Flash Security for Variables?

  • TsX
  • Graduate
  • Posts: 167

Post 3+ Months Ago

I have a variable inside of a flash movie (it is retrieved from a php file), is that variable secure from being viewed? Is it even possible to make "manual" changes to variables, or view variables that are not printed out in the movie?

Novice to Flash Actionscript :)
  • lostinbeta
  • Guru
  • Posts: 1402
  • Loc: Philadelphia, PA

Post 3+ Months Ago

No, it isn't possible for a viewer to manipulate variables within a flash from outside of the Flash file. Unless they decompile it for themselves, but even so it doesn't affect the movie on your server so you have nothing to worry about.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

Variables placed on the _root timeline are over-ridable via the url that embeds the swf in a page, or accessing the swf directly in a web browser.
Code:
src="Untitled-1.swf?one=overridden"

This includes text fields using variables instead of instance names.

Text fields using instance names are NOT accessible via "textfield.text", variables contained within a movieclip are NOT accessible either.

Rule of thumb, if the variable requires a . (dot) to get accessed from _root you can NOT access that variable through the querystring.

Saving grace, they have to know the exact name of the variable to access it, which brings us to the decompilation lostinbeta mentioned.
  • lostinbeta
  • Guru
  • Posts: 1402
  • Loc: Philadelphia, PA

Post 3+ Months Ago

joebert wrote:
Variables placed on the _root timeline are over-ridable via the url that embeds the swf in a page, or accessing the swf directly in a web browser.


Yes they are, but that has to be coded into the page (either hard coded or using PHP query string), so while it is possible for the author to overwrite them by adding that into a page, it is impossible for a viewer to manipulate the variable using that method.
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

Unless they are able to access the swf directly.

Example,
http://www.joebertvision.net/fun/emoticon_slots.html
http://www.joebertvision.net/fun/emotic ... f?cash=999
  • lostinbeta
  • Guru
  • Posts: 1402
  • Loc: Philadelphia, PA

Post 3+ Months Ago

Ah, good point.

But I guess if it was important in a case like that you could always do a check, like
Code:
if (variable > defaultAmount) variable = defaultAmount;
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

That would work pretty well, probably better than the "joy" of referencing all crucial variables from a container living in _root.

I wonder how the Flash compilers would deal with declaring variables twice,
First time via - var variable:Type = value;
Then another section without the var in front directly below.
Code:
var one:Number = 1;
var two:Number = 2;
var three:Number = 3;

one = 1;
two = 2;
three = 3;

In performance terms I'd think a compiler would want to omit the re-declaration if the values were identical.
hmmm. I think I'll try it real quick. :P
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

Three textfields on the stage,

One with variable name "one"
Another with instanceName "_two"
A last one with the instanceName of "_three"

Accompanying AS2,
Code:
/* Commenting this line out allows the textbox "one" to get over-ridden via querystring, removing the comment seems to stop it */
//one = 'One';


/* Type casted variables of AS2 seem to be exempt from the querystring, neither of these next two are allowing me to over-ride */

var two:String = 'Two';
two = 'Two';
_two.text = two;

var three:String = 'Three';
_three.text = three;

Interesting find about AS2 to say the least. :scratchhead:

//edit - I wonder if there's some sort of "varname:Querystring =" syntax now.
  • lostinbeta
  • Guru
  • Posts: 1402
  • Loc: Philadelphia, PA

Post 3+ Months Ago

So apparently AS2.0 doesn't have the same import vulnerability as MX. You can't import a variable that already exists on the _root timeline.

At least that's what I'm getting from your example if I understand correctly (MX user here). And if indeed it is the case that you can't overwrite a variable that exists, no :QueryString type would be required because variables can apparently be imported through query strings, unless they are already defined on the timeline.

But I guess var names for textboxes don't count for that.

Very odd.


[EDIT]
Just ran the test in MX... The same results happen. If the var is defined on the _root timeline you can't import via query string. And just as your test... if it is a textbox with a var name, it can be overwritten. So it absolutely has to be defined on the frame. You can still have the textbox with a var name, but you have to assign its default value on the frame and not inside the textbox.
[/EDIT]
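
Added example (not part of the original posts, and not Flash Player's own code): a small JavaScript model of the load order the tests above report, where query-string values land on _root first and frame code runs afterwards, plus lostinbeta's clamp extended to reject non-numeric and negative input. The names playFrameOne, clampCash, DEFAULT_CASH and the file name slots.swf are hypothetical.

```javascript
// Added model of the behaviour reported in this thread; not Flash Player code.
// Assumption: query-string pairs are copied onto _root before frame 1 runs.
function playFrameOne(swfUrl, varBoundFields, frameScript) {
  const root = Object.create(null);        // stands in for the _root timeline
  const q = swfUrl.indexOf("?");
  const params = new URLSearchParams(q < 0 ? "" : swfUrl.slice(q + 1));
  for (const [name, value] of params) {
    if (name.includes(".")) continue;      // thread's rule of thumb: dotted paths are unreachable
    root[name] = value;                    // every injected value arrives as a string
  }
  // A text field bound by variable name only supplies its default text
  // when nothing has defined that variable yet.
  for (const [name, text] of Object.entries(varBoundFields)) {
    if (!(name in root)) root[name] = text;
  }
  frameScript(root);                       // frame code runs last, so its assignments win
  return root;
}

const DEFAULT_CASH = 100;                  // constructed starting balance

// lostinbeta's clamp, extended: "abc" > 100 is false, so a bare
// greater-than test would let a non-numeric value through.
function clampCash(root) {
  const n = Number(root.cash);
  root.cash = Number.isFinite(n) && n >= 0 && n <= DEFAULT_CASH ? n : DEFAULT_CASH;
}

// Constructed URLs; "one=overridden" and "cash=999" are the values used in the thread.
function demo() {
  const fields = { one: "One" };
  const noFrameCode = () => {};
  return {
    textFieldOnly: playFrameOne("Untitled-1.swf?one=overridden", fields, noFrameCode).one,
    frameAssigned: playFrameOne("Untitled-1.swf?one=overridden", fields,
      (root) => { root.one = "One"; }).one,
    dottedReachable: "clip.score" in playFrameOne("Untitled-1.swf?clip.score=5", {}, noFrameCode),
    cashTooHigh: playFrameOne("slots.swf?cash=999", {}, clampCash).cash,
    cashGarbage: playFrameOne("slots.swf?cash=abc", {}, clampCash).cash,
    cashMissing: playFrameOne("slots.swf", {}, clampCash).cash,
    cashValid: playFrameOne("slots.swf?cash=40", {}, clampCash).cash,
  };
}

console.log(demo());
```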
  • joebert
  • Fart Bubbles
  • Genius
  • Posts: 13504
  • Loc: Florida

Post 3+ Months Ago

I'm tempted to break out a book on Java to see just how many similarities there are, first thing I thought of when viewing AS2 for the first time was "This looks like Java syntax."

Based on the abundance of Java involved in Macromedia's backend applications I guess it would make sense to bring the client-side language closer.

Can't help but wonder a little more about why Macromedia decided to "sell out" to Adobe.
  • lostinbeta
  • Guru
  • Posts: 1402
  • Loc: Philadelphia, PA

Post 3+ Months Ago

Yeah, that's what a friend of mine said when I showed her AS2.0... she was like 'wow this is like Java'...lol.

I know AS1.0 was based off ECMAScript, which is what JavaScript 1.x is based off of. That's how I learned ActionScript, because I knew JavaScript first.

AS2.0 however is based off of ECMAScript Edition 4 proposal, which is what JavaScript 2.0 will be based off of and will be pulling ECMAScript closer to Java style coding.

So basically while AS1 is almost like JavaScript, AS2 is almost like Java.
  • TsX
  • Graduate
  • Posts: 167

Post 3+ Months Ago

wow...

(lol, I would post only that, but it's sort of spamming. I understand most of this, but I'll be reading it over again)


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.