Macromedia Studio 8 [Electronic resources] : Training from the Source نسخه متنی

Improving the Security of the Application

The application is fully functional. Still, a rather obvious security problem exists as the application currently stands. The ColdFusion scripts on dante_quiz_results.cfm that insert the data into the database and output the scores on the page both depend on the URL variables. However, the address in the URL is fully editable!

The page reloads with the new data, and sure enough, your victim has been added to the database with a score of 0.

[View full size image]

You need to find some way to get this data out of the URL.

Do you remember the earlier discussion about GET versus POST in the information about forms? With GET, data is submitted as a querystring via the URL; with POST, data is submitted in a way that it's invisibleand not editableto the user. Ideally, we could submit the data from Flash using POST, rather than as a querystring. We can.

[View full size image]

Flash opens, with the FLA file already active. If you're prompted to choose a file, choose dante_quiz.fla. This is a convenient shortcut. After Flash opens, you'll see a Done button in the top-left corner. When you're finished making changes to the file, click this button. Flash will regenerate a new SWF file and also save the FLA.

getURL("dante_quiz_results.cfm");

Now, no variables will be sent, which is not what you want. But you don't want the variables passed through the URL, so you'll have to remove them from the URL.

The getURL() method, like many Flash methods, has optional parameters in addition to its required parameter (the URL itself). The two optional parameters are target and variables. The target parameter enables you to specify which browser window you want to open the requested URL. The default is the same window that called the file, or _self. If you don't specify a parameter, Flash assumes you mean _self as the target. The other parameter, variables, causes Flash to send all the variables on the timeline to the requested URL as part of the request. The variables parameter has only two options: GET and POST. You should recall the discussion about GET and POST earlier in a book, but as a quick review, GET sends the variables in the URL, while POST sends the variables as form data. So to retrieve data sent via GET in ColdFusion, you use #url.myVariable#, and to retrieve data sent via POST, you use #form.myVariable#. POST is the option you want.

The only catch is that in order to specify this variables parameter, you also have to specify the target parameter, even though the default (_self) is fine.

[View full size image]

getURL("dante_quiz_results.cfm", "_self", "POST");

Don't misspell anything or leave out any commas or quotes.

Again, this line will send all the variables on the main timeline to dante_quiz_results.cfm, using POST.

[View full size image]

The SWF file is re-exported and the FLA is saved. Unfortunately, the SWF is not uploaded to the server, so you'll have to upload the SEF manually.

One more change is necessary. The file dante_quiz_results.cfm is expecting two URL variables: username and score. You even created bindings for them. But they won't be available any more. Instead, they'll be available as form variables. You'll need to update dante_quiz_results.cfm, or you'll get errors.

Dreamweaver now knows the data will be there, but the page is still looking for the wrong data.

You've taken care of the <cfoutput> blocks. But don't test the file yet; remember there are two more places inside the <cfquery> block where the URL variable is used.

[View full size image]

Now the query will use available data as well.

[View full size image]

This time, when you get to the last page of the quiz, the username and score are both displayed and inserted into the database, but you can't edit them via the URL.

[View full size image]

The project is finished, and now you have a good idea of the basic structure of dynamic sites with Flash interfaces. As you get more serious about Flash front-ends for database-driven sites, be sure to check out some of the data-passing techniques not discussed in this beginner's introduction, especially the loadVars object in Flash andif you want to go all the wayFlash Remoting, which enables you to work with ColdFusion and other middleware business logic much more robustly.

For the final part of the book, you'll learn to set up your site for Contribute users to maintain, so you don't have to do everything by yourself!