Protect script with user data?

1

Currently on my page I load some scripts returned by PHP as follows:

$(".div").html($("<script />", {
     src: 'http://www.dominio.com/functions/dados.php?user='+xxxx+'&acao='+xxxx+''
}));

Within dados.php I am already checking whether the user is logged in and whether their id corresponds to the GET user, which so far works to prevent another user from playing Dora the Explorer with the URLs and ending up at another user's content. My doubts are:

  • Would this be the best method to protect the data of a given user?
  • If not, how can I improve the call of this script and avoid its use by Dora the Explorer users?

asked by anonymous 22.12.2016 / 23:34

    1 answer

    2

    No Authentication - Quick Solution

    The user id can be a UUID, which is an identifier with almost nil chances of being duplicated or guessed manually.

      

    Equivalent to the odds of creating a few tens of trillions of UUIDs in a year and having one duplicate - Wikipedia.

    It will look something like:

    $(".div").html($("<script />", {
         src: 'http://www.dominio.com/functions/dados.php?user=1546058f-5a25-4334-85ae-e68f2a44bbaf&acao=qualquer_acao'
    }));
    

    Unfortunately there is no native implementation in PHP, but you can try this class (source):

    <?php
    /**
     * UUID class
     *
     * The following class generates VALID RFC 4122 COMPLIANT
     * Universally Unique IDentifiers (UUID) version 3, 4 and 5.
     *
     * UUIDs generated validates using OSSP UUID Tool, and output
     * for named-based UUIDs are exactly the same. This is a pure
     * PHP implementation.
     *
     * @author Andrew Moore
     * @link http://www.php.net/manual/en/function.uniqid.php#94959
     */
    class UUID
    {
        /**
         * Generate v3 UUID
         *
         * Version 3 UUIDs are named based. They require a namespace (another 
         * valid UUID) and a value (the name). Given the same namespace and 
         * name, the output is always the same.
         * 
         * @param   uuid    $namespace
         * @param   string  $name
         */
        public static function v3($namespace, $name)
        {
            if(!self::is_valid($namespace)) return false;
            // Get hexadecimal components of namespace
            $nhex = str_replace(array('-','{','}'), '', $namespace);
            // Binary Value
            $nstr = '';
            // Convert Namespace UUID to bits
            for($i = 0; $i < strlen($nhex); $i+=2) 
            {
                $nstr .= chr(hexdec($nhex[$i].$nhex[$i+1]));
            }
            // Calculate hash value
            $hash = md5($nstr . $name);
            return sprintf('%08s-%04s-%04x-%04x-%12s',
            // 32 bits for "time_low"
            substr($hash, 0, 8),
            // 16 bits for "time_mid"
            substr($hash, 8, 4),
            // 16 bits for "time_hi_and_version",
            // four most significant bits holds version number 3
            (hexdec(substr($hash, 12, 4)) & 0x0fff) | 0x3000,
            // 16 bits, 8 bits for "clk_seq_hi_res",
            // 8 bits for "clk_seq_low",
            // two most significant bits holds zero and one for variant DCE1.1
            (hexdec(substr($hash, 16, 4)) & 0x3fff) | 0x8000,
            // 48 bits for "node"
            substr($hash, 20, 12)
            );
        }
        /**
         * 
         * Generate v4 UUID
         * 
         * Version 4 UUIDs are random. random_int() (PHP 7+) draws from the
         * system CSPRNG; mt_rand() output is predictable and must not be
         * used when the UUID is meant to be unguessable.
         */
        public static function v4() 
        {
            return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
            // 32 bits for "time_low"
            random_int(0, 0xffff), random_int(0, 0xffff),
            // 16 bits for "time_mid"
            random_int(0, 0xffff),
            // 16 bits for "time_hi_and_version",
            // four most significant bits holds version number 4
            random_int(0, 0x0fff) | 0x4000,
            // 16 bits, 8 bits for "clk_seq_hi_res",
            // 8 bits for "clk_seq_low",
            // two most significant bits holds zero and one for variant DCE1.1
            random_int(0, 0x3fff) | 0x8000,
            // 48 bits for "node"
            random_int(0, 0xffff), random_int(0, 0xffff), random_int(0, 0xffff)
            );
        }
        /**
         * Generate v5 UUID
         * 
         * Version 5 UUIDs are named based. They require a namespace (another 
         * valid UUID) and a value (the name). Given the same namespace and 
         * name, the output is always the same.
         * 
         * @param   uuid    $namespace
         * @param   string  $name
         */
        public static function v5($namespace, $name) 
        {
            if(!self::is_valid($namespace)) return false;
            // Get hexadecimal components of namespace
            $nhex = str_replace(array('-','{','}'), '', $namespace);
            // Binary Value
            $nstr = '';
            // Convert Namespace UUID to bits
            for($i = 0; $i < strlen($nhex); $i+=2) 
            {
                $nstr .= chr(hexdec($nhex[$i].$nhex[$i+1]));
            }
            // Calculate hash value
            $hash = sha1($nstr . $name);
            return sprintf('%08s-%04s-%04x-%04x-%12s',
            // 32 bits for "time_low"
            substr($hash, 0, 8),
            // 16 bits for "time_mid"
            substr($hash, 8, 4),
            // 16 bits for "time_hi_and_version",
            // four most significant bits holds version number 5
            (hexdec(substr($hash, 12, 4)) & 0x0fff) | 0x5000,
            // 16 bits, 8 bits for "clk_seq_hi_res",
            // 8 bits for "clk_seq_low",
            // two most significant bits holds zero and one for variant DCE1.1
            (hexdec(substr($hash, 16, 4)) & 0x3fff) | 0x8000,
            // 48 bits for "node"
            substr($hash, 20, 12)
            );
        }
        public static function is_valid($uuid) {
            return preg_match('/^\{?[0-9a-f]{8}\-?[0-9a-f]{4}\-?[0-9a-f]{4}\-?'.
                          '[0-9a-f]{4}\-?[0-9a-f]{12}\}?$/i', $uuid) === 1;
        }
    }
    ?>
    

    When creating the user, set the ID as:

    include 'UUID.php';
    $id = UUID::v4();
    

    Authentication

    However, the most obvious way to prevent information theft is to add authentication to your system. Either manually (registration and login created by you) or via Facebook and the like.

    You will make the page dados.php private, requiring the session data, and then you can include it without the user ID, since the ID is identified from the session directly in dados.php.

    $(".div").html($("<script />", {
         src: 'http://www.dominio.com/functions/dados.php?acao='+xxxx
    }));
    
        
    22.12.2016 / 23:52
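
A sketch of the session-only check described in the answer's "Authentication" section, added here as an example and not part of the original answer. The session key `user_id` (assumed to hold the user's id as a string, such as the UUID), the action names and `load_user_data()` are hypothetical.

```php
<?php
// dados.php (added example). The session key 'user_id', the action names and
// load_user_data() are hypothetical; they are not from the original post.
declare(strict_types=1);

// SameSite keeps the cookie off cross-site <script src> requests (PHP 7.3+).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

/** Decide which user and action a request may use; null means "deny". */
function authorize_request(array $session, array $query, array $allowed): ?array
{
    // Identity comes only from the server-side session, never from the URL.
    $userId = $session['user_id'] ?? null;
    if (!is_string($userId) || $userId === '') {
        return null;
    }
    // A leftover ?user= parameter is tolerated only if it matches the session.
    if (isset($query['user'])
        && (!is_string($query['user']) || !hash_equals($userId, $query['user']))) {
        return null;
    }
    // Only known actions are dispatched.
    $action = $query['acao'] ?? null;
    if (!is_string($action) || !in_array($action, $allowed, true)) {
        return null;
    }
    return ['user_id' => $userId, 'action' => $action];
}

/** Stand-in for the real per-user lookup (hypothetical). */
function load_user_data(string $userId, string $action): array
{
    return ['user' => $userId, 'action' => $action, 'items' => []];
}

$request = authorize_request($_SESSION, $_GET, ['listar', 'resumo']);
if ($request === null) {
    http_response_code(403);
    exit;
}

// Per-user JavaScript: keep it out of shared caches, forbid type sniffing.
header('Content-Type: application/javascript; charset=utf-8');
header('Cache-Control: no-store, private');
header('X-Content-Type-Options: nosniff');

$data = load_user_data($request['user_id'], $request['action']);
echo 'window.userData = ' . json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ';';
```

Because the data is delivered through a `<script>` tag, the browser will request it from any page that references the URL, so the SameSite cookie setting matters as much as the session check; returning JSON to a same-origin XHR is the stricter alternative.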