AMFPHP Security Basics

As I mentioned in my last video tutorial on AMFPHP, I want to take a few minutes and talk about the steps you can take to make it as secure as possible. Most of what I’m going to share was taken from a blog post written by Wade Arnold. One important thing to note right off the bat is that I will be talking about security as it relates to AMFPHP 1.9 and higher. If you are using an earlier version you will want to check elsewhere for the details for your specific version. So without further ado, here are the steps to better AMFPHP security:

Delete the Service Browser
If you’ve watched my tutorials you know that the Service Browser is that Flex application that allows you, or anyone else for that matter, to see all of the services and methods you have available. For obvious reasons you will want to delete this on your production machine. You don’t want random people seeing all the goodies that you have exposed. To get rid of it simply delete the browser folder that is located in your AMFPHP root directory.

Delete the DiscoveryService service
The DiscoveryService service is included when you install AMFPHP. When you go to the Service Browser for the first time you will see it as the one and only service. This service exposes methods that give all the details about the services and methods you have available. In that sense it is very much like the Service Browser itself and should be deleted for the same reasons. From your AMFPHP root directory, go into the services folder. From there either delete the entire amfphp folder or just the DiscoveryService.php file which is located inside of it.

Set the PRODUCTION_SERVER property
The PRODUCTION_SERVER property is located in the gateway.php file which is located in the root AMFPHP folder. This property is set to false by default but should be set to true in production environments. This will disable things like remote tracing and debugging headers. Open gateway.php and set the property like so:

//define("PRODUCTION_SERVER", false);
define("PRODUCTION_SERVER", true);
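It is easy to do the three steps above on a dev box and forget one of them on the live server. As an added example (not from the original post and not part of AMFPHP itself), here is a small command-line script that checks a deployed copy for all three. It assumes the AMFPHP 1.9 layout the steps describe (a browser folder, services/amfphp/DiscoveryService.php and gateway.php under the install root) and takes the install root as its argument; the path in the usage comment is only an example.

```php
<?php
// Added example, not part of the original post or of AMFPHP itself: a
// command-line check that verifies the three hardening steps against an
// AMFPHP 1.9 install root. Paths are the ones the post names (browser/,
// services/amfphp/DiscoveryService.php, gateway.php).
// Usage: php check_amfphp.php /var/www/amfphp   (the path is an example)

function amfphpHardeningProblems($root)
{
    $root = rtrim($root, '/');
    $problems = array();

    // Step 1: the Service Browser lives in browser/ and should be gone.
    if (is_dir($root . '/browser')) {
        $problems[] = 'Service Browser still present: ' . $root . '/browser';
    }

    // Step 2: DiscoveryService.php (or the whole services/amfphp folder) should be gone.
    $discovery = $root . '/services/amfphp/DiscoveryService.php';
    if (file_exists($discovery)) {
        $problems[] = 'DiscoveryService still present: ' . $discovery;
    }

    // Step 3: gateway.php must define PRODUCTION_SERVER as true in live code,
    // not only in a commented-out line.
    $gateway = $root . '/gateway.php';
    if (!is_file($gateway)) {
        $problems[] = 'gateway.php not found at ' . $gateway;
        return $problems;
    }
    $code = '';
    foreach (token_get_all(file_get_contents($gateway)) as $token) {
        if (is_array($token) && ($token[0] === T_COMMENT || $token[0] === T_DOC_COMMENT)) {
            continue; // drop comments so //define("PRODUCTION_SERVER", false) is not counted
        }
        $code .= is_array($token) ? $token[1] : $token;
    }
    $pattern = '/define\s*\(\s*[\'"]PRODUCTION_SERVER[\'"]\s*,\s*true\s*\)/i';
    if (!preg_match($pattern, $code)) {
        $problems[] = 'PRODUCTION_SERVER is not defined as true in gateway.php';
    }
    return $problems;
}

$root = isset($argv[1]) ? $argv[1] : dirname(__FILE__);
$problems = amfphpHardeningProblems($root);
if (count($problems) === 0) {
    echo "OK: browser/ removed, DiscoveryService removed, PRODUCTION_SERVER is true\n";
    exit(0);
}
foreach ($problems as $problem) {
    echo 'FAIL: ', $problem, "\n";
}
exit(1);
```

The script exits non-zero when anything is still exposed, so it can sit at the end of a deploy script and stop the rollout rather than just print a warning.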

Run over SSL if possible
I’m definitely not a server geek so don’t ask me how you would do this. But the idea is that the data going back and forth between Flash and AMFPHP will not be plain text, which of course makes it much harder for someone to sniff out the actual data.

Running the beforeFilter
In AMFPHP 1.9 there is a new feature which will allow you to authenticate the calling client to make sure they have the right access level to call the service. Basically you define a function in your service class named beforeFilter using the signature below:

public function beforeFilter($function_called)

This function will be called before your service method which was called by the client. If this function returns true, then the service method is called. If not, then a security error is thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on this.
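To make this concrete, here is an added example of a service class with a beforeFilter (this is example code, not code from the original post, from Joshua Ostrom’s post or from AMFPHP). It assumes what the text above describes: AMFPHP 1.9 calls beforeFilter($function_called) before the requested method and raises a security error when it returns false. Login state is kept in the PHP session, the user table is a constructed in-memory array standing in for a real user store, and password_hash()/password_verify() require PHP 5.5 or later.

```php
<?php
// Added example, not code from the original post or from AMFPHP: a service
// class whose beforeFilter() decides per method whether the caller may proceed.
// Assumptions: AMFPHP 1.9 invokes beforeFilter($function_called) before the
// requested method and treats a false return as a security error; login state
// lives in $_SESSION; the users below are constructed sample data.

class AccountService
{
    // Methods any caller may invoke without being logged in.
    private $publicMethods = array('login', 'ping');

    // Minimum role for every other exposed method. A method not listed here is
    // denied, so forgetting an entry fails closed instead of open.
    private $requiredRole = array(
        'getBalance'   => 'user',
        'closeAccount' => 'admin',
    );

    private $roleRank = array('user' => 1, 'admin' => 2);

    private $users; // constructed sample users, hashed at load time

    public function __construct()
    {
        $this->users = array(
            'alice' => array('id' => 1, 'role' => 'user',
                             'hash' => password_hash('alice-secret', PASSWORD_DEFAULT)),
            'bob'   => array('id' => 2, 'role' => 'admin',
                             'hash' => password_hash('bob-secret', PASSWORD_DEFAULT)),
        );
    }

    // AMFPHP 1.9 hook: true lets $function_called run, false blocks it.
    public function beforeFilter($function_called)
    {
        if (session_id() === '') {
            session_start();
        }
        if (in_array($function_called, $this->publicMethods, true)) {
            return true;
        }
        if (!isset($this->requiredRole[$function_called])) {
            return false; // unknown method: deny rather than guess
        }
        if (empty($_SESSION['user_id']) || empty($_SESSION['role'])) {
            return false; // not logged in
        }
        $have = isset($this->roleRank[$_SESSION['role']])
            ? $this->roleRank[$_SESSION['role']] : 0;
        $need = $this->roleRank[$this->requiredRole[$function_called]];
        return $have >= $need;
    }

    public function ping()
    {
        return 'pong';
    }

    public function login($username, $password)
    {
        if (!isset($this->users[$username])
            || !password_verify($password, $this->users[$username]['hash'])) {
            return false; // same answer for unknown user and wrong password
        }
        session_regenerate_id(true); // fresh session id once privileges change
        $_SESSION['user_id'] = $this->users[$username]['id'];
        $_SESSION['role']    = $this->users[$username]['role'];
        return true;
    }

    public function getBalance()
    {
        return array('user_id' => $_SESSION['user_id'], 'balance' => 42.00); // constructed value
    }

    public function closeAccount($accountId)
    {
        return 'closed account ' . (int) $accountId;
    }
}
```

Two design points worth noticing: the filter denies any method it has no rule for, and it never trusts a role name sent by the client, only the one stored server-side at login. Because the check rests on the PHP session, the Flash client has to present the session cookie on every call to the gateway; a SWF running in the browser gets that from the browser’s cookie jar, while a player without one will look logged out on the second call.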

General PHP security
Since AMFPHP and all of the services you expose with it are nothing more than PHP files, you will want to familiarize yourself with some basic PHP security guidelines. SQL injection is one of the biggest risks you need to protect against. There are many good articles on the web that explain how to prevent this attack. If you do a lot of PHP work, do yourself a favor and pick up a book like Essential PHP Security to make sure that you are being safe.
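Since every argument a service method receives comes straight from the client, the place this bites in AMFPHP is any method that builds SQL from its parameters. The following added example (not from the original post) shows one service method written two ways: the vulnerable string-concatenation version and the hardened prepared-statement version. It assumes PDO with the sqlite driver so it runs offline; the cities table and its rows are constructed inline, and in a real service the PDO object would point at your own database instead.

```php
<?php
// Added example, not from the original post: one AMFPHP-style service method
// written two ways, so the injection point and its fix sit side by side.
// Assumption: PDO with the sqlite driver is available. The table and rows are
// constructed inline so the file runs offline.

class CityService
{
    private $db;

    public function __construct($db = null)
    {
        if ($db === null) {
            $db = new PDO('sqlite::memory:');
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, name TEXT, country TEXT)');
            $db->exec("INSERT INTO cities (name, country) VALUES
                       ('Athens', 'GR'), ('Thessaloniki', 'GR'), ('Dublin', 'IE')");
        }
        $this->db = $db;
    }

    // VULNERABLE: $country arrives from the AMF call and is glued into the SQL
    // text, so a quote character in it changes the shape of the statement.
    public function getCitiesUnsafe($country)
    {
        $sql = "SELECT id, name FROM cities WHERE country = '" . $country . "'";
        return $this->db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    }

    // HARDENED: the statement text is fixed; the value travels as a bound
    // parameter and can only ever be compared as data.
    public function getCities($country)
    {
        $stmt = $this->db->prepare(
            'SELECT id, name FROM cities WHERE country = :country ORDER BY name');
        $stmt->bindValue(':country', (string) $country, PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Stand-alone demonstration; under AMFPHP the gateway would call the methods.
$svc = new CityService();
echo count($svc->getCities('GR')), " rows for GR via the prepared statement\n";

// A perfectly legitimate value containing an apostrophe: the hardened method
// simply finds no match, while the concatenating one produces broken SQL.
$odd = "O'Brien";
echo count($svc->getCities($odd)), " rows for O'Brien via the prepared statement\n";
try {
    $svc->getCitiesUnsafe($odd);
} catch (PDOException $e) {
    echo "unsafe version failed on the same input: ", $e->getMessage(), "\n";
}
```

The apostrophe test is the quickest way to spot a method that still concatenates: a value that should return zero rows instead returns a database error, and anything that can break the statement can also reshape it.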


  1. @RyanP: (assuming you meant to say MD5 instead of M5) the adobe corelib actually has both MD5 and SHA1 hash functions for encrypting strings. It’s actually very simple, something like:

    password = SHA1.hash("thisismypassword");

    @Lee: Thanks for all the AMFPHP tutorials lately! I actually jumped head first into AMFPHP a month or two ago for a new project. I had no previous experience with flash remoting this way – I was used to sending stuff via loadVars and xmlphpxml nonsense. Needless to say, I fell into love with AMFPHP after just a few tutorials, and have since added flash remoting to just about every one of my websites.

    I can’t wait until v2.0 gets out of beta. It’s been there for a minute…

    Thanks again for the amfphp coverage, and I hope the next venture is with pureMVC ( 😉

  2. Hey Lee, I have a quick question. I have been using AMFPHP for a while now, and never wanted to make the change to the 1.9 version because I had the impression it was under BETA and that it was still BUGGY. Has this affected your work in any way? I am guessing it’s not going to be upgraded to version 2.0 until the ZEND thing goes live, so what should I do? I really would like to have AMF3 in my services, but would hate to see my applications fail.

  3. I did some testing with the amfphp versus normal php/xml – and so far my results show that the normal xml solution works faster than amfphp!!! How large do my projects have to be, in order for amfphp to be the better solution – any of you have experience with this?
    (I tested with a timer – and recorded the time it took to load and parse the data)

  4. If you are not logging in to a back end through Flash / Flex, why do you need to use SSL to secure this?

    I guess what I mean is, if you were calling a PHP script directly you would get back all of the data output by the script (e.g. the output isn’t hidden). The only difference is that when using AMFPHP, the output data is encapsulated in AMF format.

    So if we do NOT log in to our apps and simply return SQL select data, why do we need SSL? If so, what *specific* data are we hiding via encryption?

    Using SSL where it’s not needed is a real performance hog. It is also an extra admin issue and, if you want it to be transparent, is going to cost you some extra money to implement.


  5. Thanks a lot for your tutorials, especially about SWFObject and amfphp, which are really useful (flashvars saved me so much time).

    Can’t wait for your next tutorials.

    Thanks again!

  6. Hi.

    I am trying to write to a db from flash. I can do it with the GET URLRequestMethod, but not with POST method. What could I be doing wrong? Is there a better AMFPHP way of writing to a db?


  7. Thanks for the tuts. Some of them really opened my mind.
    I’ve been experimenting with swx for the last couple of weeks and this provided me the data I required, as an alternative for the usual amfphp.
    (Ever tried swx as a data format?)
    What would be really helpful is a demonstration/tutorial of the communication between an open source cms (like drupal, wordpress,…) that puts the data in the database and flash that makes the calls for pictures, data and other stuff in order to build a website. I’ve been searching the net for a while and this is not easy to find. Especially multiple calls for different kinds of data.
    Thanks in advance.

  8. It looks like some folks have figured out how to tie amfphp into joomla here:

    I’m very new to all of this so I have no idea how to make it work. If anyone has any success could they post it? I’d like to pick your brain and find out how to set this up. It could make Flash CMS soooo much easier.

  9. Well I don’t know what’s wrong, but as soon as I do everything you posted here my app stops working….
    Anyone with the same problem??

    Lee, you are a flash god!
    Thank you for sharing your knowledge!
    been following your tuts since the beginning!

    greetings to all!

  10. >> Delete the Service Browser

    >> Delete the DiscoveryService service

    Why not put .htaccess files in these two folders (services/amfphp and /browser)?

  11. Hello,

    I have installed amfphp on the production server.
    As you say on your blog:
    – I deleted the Service Browser
    – I deleted the DiscoveryService service
    – I set the PRODUCTION_SERVER property
    – I set the .htaccess as:
    #php_flag display_errors on
    #php_flag display_startup_errors on
    #php_value error_reporting 2047
    SetEnv PHP_VER 5

    and when I browse to it I can see the contents of the folders, so anyone else can also see all the folders.

    I don’t want people seeing all the folders; how can I change this situation?

    Best regards.

  12. Hello Pierre,

    As I already said, people only need to open gateway.php, so you can put a file called .htacces in the AMFPHP folder (upload test.htacces with an ftp client/online file manager and rename it to .htacces once it’s uploaded).

    The code of the .htacces file is:

    order allow,deny
    deny from all

    allow from all

    or you can use .htpasswd, so you need a username + password to view this folder:

    order allow,deny
    AuthType Basic
    AuthName “Authenticate to view amfphp folder”
    AuthUserFile “location/.htpasswd”
    require valid-user

    allow from all

    This is fully safe! People can’t read these files.

    Here you can create for example a htpasswd file:

    Most server control panels also have a feature to create these files.

    Sorry Lee, but I think my way is better than yours xD

    Kind regards,


  13. Oh my! Some of the tags were removed by the blog system, silly you :P!

    [al] =

    First .htacces (without authentication):

    order allow,deny
    deny from all
    [al]Files “gateway.php”[ar]
    allow from all

    Second .htacces (with authentication):

    order allow,deny
    AuthType Basic
    AuthName “Authenticate to view amfphp folder”
    AuthUserFile “location/.htpasswd”
    require valid-user
    [al]Files “gateway.php”[ar]
    allow from all

  14. Excuse me, and now I have made a mistake: it’s not .htacces, but .htaccess. Hope you understand it after all the errors/mistakes; if not, I’ll explain it again.

  15. Well, I changed the .htaccess with authentication (username + password) a bit:

    AuthName “This is a protected directory”
    AuthType Basic
    AuthUserFile location/to/your/.htpasswd
    [al]limit GET POST[ar]
    require valid-user

    [al]Files “gateway.php”[ar]
    satisfy any

    Now it should work! Hope you’ve fun with it!

  16. Why can’t I access the files outside of the amfphp folder?

    I have one GlobalProvider class inside amfphp/services/ and inside that class I have a function which reads all files and folders from the folder “files”.

    The folder “files” is located inside the root directory but I can’t access that folder. I can only access the files and folders which are located in the amfphp folder.

  17. Which changes should I make in gateway.php in order to get data in both Greek and English?
    I am asking this because I have a DB in which I store cities with Greek and English names. When I call the data back through a simple PHP file (e.g. cities.php) I can read both the English and Greek city names in my browser.
    But when I make a service (e.g. mycities.php) and try to get the data in the Service Browser, I can see only the cities in English. The cities in Greek appear as question marks.

    Is there a way to solve the problem?

  18. Thanks for this and your video tutorials on getting up and running with AMFPHP, Lee!
    I had a service set up and running in Flex in no time. However, in Flash CS4 I get the following error:

    description : The class {Amf3Broker} could not be found under the class path {/amfphp/services/amfphp/Amf3Broker.php}
    line : 33
    details : /amfphp/core/shared/app/BasicActions.php
    level : User Error

    Why would it work in Flex but not Flash? Googling Amf3Broker, btw, yields very little.
    Thanks for all you give to the community!

  19. I have been testing in the Flash IDE which accesses my gateway.php file over the internet. I would now like to turn off all remote access to gateway.php so that only server located swfs can access the gateway. I assumed that setting PRODUCTION_SERVER to true in gateway.php would accomplish this. After doing this I can still access the gateway.php from the flash IDE which isn’t supposed to be allowed with this flag set to true. Any help would be greatly appreciated.


  20. @CJ
    I’m pretty sure the PRODUCTION_SERVER flag is only used to permit remote debugging. There’s no such thing as an .swf that runs “on the server” unless you’re running it locally. Flash files always run on the client machine, whether in a browser or in the IDE. If you’re talking about trying to check that the .swf was loaded from the same domain as your php file, there’s no guaranteed way to do it; but you can check the headers coming into PHP to see what the HTTP_REFERER was. Although that can be spoofed.

  21. What you say makes sense now that I think about it. But I didn’t just come up with this on my own. This piece of code exists in the gateway.php:

    //Disable profiling, remote tracing, and service browser
    // Keep the Flash/Flex IDE player from connecting to the gateway. Used for security to stop remote connections.

    That one comment says it will keep the IDE and remote connections from connecting to the gateway. Guess it’s lying?

  22. Has anybody gotten the beforefilter to work when calling from flash using a NetConnection object? It seems to work great when testing from the amfphp service browser, but NetConnection doesn’t appear to create a persistent connection, so after a call to login(), it seems to close the connection which erases the fact that we’re authenticated. A subsequent call to another function will then fail with a message saying the function call was blocked by the before filter. If I look in the debugger, after calling the NetConnection.connect() function, the connected flag in the NetConnection object is ‘false’ which I’m assuming is the root problem here.

    If anybody has found a way around this, please let me know.

  23. I am also having trouble getting the beforefilter to work from Flash – has anybody including the author gotten this to work?

  26. Hello all ,

    I am testing an AMFPHP application. When I use endpoint=”http://localhost/amfphp/gateway.php” it works fine, but when I change localhost to ‘’ I get the following error: “[RPC Fault faultString=”Send failed” faultCode=”Client.Error.MessageSend” faultDetail=”Channel.Security.Error error Error #2048: Security sandbox violation: http://localhost/AMFconnect-debug/AMFconnect.swf cannot load data from url: ‘'”]” Can someone help me????

  27. Sorry Floris, but I don’t see how .htaccess / .htpasswd helps you here, as your Flash will need to know a valid username/password to access gateway.php (and Flash can be decompiled, or without SSL you simply sniff the traffic). Flash is inherently unsafe in this regard, because it runs on the client side.