Overwriting Global Variables

From FlashSec


In ActionScript 2 there were the infamous _root and _global variables, all of which could be overwritten through the request if they were not initialized and checked properly. Request parameters became global inside the movie (for example, with http://host/movie.swf?var1=val1, var1 automatically became _root.var1). A very stupid AS2 example:

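class StupidExample {
    static var app : StupidExample;
    function StupidExample() {
        _root.createTextField("tf",0,0,0,300,300);
        // _root.sometext is never initialized by the movie, so a request
        // such as movie.swf?sometext=... defines it before this check runs.
        if (_root.sometext == undefined) {
            _root.tf.text = "Some text!";
        } else {
            // The request-supplied value is displayed without any check.
            _root.tf.text = _root.sometext;
        }
    }
    static function main(mc) {
        app = new StupidExample();
    }
}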

In ActionScript 3 this is no longer possible. The _root and _global variables have been removed, and all request parameters are now stored in the loaderInfo.parameters object as name-value pairs that represent the parameters provided to the loaded SWF file. The two sources of parameters are the query string in the URL of the main SWF file and the value of the FlashVars HTML parameter.

There are also no variables with global scope in AS3 by default (a developer who needs them must create them). The variables in the loaderInfo.parameters object can still be overwritten, but they exist only inside this object. An easy example of how to access request variables in AS3:

package {
    import flash.display.Sprite;
    public class RequestParamsExample extends Sprite {
        public function RequestParamsExample() {
            showParams();
        }
        // Lists every name-value pair supplied via the query string or FlashVars.
        private function showParams():void {
            for ( var theVar:String in this.loaderInfo.parameters ) {
                var theVal:String = this.loaderInfo.parameters[theVar];
                trace("VAR: " + theVar);
                trace("VAL: " + theVal);
            }
        }
    }
}
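
Because the values in loaderInfo.parameters still come from the request, a movie should check them before use. The following is an added example, not code from the original page: an AS3 counterpart of the AS2 movie above that accepts only expected parameters. The class name SafeParamsExample, the ALLOWED policy object, and its length and pattern limits are assumptions chosen for illustration.

```actionscript
package {
    import flash.display.Sprite;
    import flash.text.TextField;

    // Added example: treats loaderInfo.parameters as untrusted input.
    public class SafeParamsExample extends Sprite {
        // Assumed policy for this example: the parameter names the movie
        // accepts, each with a maximum length and a pattern for its value.
        private static const ALLOWED:Object = {
            sometext: { maxLen: 100, pattern: /^[\w .,!?-]*$/ }
        };
        private static const DEFAULT_TEXT:String = "Some text!";

        public function SafeParamsExample() {
            var params:Object = readParams(this.loaderInfo.parameters);
            var tf:TextField = new TextField();
            tf.width = 300;
            tf.height = 300;
            // Plain text assignment, as in the AS2 example; the value is
            // not parsed as markup.
            tf.text = (params.sometext != null) ? params.sometext : DEFAULT_TEXT;
            addChild(tf);
        }

        // Copies only allowlisted, well-formed parameters into a new object.
        private function readParams(raw:Object):Object {
            var clean:Object = {};
            for (var name:String in raw) {
                if (!ALLOWED.hasOwnProperty(name)) {
                    trace("ignored unexpected parameter: " + name);
                    continue;
                }
                var rule:Object = ALLOWED[name];
                var value:String = String(raw[name]);
                if (value.length > rule.maxLen || !rule.pattern.test(value)) {
                    trace("rejected value for parameter: " + name);
                    continue;
                }
                clean[name] = value;
            }
            return clean;
        }
    }
}
```

A parameter that is missing, unexpected, too long, or outside the pattern leaves the movie showing its default text.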