I'm going to use SWFObject to embed a Flash object in my page and pass variables. Can a user spoof those variables?
I am wanting to know how much I can be sure that users of my website will not be able to pass bogus variables to my Flash movie. Basically I will have some features available to certain users, and I realise that the average user will not know anything about how to send spoof vars, but is it possible for someone to change the variables sent using SWFObject when a page loads and thus be able to use the functionality that I am trying to disable for them?
I have a PHP page (my_flash_movie.php) that calls a function from an included globals.php file to determine if the user can see the restricted functionality - is_user_a_subscriber($_SESSION['user_id']); which returns 1 or 0. This 1 or 0 is then passed to Flash, which enables or disables certain features. I don't want someone to be able to send a 1 instead of a 0, basically. This isn't a site where security is critical and the functionality that is disabled is not really critical either, so it wouldn't be too bad if this happened, but I'm just curious about this and wondering if I should think of another way to pass these vars that might be more hidden.
If someone is able to do this (pass spoof variables) how would they do it?
cheers
How do you pass the 0/1 value to the Flash movie? If you do it in the URL or any parameters that are included in the HTML, then the user will always be able to spoof it. Even if you hide the fact that there even is a parameter to pass (e.g. not pass anything for disabled features and pass a special value to enable it), any motivated user will still be able to decompile your Flash and discover it. The most reasonable thing you could do is not send this functionality to users that you don't want to have it in the first place. You would basically have to provide two Flash files. If the user gets a file with the functionality removed altogether, he won't be able to easily turn it on. Though still, anyone who gets the full functionality will be able to give the file or URL to other people, but if that's OK then it might be enough for your needs.
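The two-file approach suggested in the answer above, as an added example that is not code from the original thread. It assumes globals.php defines is_user_a_subscriber() as the question describes; serve_movie.php, movie_full.swf, movie_basic.swf and the private_swf directory are hypothetical names.

```php
<?php
// serve_movie.php: added example, not code from the original thread.
// Assumptions: globals.php defines is_user_a_subscriber() as described in the
// question; the two .swf names and SWF_DIR below are hypothetical.
session_start();
require_once __DIR__ . '/globals.php';

// Keep both builds outside the web root so neither can be fetched directly.
const SWF_DIR = __DIR__ . '/../private_swf';

// The choice depends on server-side session state only. Nothing the browser
// can edit (query string, POST body, FlashVars) is consulted.
function pick_movie(?int $userId): string
{
    $subscriber = $userId !== null && is_user_a_subscriber($userId) == 1;
    return $subscriber ? 'movie_full.swf' : 'movie_basic.swf';
}

$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$path = SWF_DIR . '/' . pick_movie($userId);

if (!is_file($path)) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/x-shockwave-flash');
header('Content-Length: ' . filesize($path));
// The response differs per user, so keep shared caches from storing it.
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

SWFObject is then pointed at serve_movie.php instead of a static .swf, so a non-subscriber's browser never receives the restricted code and there is no 0/1 flag to change.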
As far as I know, you can't attach external variables from other domains (or subdomains), unless you use crossdomain.xml on both sites.
Learn more at http://kb2.adobe.com/cps/142/tn_14213.html
Maybe you would have a more secure site if you cut out the middleman and had Flash speak directly to PHP.