?>

This PHP code is not secure. The $_REQUEST variable is assigned without any validation. A malicious user might append something like “;rm -rf *” and delete your web site folder. You must ensure that the user input is valid and nothing more than what is expected. Do not only use Flex-based validation for this: there are many HTTP monitors and SWF decompilers readily available to hackers that permit modifying your Flex file. You need to add PHP code to ensure that the information the user provides is valid, like so:

$search= escapeshellcmd($_REQUEST['search']);
?>

escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands.

SQL Injection

SQL injection is another type of unvalidated user input. It allows exploitation of a database query. For example, you would check a userid/password set received against a user table. In MySQL, this would look something like:

SELECT * FROM users WHERE userid=’$userid’ AND password=’$password’;

A malicious user could enter “admin” as the userid and the following as his password:

‘ OR ‘1′=’1

This results in the following query:

SELECT * FROM users WHERE name=’admin’ AND pass=’‘ OR ‘1′=’1′;

This bypasses validating the password – the user has gained entry as the administrator. We need to neutralize malicious entries from the submitted values. In many PHP installations, this is already taken care of by the magic_quotes_gpc setting in the php.ini file. You can check this by using the phpinfo() function. In case magic quotes is set to Off, you must use PHP’s addslashes() function:

$userid = addslashes($_REQUEST['userid']);
$password = addslashes($_REQUEST['password']);

However, there is one unfortunate side-effects to this setting being enabled: every value passed back to your PHP scripts will have slashes added. I won’t go into a discussion on what is the best setting here, because it really depends on the system you’re building. (You can check the PHP documentation for details).

As a rule of thumb, always check the status of magic_quotes_gpc and, if it is turned on, pass all input through PHP’s stripslashes() function. Then apply addslashes() to values for use in database queries.

if (get_magic_quotes_gpc())

{

$_REQUEST = array_map(’stripslashes’, $_REQUEST);
}

SQL injection also allows malicious users to get to your database records. Always check (case-insensitive!) data that will be used in a query for the characters ‘”,;() and for keywords like “FROM”, “LIKE”, and “WHERE”.

OK, that concludes the first part of this article. In part two, we’ll go into some other potential security holes like error reporting and safe mode.