Flash RSS Reader Pg.12

source: http://www.thegoldenmean.com

12 — Proxy Script Revisited

A More Secure Proxy Script

Updated Material April, 2005
Please note: For those of you with hosting provided by DreamHost, the Proxy script originally presented on this page will no longer work due to DreamHost’s decision (which I agree with I guess) to disable the potential security risk caused by PHP functions that enable including content from remote domains including, among other functions, the readfile() function the original Proxy uses. I think I have a suitable replacement using cURL, (shown immediately following this paragraph). It is new and not thoroughly tested, so use at your own risk. It does appear to both a) work (assuming your ISP supports cURL) and b) meet DreamHost security requirements. Tell me if you encounter any problems. Please read this extremely helpful blog page by Jr Conlin for a very good discussion about the security advantages of cURL. Here is the new rssProxy.php code:


$feedURL = $_POST['rss'];
$feedURL = trim($feedURL);

$ch = curl_init($feedURL);
$result = curl_exec($ch);
echo $result;


Following is the original discussion of the rssProxy.php script I presented prior to the April 2005 DreamHost change. It is interesting to note that the script which follows went to considerable lengths to minimize the security risk readfile() introduced. DreamHost (and I presume others too) dealt with the issue more decisively! However, if your web host does not support cURL and does permit readfile(), the original script (which the rest of this page discusses) should work fine.

Recall that on page Three of this tutorial I covered developing a PHP proxy script and mentioned the need for a more secure version. As we have completed the Flash movie we are at the point where we can conclude the tutorial by enhancing the proxy script.

I mentioned my reservations about the security provided by the HollowCube proxy at the gurusnetwork forum, and PHP guru DmS arrived at a version that is at least one notch more secure than anything I had.

The risk is that someone could too easily divert the proxy script to a URL containing a malicious script. One barrier to this hijacking is to inform the proxy script what the approved URLs are, allow it to compare the URL being requested and only read files whose URLs match an item in the approved list.

How can the proxy script get the approved list? One solution is that it can also load the feedList.xml file which was written for the Flash menu and extract the URLs from that. Following is the complete PHP proxy script:


//code credit DmS, www.dmsproject.com

$feedURL = $_POST['rss'];
$feedURL = trim($feedURL);

//verify that this request is okay
if(verifyLink($feedURL)) {
  //if it clears, proceed to read the remote document

function verifyLink($requestedURL) {

  //locate the XML file containing the Flash menu data
  //if your XML file has a different name or location, modify $path
  $path = './feedList.xml';
  //start by assuming this request is a hoax
  $authorized = false;
  //use file() to populate an array with $path, line by line
  $approvedList = file($path);
  //loop through every item in $approvedList array
  foreach($approvedList as $url) {
    //using the $url enumerator, compare items in $approvedList
    //against the requested URL ($feedURL). If a match is found,
    //it's okay; otherwise don't permit the request
    if(strstr ($url, $requestedURL)) {
      $authorized = true;
    return $authorized;


For the benefit of those who like me are somewhat mystified by PHP:

To summarize this script, we can say that the requested URL will not be read unless it matches one existing in the menu list. And the protocol for addressing the proxy script now is POST. These changes mean you can’t, for instance, mess with the proxy by typing the following directly into the address bar of your browser:




That’s reasonably good security, and on that note this tutorial concludes!

The final page of this tutorial wraps things up, provides links to a few Flash rss readers for inspiration and summarizes the resources used.

go to page: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13
divider ornament