duanmorong9597 2009-10-29 05:01 采纳率: 100%
浏览 34
已采纳

在将用户传递给flash时隐藏用户的xml

We have a little in-house LMS with courses built in Flash. Scores are updated and retrieved with POSTs to PHP scripts which query a MySQL database. All the course content and quiz questions are in xml files. Those XML files are easily accessible from a user's Temporary Internet Files (sort of SCORM style, for those familiar with it) and while you'd have to be pretty desperate to cheat at something like a Fire Safety test, it's still a vulnerability we'd like to solve.

I intend to move the quiz data (and eventually, the course content) into a MySQL database, then probably build the XML in PHP and echo that to the Flash course (as we've been doing to update and retrieve assessment scores). I think I could limit how and when the xml is displayed by passing hashes and shared secrets and whatnot between the PHP page and Flash, but this only limits outside access, and anyone viewing the course legitimately will still see the XML passed around (I think..).

Surely I'm not reinventing fire here. Is there a method or a technology in existence that allows the safe, discrete passage of xml into Flash?

Edit: Ideally, I'd probably want to pass the questions and possible answers from MySQL to Flash, then pass the chosen answer back and do the marking server-side.. but time is money, and I'm looking for an answer that will require as little rebuilding of the flash framework as possible.

  • 写回答

1条回答 默认 最新

  • dtf54486 2009-10-29 17:47
    关注

    I used to work for a company that did flash-based web games with a similar concept to this. What we used to do is call the xml server from inside flash using ActionScript. The flash files were obfuscated with a commercial obfuscation tool (yes, flash files can be decompiled). You may not need to worry about that. As far as keeping the transfer data secure you could obfuscate it by base-64 encoding it or using some sort of light encryption so that the flash movie will decrypt it and process the content.

    Ultimately with packet sniffing tools (or even just firebug) you can see the request/response from your browser so really some sort of encryption/encoding is the best way to go. I would consider the tech-level of your audience and the level of motivation to cheat when you look into securing the data streams.

    Good luck.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 vika文档如何与obsidian同步
  • ¥15 华为手机相册里面的照片能够替换成自己想要的照片吗?
  • ¥15 陆空双模式无人机飞控设置
  • ¥15 sentaurus lithography
  • ¥100 求抖音ck号 或者提ck教程
  • ¥15 关于#linux#的问题:子进程1等待子进程A、B退出后退出(语言-c语言)
  • ¥20 web页面如何打开Outlook 365的全球离线通讯簿功能
  • ¥15 io.jsonwebtoken.security.Keys
  • ¥15 急,ubuntu安装后no caching mode page found等
  • ¥15 联想交换机NE2580O/NE1064TO安装SONIC