Hiding xml from users while passing it into flash
We have a little in-house LMS with courses built in Flash. Scores are updated and retrieved with POSTs to PHP scripts which query a MySQL database. All the course content and quiz questions are in xml files. Those XML files are easily accessible from a user's Temporary Internet Files (sort of SCORM style, for those familiar with it) and while you'd have to be pretty desperate to cheat at something like a Fire Safety test, it's still a vulnerability we'd like to solve.
I intend to move the quiz data (and eventually, the course content) into a MySQL database, then probably build the XML in PHP and echo that to the Flash course (as we've been doing to update and retrieve assessment scores). I think I could limit how and when the xml is displayed by passing hashes and shared secrets and whatnot between the PHP page and Flash, but this only limits outside access, and anyone viewing the course legitimately will still see the XML passed around (I think..).
Surely I'm not reinventing fire here. Is there a method or a technology in existence that allows the safe, discreet passage of xml into Flash?
Edit: Ideally, I'd probably want to pass the questions and possible answers from MySQL to Flash, then pass the chosen answer back and do the marking server-side.. but time is money, and I'm looking for an answer that will require as little rebuilding of the flash framework as possible.
I used to work for a company that did flash-based web games with a similar concept to this. What we used to do is call the xml server from inside flash using ActionScript. The flash files were obfuscated with a commercial obfuscation tool (yes, flash files can be decompiled). You may not need to worry about that. As far as keeping the transfer data secure, you could obfuscate it by base-64 encoding it or using some sort of light encryption so that the flash movie will decrypt it and process the content.
Ultimately with packet sniffing tools (or even just firebug) you can see the request/response from your browser so really some sort of encryption/encoding is the best way to go. I would consider the tech-level of your audience and the level of motivation to cheat when you look into securing the data streams.
Good luck.
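The flow sketched in the question's Edit (send questions and options to Flash, post the chosen answers back, mark on the server), as an added example that is not part of the original thread. The `$bank` array is constructed sample data standing in for the MySQL rows, and `build_quiz_xml` and `mark_submission` are hypothetical names.

```php
<?php
// Constructed sample rows standing in for the MySQL quiz table (assumption).
$bank = [
    'q1' => ['text' => 'Which extinguisher is used on electrical fires?',
             'options' => ['a' => 'Water', 'b' => 'CO2', 'c' => 'Foam'],
             'correct' => 'b'],
    'q2' => ['text' => 'What should you do first on hearing the alarm?',
             'options' => ['a' => 'Collect belongings', 'b' => 'Leave by the nearest exit'],
             'correct' => 'b'],
];

// Build the XML sent to the Flash course: question text and options only.
// The 'correct' field is never serialized, so it cannot be read from the
// browser cache or from the request/response traffic.
function build_quiz_xml(array $bank): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $quiz = $doc->appendChild($doc->createElement('quiz'));
    foreach ($bank as $qid => $q) {
        $qEl = $quiz->appendChild($doc->createElement('question'));
        $qEl->setAttribute('id', $qid);
        $qEl->appendChild($doc->createElement('text'))
            ->appendChild($doc->createTextNode($q['text']));
        foreach ($q['options'] as $oid => $label) {
            $oEl = $qEl->appendChild($doc->createElement('option'));
            $oEl->setAttribute('id', $oid);
            $oEl->appendChild($doc->createTextNode($label));
        }
    }
    return $doc->saveXML();
}

// Mark the POSTed answers (question id => option id) against the server-held key.
// Missing or non-string values score zero; hash_equals avoids loose comparison.
function mark_submission(array $bank, array $submitted): array
{
    $score = 0;
    foreach ($bank as $qid => $q) {
        $choice = $submitted[$qid] ?? null;
        if (is_string($choice) && hash_equals($q['correct'], $choice)) {
            $score++;
        }
    }
    return ['score' => $score, 'total' => count($bank)];
}

echo build_quiz_xml($bank);
// Constructed submission, shaped like an answers array POSTed by the course.
print_r(mark_submission($bank, ['q1' => 'b', 'q2' => 'a']));
```

The score stored in the database is the one `mark_submission` computes, never a value the client posts.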