Raymond Camden's Blog Rss

FlashVars in Flex

10

Posted in Flex | Posted on 12-11-2006 | 8,562 views

As a developer on the receiving end of Flash files, I've gotten used to dealing with FlashVars as a way to configure a Flash application. I've wondered how I'd do this in Flex though. Joao Fernandes sent me some sample code and showed me the way.

Consider this simple Flex page:

view plain print about
1<?xml version="1.0" encoding="utf-8" ?>
2<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" xmlns:comp="components.*">
3    
4    <mx:Script>
5    <![CDATA[
6    import mx.controls.Alert;
7    
8    private function test():void {
9        Alert.show(this.parameters.flashvar1+' '+this.parameters.flashvar2, "Flashvars");    
10    }
11    ]]>
12    </mx:Script>
13    
14    <mx:Button id="btnTest" label="Test" click="test()" />
15    
16</mx:Application>

Note the this.parameters? This lets me get access to the flashvars. I named them flashvar1 and flashvar2 which isn't very creative. Obviously it could be any name. To pass the variables in you can simply edit the generated HTML.

view plain print about
1"flashvars",'flashvar1=ray&flashvar2=camden&historyUrl=history.htm%3F&lconid=' + lc_id + '',

Don't forget that each Flex project has an HTML template. It would make sense to edit the template so you don't have to re-edit the generated HTML after each build.

This should help take care of the "root CFC" issue I mentioned a week or so ago.

Comments

[Add Comment] [Subscribe to Comments]

todd sharp said on 12-11-2006 at 3:47 PM #
Excellent - this will come in handy. Do you know if you could pass an entire struct (object) as a var and then access it as this.parameters.keyName?
Raymond Camden said on 12-11-2006 at 3:50 PM #
My understanding is that flashvars only allow simple values, like url query strings. Even if you _could_ make it work, I would not. That level of complexity really deserves a "real" HTTP type call, not being put into the HTML, know what I mean?

That's my opinion anyway.
todd sharp said on 12-11-2006 at 3:57 PM #
Agreed. I was thinking more along the lines of passing in the session struct, but I see your point.
JesterXL said on 12-11-2006 at 5:04 PM #
Since I'm a client guy, and usually pawn security concerns off to you server-side dudes, perhaps you could either A) determine if something like CFQueryparam is necessary in situations in this for security reasons and B) if it is, perhaps convert it to AS3? It'd be h@wt!
Raymond Camden said on 12-11-2006 at 5:06 PM #
Jester, I'm not quite sure cfqueryparam makes sense here, unless I'm misunderstanding you. In the past, I've only used flashvars for things that are not security related.
JesterXL said on 12-11-2006 at 5:20 PM #
I've seen some pretty neat uses of FlashVars in Flex 1.5. The problem was that it dropped those values on _level0 (main scope back then) and I never really heard of anyone doing anything to ensure that those values were valid and inspected.

Obviously, if you have that stuff on the server-side, that you can hack the client to to your heart's content, and not worry, but just curious; it seems MORE security is better than just the same. For example, using FlashVars to show data:

somerecord=recordA

Back in 1.5, you'd have somerecord defined for you on in your main Flex Application file. There is nothing stopping the user, at least from what I've seen, from doing the same thing they do in attempting to expose regular sites by injecting bad things into the params; the whole reason CFQueryparam (or whatever that tag is called) was invented in the first place; to ensure safe, acceptable query parameters. Flex, in both versions, doesn't appear to make a distinction. It just seems people would take this for granted. The dangers of messing with Application level variables is gone now that they are sequested in the parameters property, but it still seeems pretty easy to pass whatever I want if someone takes no steps client side to project it.

Obviously, if they have the server-side portion, there isn't much I can do, but still I've never seen client side code implementations match up exactly with server-side, so seems to be to still be a valid concern.

Make sense, or still not a big deal?
Raymond Camden said on 12-11-2006 at 8:28 PM #
Ah - so if I read you right - you are saying that in the AS code, you should treat the flashvars just like you would treat a URL variable in CF. Ie - don't trust it. If you wanted a number, check to sdee that it is a number, greater than zero, etc. Are we on the same page?
James Holmes said on 12-12-2006 at 6:55 AM #
The Flex-Ajax bridge is another thing you should look at:

http://labs.adobe.com/wiki/index.php/Flex_Framewor...

http://flexapps.macromedia.com/flex2beta3/fabridge...
JesterXL said on 12-12-2006 at 11:40 AM #
I guess. I've just never really had to handle worrying about data integrity and security before. Most clients I create are presentation layers that leave all the security & verification to the back-end. So, when I first started messing with FlashVars in Flex 1.5, it was the first time I had to start worrying about security, that's all. Apparently, it seems liek a valid concern, for example inspecting that your data truly is "somewhat" valid. Was hoping for a cop-out answer, saying that "no, you don't have to worry about it.". Oh well!
prabaharan said on 11-21-2011 at 7:59 AM #
hi, I need to pass flashvars from parent swf to child swf. is it possible?

[Add Comment] [Subscribe to Comments]