XML file no longer loading - AS 2
Okay, here's the scoop.
I built a flash user management system that allows a user to be added and associated with a file.
Ex. User Bob, Password BJones, File BJones.swf
When the page loads, you are greeted by a login screen. The admin credentials are stored in the main swf itself. All other logins are parsed from the XML file by the main swf. If you put in the admin credentials, you see current users, you can add or remove a user, or view the log. If you put in a set of working credentials at the login, it moves to a different frame that displays the swf associated with that login.
This has been working BEAUTIFULLY for at least 4 months. All of a sudden, two days ago, the XML file zeroed out (0 bytes, completely empty). Easy enough, replace the XML with one that I used for testing initially. Did that, and it's not loading any of the information in. I can't log in with that test info, the admin screen shows none of the test info, and I can no longer add a user (write to the file). The permissions on the folder have not changed from read/write access. Tried uninstalling flash player 10, installed 8, no change. I'm at a loss for words. Any ideas? Thanks in advance!
It's not clear to me how you are writing xml from Flash - I guess you are calling a php, perl, asp or .net script from Flash, passing data in a POST variable?
Is this all on a remote server? It sounds possible that perhaps the server admin has noted users writing to your user credential xml file, is concerned about the security aspects of this, and has changed the way the server handles xml (no longer allowing it to be written to via the swf file, with whatever permissions that has); or that someone has found a way to hack your server and alter the xml file.
If everything still works fine locally (on your own machine) but not on your live remote server, it might be time to get on to your web host's tech support.
Of course you know that many people think that Flash does not really offer a secure environment, and letting people log in using credentials stored in a publicly viewable swf (or any other publicly accessible file) poses a potential threat, as does allowing users (in this case the admin user) effectively to write to the server via a Flash interface. If someone hacks your main swf and has your admin login details, they can control your write to xml functions. You could see why a sys admin might be concerned, and might change server setup for protection.
As far as writing to the XML, I call a sendAndLoad to a php script. The password is "encrypted" within the swf before being written to the XML file, so all passwords in the xml are garbled. This is all being hosted through our web hosting, as it's a function of our website. I don't have a web server internal to test it on. I spent an hour on the phone with the tech support for the web hosting, as they were the only people I could think to blame. They did their best to skate all fault.
As far as security, how can I get around the hosted admin interface? The staff managing the system barely knows how to use the start menu, let alone editing an XML document to add a new user. It's not like we're hosting patient information. I just want to give clients access to read a document without being able to save or print it. If there's an easier way to accomplish that, I'd appreciate the advice.
It does sound a little as if someone has got hold of your admin login details. (Disgruntled former user? Are the details written down somewhere in a public office? Are you using an easy to guess password?)
Or maybe someone cracked your swf's actionscript?
Either way, it seems someone has probably logged in as admin and deleted all your users. If tech support know nothing about it, it probably wasn't them. So how can you get your system back running, and prevent the same thing happening again?
It seems like your system ran OK for a good while: your damage may have been just random vandalism rather than a more personal attack.
As you don't need this system to be very secure, maybe you could reset your admin password (and perhaps username), and try again, maybe getting your php script not just to write the new xml file on update but also to create a copy either stored locally, out of the public web area of your server (and a new copy each write, so that you have backup whatever happens), or e-mailed to you.
If you think it probably wasn't someone shoulder surfing or otherwise getting your password some low-tech way, there are a few tools that attempt to encrypt or scramble swfs so that they are harder to crack.
Of course if you just want to control access to a document, you could put it in an htaccess protected directory, and control the users / passwords yourself ...
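The backup suggestion in the reply above, as an added example that is not part of the original thread or the poster's own script: a PHP save routine that rejects empty or malformed XML, keeps a new timestamped copy outside the public web area on every write, and replaces the live file atomically. The file names, the backup path and the `xml` POST field are assumptions.

```php
<?php
// Added example. USERS_FILE, BACKUP_DIR and the 'xml' POST field are assumed names.
const USERS_FILE = __DIR__ . '/users.xml';        // live file the swf parses
const BACKUP_DIR = '/home/example/user_backups';  // placeholder path outside the web root

function save_users_xml(string $xml, string $liveFile, string $backupDir): bool
{
    // Refuse empty or malformed input so a bad request cannot zero out the file.
    if (trim($xml) === '') {
        return false;
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $wellFormed = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$wellFormed) {
        return false;
    }

    // Copy the current good file to a new timestamped backup on every write,
    // so a later bad write never overwrites an earlier good backup.
    if (is_file($liveFile) && filesize($liveFile) > 0) {
        if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
            return false;
        }
        $stamp = date('Ymd-His') . '-' . bin2hex(random_bytes(4));
        if (!copy($liveFile, "$backupDir/users-$stamp.xml")) {
            return false;
        }
    }

    // Write to a temp file in the same directory, then rename over the live
    // file: readers see either the old or the new content, never a partial one.
    $tmp = tempnam(dirname($liveFile), 'users');
    if ($tmp === false || file_put_contents($tmp, $xml, LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, 0644); // tempnam creates the file as 0600; the web server must read it
    return rename($tmp, $liveFile);
}

// Endpoint part: reply in the name=value form that LoadVars.sendAndLoad parses.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $saved = save_users_xml($_POST['xml'] ?? '', USERS_FILE, BACKUP_DIR);
    echo $saved ? 'status=ok' : 'status=error';
}
```

The backup directory grows by one file per write, so prune old copies on a schedule that suits how often users are added.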
We did just "release" an employee who had access, so it perhaps was an act of vandalism. We made a list of passwords to change and it was not on that list. The username and password are both different now, so we'll see what happens. I had thought about the backup, but I wasn't thinking about writing a new file every time, which is a much better idea. I was thinking, "but if the file's corrupt, and backed up, it will overwrite the good backup." I'll implement that right away. Thanks for your insight. It really helped to talk it out. I wasn't even thinking about my ex-coworker.
I'm still confused as to why it wasn't working with a known xml file Thursday and Friday, and I come in yesterday and it works fine... Well, who cares, it's working now.
Merry Christmas and a Happy New Year!