Here's one for ya..
Date: 07/12/06
(PHP Community) Keywords: php, xml
I'll *try* to make this short and sweet without getting into too much gory detail.
I'm working on some Flash games (as best I can call them). Player results stay recorded in an XML file which is written and modified by PHP scripts, called by Flash when game results are in. The method Flash uses to send this data to PHP is via GET or POST. Upon receiving the data, the PHP script reads and writes to an XML file that's been reserved for that user. Easy enough so far. No worries. Got that mastered. But here's the trick...
A script to access this PHP script must be in a visible directory in order for Flash to call it. In watered down terms, the user is calling it via Flash. But obviously I can't allow a user to DIRECTLY invoke the script. So how the heck can one decipher between Flash appropriately calling the script or a user trying to directly invoke what is basically the "gateway" to their stored XML info? I don't care so much as whether a user was able to see the XML, I just don't want illegal ability to write to it!
Unlike my past encounters wish such issues, I don't believe there's an environmental variable to assist. For instance, HTTP_REFERER (which you shouldn't depend on anyway) has a null value when Flash invokes these scripts (hence one of the reasons it's not reliable. LOL)
I'm sure this type of issue has been resolved somehow. But I can't seem to find any solutions online. Or maybe I'm trying to tackle this is a completely wrong way? Anyone ever had to deal with a similar issue?
The only thought I've had is somehow coming up with some kind of scrambled identifier that PHP can send to flash at the beginning of the script that is then translated before any send() data is given to the PHP XML writing script. But those can easily be hacked through id comparisons if one is so inclined to use a packet sniffer :)
Source: http://community.livejournal.com/php/469422.html