AMFPHP Security Basics

As I mentioned in my last video tutorial on AMFPHP, I want to take a few minutes and talk about the steps you can take to make it as secure as possible. Most of what I’m going to share was taken from a blog post written by Wade Arnold. One important thing to note right off the bat is that I will be talking about security as it relates to AMFPHP 1.9 and higher. If you are using an earlier version you will want to check elsewhere for the details for your specific version. So without further ado, here are the steps to better AMFPHP security:

Delete the Service Browser
If you’ve watched my tutorials you know that the Service Browser is that Flex application that allows you, or anyone else for that matter, to see all of the services and methods you have available. For obvious reasons you will want to delete this on your production machine. You don’t want random people seeing all the goodies that you have exposed. To get rid of it simply delete the browser folder that is located in your AMFPHP root directory.

Delete the DiscoveryService service
The DiscoveryService service is included when you install AMFPHP. When you go to the Service Browser for the first time you will see it as the one and only service. This service exposes methods that give all the details about the services and methods you have available. In that sense it is very much like the Service Browser itself and should be deleted for the same reasons. From your AMFPHP root directory, go into the services folder. From there either delete the entire amfphp folder or just the DiscoveryService.php file which is located inside of it.

Set the PRODUCTION_SERVER property
The PRODUCTION_SERVER property is located in the gateway.php file which is located in the root AMFPHP folder. This property is set to false by default but should be set to true in production environments. This will disable things like remote tracing and debugging headers. Open gateway.php and set the property like so:

//define("PRODUCTION_SERVER", false);
define("PRODUCTION_SERVER", true);

Run over SSL if possible
I’m definitely not a server geek so don’t ask me how you would do this. But the idea is that the data going back and forth between Flash and AMFPHP will not be plain text and this would of course make it much harder for people to be able sniff out the actual data.

Running the beforeFilter
In AMFPHP 1.9 there is a new feature which will allow you to authenticate the calling client to make sure they have the right access level to call the service. Basically you define a function in your service class named beforeFilter using the signature below:

public function beforeFilter($function_called)

This function will be called before your service method which was called by the client. If this function returns true, then the service method is called. If not, then a security error is thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on this.
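Here is an added example (not code from the post or from the AMFPHP project) of a service class that uses beforeFilter in the way described above: public methods are allowlisted, everything else requires a logged-in session, and one method additionally requires an admin role. It assumes the Flash client shares the browser’s PHP session cookie, and the credential check is a labelled placeholder.

```php
<?php
// Added example, not from the original post or the AMFPHP project.
// An AMFPHP 1.9 service class whose beforeFilter() gates every method.
// Assumptions: the Flash client sends the browser's PHP session cookie with
// each gateway call, and login() stores the caller's id and role in $_SESSION.

class AccountService
{
    // Methods any caller may invoke without being logged in.
    private $publicMethods = array('login', 'ping');

    // Methods that additionally require the 'admin' role.
    private $adminMethods = array('deleteAccount');

    public function __construct()
    {
        if (session_id() === '') {
            session_start();
        }
    }

    // AMFPHP 1.9 calls this before the requested method. Returning true lets
    // the call proceed; returning false makes the gateway raise a security error.
    public function beforeFilter($function_called)
    {
        // Deny by default: anything not explicitly public needs a session.
        if (in_array($function_called, $this->publicMethods, true)) {
            return true;
        }
        if (empty($_SESSION['user_id'])) {
            return false;
        }
        if (in_array($function_called, $this->adminMethods, true)) {
            return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
        }
        return true;
    }

    public function ping()
    {
        return 'pong';
    }

    public function login($username, $password)
    {
        if ($this->credentialsValid($username, $password)) {
            // New session id on privilege change, so a pre-login id cannot be reused.
            session_regenerate_id(true);
            $_SESSION['user_id'] = $username;
            // Placeholder role lookup; a real service would read the role from its user store.
            $_SESSION['role'] = ($username === 'admin') ? 'admin' : 'user';
            return true;
        }
        return false;
    }

    public function getProfile()
    {
        // Only reachable when beforeFilter() found a logged-in session.
        return array('user' => $_SESSION['user_id'], 'role' => $_SESSION['role']);
    }

    public function deleteAccount($username)
    {
        // Only reachable when beforeFilter() confirmed the admin role.
        return "deleted $username";
    }

    // Hypothetical placeholder: look the user up and verify a password hash here.
    private function credentialsValid($username, $password)
    {
        return $username !== '' && $password !== '';
    }
}
```

The important design choice is the deny-by-default shape of beforeFilter: the allowlist of public methods is the only way a call gets through without a session, so adding a new method to the class does not silently expose it.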

General PHP security
Since AMFPHP and all of the services you expose with it are nothing more than PHP files, you will want to familiarize yourself with some basic PHP security guidelines. Preventing SQL injection is one of the biggest areas that you need to make sure you protect against. There are many good articles on the web that explain how to prevent this attack. If you do a lot of PHP work, do yourself a favor and pick up a book like Essential PHP Security to make sure that you are being safe.
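As an added illustration of the SQL injection point (not code from the post), here is one AMFPHP service method written twice: first by concatenating the client-supplied value into the query text, then with a PDO prepared statement. The table name `users`, its columns and the connection details are placeholders.

```php
<?php
// Added example, not from the original post or the AMFPHP project.
// Assumptions: a MySQL table users(id, name, email) and placeholder DSN/credentials.

class UserService
{
    private $db;

    public function __construct()
    {
        // Placeholder connection details.
        $this->db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // let MySQL bind the parameters itself
        ));
    }

    // VULNERABLE: $name becomes part of the SQL text, so a quote character in
    // the input changes the structure of the query instead of the value searched.
    public function findUsersUnsafe($name)
    {
        $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
        return $this->db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }

    // SAFE: the query text is fixed and the value travels separately as a bound
    // parameter, so whatever the Flash client sends is only ever treated as data.
    public function findUsers($name)
    {
        $stmt = $this->db->prepare('SELECT id, name, email FROM users WHERE name = :name');
        $stmt->bindValue(':name', $name, PDO::PARAM_STR);
        $stmt->execute();
        // An array of associative arrays; AMFPHP serializes it for the Flash side.
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Identifiers (table or column names) cannot be bound as parameters, so
    // validate them against an allowlist instead of interpolating client input.
    public function findUsersSortedBy($name, $column)
    {
        $allowed = array('id', 'name', 'email');
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException('unsupported sort column');
        }
        $stmt = $this->db->prepare(
            "SELECT id, name, email FROM users WHERE name = :name ORDER BY $column"
        );
        $stmt->execute(array(':name' => $name));
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
```

Every argument a Flash client passes to a service method is untrusted input, exactly like a form field, so the prepared-statement pattern applies to all of them, not only the ones that look like user-typed text.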

Lee

Introduction to AMFPHP 2 tutorial is live

I just finished uploading the second part of the AMFPHP tutorial. In this one I show you how you can directly return a MySQL result set to Flash CS3. It’s amazing how much easier it is than writing out a bunch of XML. I also go into the basics of using the Flash CS3 debugger to view and parse the ArrayCollection that AMFPHP returns. Go and check it out at http://www.gotoandlearn.com and let me know what you think.

One thing I neglected to mention in the tutorial is that when you debug your movie in Flash you will get the “Your SWF is attempting to access the internet” window. You will need to go to the Flash settings page and add it to the allowed list.

Lee

Adobe proposes AMF support for Zend Framework

Since my last couple of posts and tutorials have been focused on PHP, it is good timing to tell you that AMF will soon be coming to the Zend Framework. Much like AMFPHP, the proposed Zend_Amf component will make communication between Flash and PHP lightning fast. What’s even better news is that the guy Zend has advising them on implementing AMF is none other than Wade Arnold, who runs the AMFPHP project. Look for a lot more news on this as it becomes available. This is an exciting step towards solidifying the relationship between PHP and Flash.

Lee

New video tutorial on using AMFPHP

As promised, here is the first in a series of tutorials on using AMFPHP. In the tutorial I show you how to download and install AMFPHP on your web server. From there we build a simple PHP service class that sends email. Finally we go into Flash and write the ActionScript code needed to call the AMFPHP service. Go and check it out at http://www.gotoandlearn.com and let me know what you think.

Lee

What the hell is AMF?

I am currently working on a series of tutorials on using AMFPHP and I thought it would be a good idea to write a post explaining what AMF actually is. AMF is an acronym that stands for Action Message Format. Here is the official definition that I got directly from the AMF specification document:

“Action Message Format (AMF) is a compact binary format that is used to serialize ActionScript object graphs. Once serialized an AMF encoded object graph may be used to persist and retrieve the public state of an application across sessions or allow two endpoints to communicate through the exchange of strongly typed data.”

While that description is helpful, it is still a little confusing in my opinion. The easiest way to think of AMF is that it is the fastest way to send and receive data between your Flash movie and a web server. The reason that it is so fast is that the data is compressed and is in binary format. Most Flashers are very familiar with the methods of exchanging data with a server using XML. This is still a good approach for a lot of situations, but when large amounts of data are involved, AMF is far superior.

AMF is actually used internally by the Flash Player in many situations. One example is that Flash uses AMF to represent the binary data stored using the ByteArray class. But the main thing that Flash developers need to be concerned with is how to use AMF to send and receive data with their web server. As with most things in Flash, there are many different methods of accomplishing this. Which method you use is primarily determined by which server-side platform you are using. Let’s quickly take a look at some of the most popular options:

ColdFusion
One of the most robust solutions for working with AMF is ColdFusion. This is not surprising as ColdFusion is an Adobe product and has built-in support for AMF throughout the technology. The main roadblock to using ColdFusion is that you need to have a web hosting provider that supports it. If you are about to choose a web host and you plan on doing a lot of Flash work, ColdFusion is definitely something that you should be looking into.

BlazeDS
Adobe recently open-sourced the AMF specification along with BlazeDS, which is a free Java server-side technology for using AMF. Again, since this is an official Adobe technology, you can be sure that the AMF implementation is rock solid. Using BlazeDS requires a Java server, so if you have a typical LAMP setup, you will not be able to play with it.

LiveCycle Data Services
This is the most robust, scalable way of using AMF for Flash and Flex applications. This is the option to choose if you are building large enterprise applications. LiveCycle is very pricey however, and also needs to run on a Java server. These reasons put it out of reach for most non-enterprise applications.

AMFPHP
AMFPHP is a free open-source PHP implementation of AMF. The major benefit of AMFPHP is that it can run on the vast majority of web servers as the only requirement is that PHP is supported. There are actually other PHP implementations of AMF, but AMFPHP is by far the most popular. This will be the subject of my next couple of tutorials at gotoAndLearn().

Other Technologies
There are many other technologies out there that have implemented AMF. AMF.NET is an open source .NET AMF solution for Flash. Rubyamf is a Ruby implementation of AMF. Similar projects have sprouted up for Python and other languages.

AMF is far too large a topic for a single blog post. But the main thing to know is that it is a fast, binary protocol for exchanging data between your Flash movies and a server. Look for my tutorials on AMFPHP in the next week for some real-world examples. For those AMF geeks out there, please correct or add to my post in the comments :)

Lee
