Protect script with user data?

Asked

Viewed 50 times

1

Currently on my page I load some scripts returned by PHP as follows:

$(".div").html($("<script />", {
     src: 'http://www.dominio.com/functions/dados.php?user='+xxxx+'&acao='+xxxx+''
}));

Inside.php data I’m already checking if the user is logged in, and if the id of the same corresponds to the GET user what so far works to prevent another user from trying to play Dora Aventureira by exploring the URL’s and end up encountering the content of another user, my doubts are:

  1. This would be the best method to protect the data of a given user?
  2. If not, how can I improve the call of this script and avoid using the even by Dora Aventureira users?

1 answer

2


No Authentication - Quick Fix

The user id can be a UUID, which is an identifier with almost zero chances of being duplicated or guessed manually.

Equivalent to the odds of Creating a few tens of trillions of Uuids in a year and having one Duplicate - Wikipedia.

It’ll look something like:

$(".div").html($("<script />", {
     src: 'http://www.dominio.com/functions/dados.php?user=1546058f-5a25-4334-85ae-e68f2a44bbaf&acao=qualquer_acao'
}));

Unfortunately there is no native PHP implementation, but you can try this class (source):

<?php
/**
 * UUID class
 *
 * The following class generates VALID RFC 4122 COMPLIANT
 * Universally Unique IDentifiers (UUID) version 3, 4 and 5.
 *
 * UUIDs generated validates using OSSP UUID Tool, and output
 * for named-based UUIDs are exactly the same. This is a pure
 * PHP implementation.
 *
 * @author Andrew Moore
 * @link http://www.php.net/manual/en/function.uniqid.php#94959
 */
class UUID
{
    /**
     * Generate v3 UUID
     *
     * Version 3 UUIDs are named based. They require a namespace (another 
     * valid UUID) and a value (the name). Given the same namespace and 
     * name, the output is always the same.
     * 
     * @param   uuid    $namespace
     * @param   string  $name
     */
    public static function v3($namespace, $name)
    {
        if(!self::is_valid($namespace)) return false;
        // Get hexadecimal components of namespace
        $nhex = str_replace(array('-','{','}'), '', $namespace);
        // Binary Value
        $nstr = '';
        // Convert Namespace UUID to bits
        for($i = 0; $i < strlen($nhex); $i+=2) 
        {
            $nstr .= chr(hexdec($nhex[$i].$nhex[$i+1]));
        }
        // Calculate hash value
        $hash = md5($nstr . $name);
        return sprintf('%08s-%04s-%04x-%04x-%12s',
        // 32 bits for "time_low"
        substr($hash, 0, 8),
        // 16 bits for "time_mid"
        substr($hash, 8, 4),
        // 16 bits for "time_hi_and_version",
        // four most significant bits holds version number 3
        (hexdec(substr($hash, 12, 4)) & 0x0fff) | 0x3000,
        // 16 bits, 8 bits for "clk_seq_hi_res",
        // 8 bits for "clk_seq_low",
        // two most significant bits holds zero and one for variant DCE1.1
        (hexdec(substr($hash, 16, 4)) & 0x3fff) | 0x8000,
        // 48 bits for "node"
        substr($hash, 20, 12)
        );
    }
    /**
     * 
     * Generate v4 UUID
     * 
     * Version 4 UUIDs are pseudo-random.
     */
    public static function v4() 
    {
        return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        // 32 bits for "time_low"
        mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        // 16 bits for "time_mid"
        mt_rand(0, 0xffff),
        // 16 bits for "time_hi_and_version",
        // four most significant bits holds version number 4
        mt_rand(0, 0x0fff) | 0x4000,
        // 16 bits, 8 bits for "clk_seq_hi_res",
        // 8 bits for "clk_seq_low",
        // two most significant bits holds zero and one for variant DCE1.1
        mt_rand(0, 0x3fff) | 0x8000,
        // 48 bits for "node"
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
        );
    }
    /**
     * Generate v5 UUID
     * 
     * Version 5 UUIDs are named based. They require a namespace (another 
     * valid UUID) and a value (the name). Given the same namespace and 
     * name, the output is always the same.
     * 
     * @param   uuid    $namespace
     * @param   string  $name
     */
    public static function v5($namespace, $name) 
    {
        if(!self::is_valid($namespace)) return false;
        // Get hexadecimal components of namespace
        $nhex = str_replace(array('-','{','}'), '', $namespace);
        // Binary Value
        $nstr = '';
        // Convert Namespace UUID to bits
        for($i = 0; $i < strlen($nhex); $i+=2) 
        {
            $nstr .= chr(hexdec($nhex[$i].$nhex[$i+1]));
        }
        // Calculate hash value
        $hash = sha1($nstr . $name);
        return sprintf('%08s-%04s-%04x-%04x-%12s',
        // 32 bits for "time_low"
        substr($hash, 0, 8),
        // 16 bits for "time_mid"
        substr($hash, 8, 4),
        // 16 bits for "time_hi_and_version",
        // four most significant bits holds version number 5
        (hexdec(substr($hash, 12, 4)) & 0x0fff) | 0x5000,
        // 16 bits, 8 bits for "clk_seq_hi_res",
        // 8 bits for "clk_seq_low",
        // two most significant bits holds zero and one for variant DCE1.1
        (hexdec(substr($hash, 16, 4)) & 0x3fff) | 0x8000,
        // 48 bits for "node"
        substr($hash, 20, 12)
        );
    }
    public static function is_valid($uuid) {
        return preg_match('/^\{?[0-9a-f]{8}\-?[0-9a-f]{4}\-?[0-9a-f]{4}\-?'.
                      '[0-9a-f]{4}\-?[0-9a-f]{12}\}?$/i', $uuid) === 1;
    }
}
?>

When creating the user, put the ID as:

include 'UUID.php';
$id = UUID::v4();

Authentication

However, the most obvious way to prevent information theft is to add authentication to your system. Whether manually (registration and login created by you) or via Facebook and the like.

You will transform the page dados.php as private, requiring the data in the session, and then you can include it without the user ID, as the ID is identified on Session directly on dados.php.

$(".div").html($("<script />", {
     src: 'http://www.dominio.com/functions/dados.php?acao='+xxxx
}));
  • 1

    Very interesting the use of UUID was using random sequences to generate the ID of my users, but I will change, as for the script I liked the idea of authenticating inside the data page.php, thanks @Alfredbaudisch

Browser other questions tagged

You are not signed in. Login or sign up in order to post.