I have a flash app on my website that calls certain php scripts on the server.
For example, I have a script that gets all items owned by the user of my flash game. The script returns a JSON encoded response consisting of a return code and a return message (the message in this case is an array of items). I call the php script from actionscript as follows:
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLLoader;
import flash.net.URLLoaderDataFormat;
import flash.events.Event;
import flash.events.IOErrorEvent;

var urlReq:URLRequest = new URLRequest("mysite.com/getItems.php");
urlReq.method = URLRequestMethod.GET;
var loader:URLLoader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.TEXT; // the response is JSON text, parsed in onResponse
loader.addEventListener(Event.COMPLETE, onResponse);
loader.addEventListener(IOErrorEvent.IO_ERROR, networkError);
loader.load(urlReq);
However, one could also easily just navigate to mysite.com/getItems.php in their browser and they would see, provided they had a live session, the JSON response right there in the browser. It makes me fairly uncomfortable considering it shows the format of my underlying transfer protocol.
Is there any way of 'hiding' my php scripts from direct browser access, whilst still having the script available when called from actionscript?
An easy way to do this would be to include a key as a GET parameter for the request in your app. Then in the php page, you only output the JSON if the value of $_GET['key'] is valid. Someone watching the traffic of your app would be able to extract this and use it in their browser for direct access, but a user advanced enough for that is likely to already see your JSON in their view of the app's traffic.
You could extend things further and check the various client information reported to PHP via get_browser() or $_SERVER['HTTP_USER_AGENT'] but, once again, a skilled user would be able to overcome this check.
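The key check the answer describes, as an added example rather than the asker's actual getItems.php: the session check from the question is the real access control, and the key only keeps the endpoint out of casual browsing. The key value, the session field name and the item data are all constructed for the example.

```php
<?php
// getItems.php -- added example, not the original script.
// Assumptions: a logged-in user is recorded in $_SESSION['user_id'], and the Flash app
// appends ?key=<token> to the request. The key here is a constructed placeholder.
declare(strict_types=1);

const APP_KEY = 'CONSTRUCTED-EXAMPLE-KEY-REPLACE-ME';

// Every reply uses the same JSON envelope the question describes: a code and a message.
function respond(int $code, $message): void
{
    header('Content-Type: application/json');
    echo json_encode(['code' => $code, 'message' => $message]);
    exit;
}

session_start();

// The session is the actual authorization boundary: no logged-in user, nothing to return.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    respond(1, 'not logged in');
}

// The key only deters direct browsing; anyone who can read the app's traffic can copy it.
// hash_equals gives a constant-time comparison, and the is_string guard rejects ?key[]=... .
$key = isset($_GET['key']) && is_string($_GET['key']) ? $_GET['key'] : '';
if (!hash_equals(APP_KEY, $key)) {
    http_response_code(403);
    respond(2, 'invalid key');
}

// Constructed stand-in for the database lookup of the user's items.
$items = [
    ['id' => 1, 'name' => 'sword'],
    ['id' => 2, 'name' => 'shield'],
];
respond(0, $items);
```

A 401 or 403 response still tells a browser visitor that the endpoint exists, so the check hides the JSON format, not the URL.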