Application Security - Protecting the files from direct access

I am working on my application. I have a Flex app that everyone will access, but to do the work I have it calling on several PHP files. The Flex app has a login system and only allows advanced functionality after login. This protects the Flex portion, but does not really account for the PHP side of things. The PHP files do a variety of things, mostly SQL calls, but also run a few system commands.

How do you set up the PHP files or use an .htaccess file to only allow the Flex app to call the PHP files? I'd like to set it up so that the users can't directly access the PHP files. However, I'm sure the client workstation is still making the request when called by the Flex app, right?

Has anyone done this? Does anyone have any thoughts or suggestions on this?

Thanks,
Chris

Hi csawall,

These are just some off-the-top ideas; you can extrapolate and create a solution that might work:

Since the client has access to the data stream to/from the server, there is no way to guarantee that someone won't use some kind of sniffer program to find what file the Flex app is talking to, but that doesn't mean that you can't obfuscate it as much as possible to make it not worth trying.

One idea was to use a single index and use _GET to control what content is being served, using includes on the PHP side to serve the proper file/content.

Since the content you are delivering, I would assume, requires authentication, you'll have a unique session ID to work in. While the actual PHP file could be accessed in real time if you watched the data stream, if the user is already authenticated, what difference does it make? Set up specific rules inside your PHP file so that it must receive data using a specific protocol, one that you can obfuscate using crypt and base on variables that are unique, such as SSID + date + time, etc. When you first authenticate with the server from the Flex app, have the PHP login script return the required protocol rules back to the Flex app that would be unique to the session. The _SESSION variables on the server would contain the unique protocol rules as well. This gives you server-side control over talking to the Flex app... then all you would need to do, if you wanted to keep a tighter lid on the access to your script, is just rotate the protocol from time to time.

Add on top of this script-name obfuscation that you store server side and transfer only within the validated session, e.g. fstrs4adadst4_somefile.php, where your randomized key is the prefix (or suffix, whichever you prefer) of your index. Your code of course would use the current protocol keys to match the current index, and all you need do is control the .htaccess file so that it relays any $_somefile.php to the proper file/directory etc., which would be a name that would never be revealed to the public, and only used inside your .htaccess file or on the server side itself.

Taking it a step further, if you create some kind of pulsing authentication system using the above methods, you can rotate the keys fast enough that someone would have to work really hard to figure out the protocol to talk to your server.

Just my 2 cents...
RFX
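The per-session "protocol rules" RFX describes, made concrete as an added PHP example (not code from either poster): a single index.php entry point that dispatches to a backend script only when the request carries an HMAC token derived from a secret the login script placed in $_SESSION. It assumes the login script sets $_SESSION['user_id'] and calls issue_session_secret() (hypothetical name), and that the included scripts live in a hypothetical ../backend/ directory outside the document root, which is what actually stops direct URL access; the action name is looked up in a fixed allow-list rather than used as a path, so $_GET never chooses which file gets included.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original thread. The login script is assumed
// to have verified credentials, set $_SESSION['user_id'] and called
// issue_session_secret(); backend scripts sit in ../backend/ (hypothetical path,
// outside the document root, so they cannot be fetched directly by URL).
session_start();

// Fixed allow-list: action name -> script. The client never supplies a path,
// so a value from $_GET can never select an arbitrary file to include.
const ACTIONS = [
    'list_invoices' => 'list_invoices.php',
    'export_report' => 'export_report.php',
];
const TOKEN_TTL = 300; // seconds a request token stays valid

/** Called once at login; the returned secret goes to the Flex client over TLS. */
function issue_session_secret(): string
{
    $secret = bin2hex(random_bytes(32));
    $_SESSION['req_secret'] = $secret;
    return $secret;
}

/** Both sides compute token = HMAC-SHA256(secret, action . ':' . ts). */
function compute_token(string $secret, string $action, int $ts): string
{
    return hash_hmac('sha256', $action . ':' . $ts, $secret);
}

/** Returns the backend script to run, or null when the request is rejected. */
function authorize(array $session, array $query, int $now): ?string
{
    if (empty($session['user_id']) || empty($session['req_secret'])) {
        return null;                                  // not logged in
    }
    $action = (string) ($query['action'] ?? '');
    if (!isset(ACTIONS[$action])) {
        return null;                                  // not an allowed action
    }
    $ts = (int) ($query['ts'] ?? 0);
    if (abs($now - $ts) > TOKEN_TTL) {
        return null;                                  // outside the freshness window
    }
    $expected = compute_token($session['req_secret'], $action, $ts);
    if (!hash_equals($expected, (string) ($query['token'] ?? ''))) {
        return null;                                  // token not bound to this session
    }
    return __DIR__ . '/../backend/' . ACTIONS[$action];
}

$script = authorize($_SESSION, $_GET, time());
if ($script === null) {
    http_response_code(403);              // same response for every failure reason
    exit;
}
require $script;
```

Calling issue_session_secret() again at intervals and handing the new secret to the client gives the key rotation the post mentions; the timestamp window only bounds how long a captured token remains usable, it does not make the scheme replay-proof within that window.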
