No Authentication - Quick Fix
The user id can be a UUID, which is an identifier with almost zero chances of being duplicated or guessed manually.
Equivalent to the odds of Creating a few tens of trillions of Uuids in a year and having one Duplicate - Wikipedia.
It’ll look something like:
$(".div").html($("<script />", {
src: 'http://www.dominio.com/functions/dados.php?user=1546058f-5a25-4334-85ae-e68f2a44bbaf&acao=qualquer_acao'
}));
Unfortunately there is no native PHP implementation, but you can try this class (source):
<?php
/**
* UUID class
*
* The following class generates VALID RFC 4122 COMPLIANT
* Universally Unique IDentifiers (UUID) version 3, 4 and 5.
*
* UUIDs generated validates using OSSP UUID Tool, and output
* for named-based UUIDs are exactly the same. This is a pure
* PHP implementation.
*
* @author Andrew Moore
* @link http://www.php.net/manual/en/function.uniqid.php#94959
*/
class UUID
{
/**
* Generate v3 UUID
*
* Version 3 UUIDs are named based. They require a namespace (another
* valid UUID) and a value (the name). Given the same namespace and
* name, the output is always the same.
*
* @param uuid $namespace
* @param string $name
*/
public static function v3($namespace, $name)
{
if(!self::is_valid($namespace)) return false;
// Get hexadecimal components of namespace
$nhex = str_replace(array('-','{','}'), '', $namespace);
// Binary Value
$nstr = '';
// Convert Namespace UUID to bits
for($i = 0; $i < strlen($nhex); $i+=2)
{
$nstr .= chr(hexdec($nhex[$i].$nhex[$i+1]));
}
// Calculate hash value
$hash = md5($nstr . $name);
return sprintf('%08s-%04s-%04x-%04x-%12s',
// 32 bits for "time_low"
substr($hash, 0, 8),
// 16 bits for "time_mid"
substr($hash, 8, 4),
// 16 bits for "time_hi_and_version",
// four most significant bits holds version number 3
(hexdec(substr($hash, 12, 4)) & 0x0fff) | 0x3000,
// 16 bits, 8 bits for "clk_seq_hi_res",
// 8 bits for "clk_seq_low",
// two most significant bits holds zero and one for variant DCE1.1
(hexdec(substr($hash, 16, 4)) & 0x3fff) | 0x8000,
// 48 bits for "node"
substr($hash, 20, 12)
);
}
/**
*
* Generate v4 UUID
*
* Version 4 UUIDs are pseudo-random.
*/
public static function v4()
{
return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
// 32 bits for "time_low"
mt_rand(0, 0xffff), mt_rand(0, 0xffff),
// 16 bits for "time_mid"
mt_rand(0, 0xffff),
// 16 bits for "time_hi_and_version",
// four most significant bits holds version number 4
mt_rand(0, 0x0fff) | 0x4000,
// 16 bits, 8 bits for "clk_seq_hi_res",
// 8 bits for "clk_seq_low",
// two most significant bits holds zero and one for variant DCE1.1
mt_rand(0, 0x3fff) | 0x8000,
// 48 bits for "node"
mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
);
}
/**
* Generate v5 UUID
*
* Version 5 UUIDs are named based. They require a namespace (another
* valid UUID) and a value (the name). Given the same namespace and
* name, the output is always the same.
*
* @param uuid $namespace
* @param string $name
*/
public static function v5($namespace, $name)
{
if(!self::is_valid($namespace)) return false;
// Get hexadecimal components of namespace
$nhex = str_replace(array('-','{','}'), '', $namespace);
// Binary Value
$nstr = '';
// Convert Namespace UUID to bits
for($i = 0; $i < strlen($nhex); $i+=2)
{
$nstr .= chr(hexdec($nhex[$i].$nhex[$i+1]));
}
// Calculate hash value
$hash = sha1($nstr . $name);
return sprintf('%08s-%04s-%04x-%04x-%12s',
// 32 bits for "time_low"
substr($hash, 0, 8),
// 16 bits for "time_mid"
substr($hash, 8, 4),
// 16 bits for "time_hi_and_version",
// four most significant bits holds version number 5
(hexdec(substr($hash, 12, 4)) & 0x0fff) | 0x5000,
// 16 bits, 8 bits for "clk_seq_hi_res",
// 8 bits for "clk_seq_low",
// two most significant bits holds zero and one for variant DCE1.1
(hexdec(substr($hash, 16, 4)) & 0x3fff) | 0x8000,
// 48 bits for "node"
substr($hash, 20, 12)
);
}
public static function is_valid($uuid) {
return preg_match('/^\{?[0-9a-f]{8}\-?[0-9a-f]{4}\-?[0-9a-f]{4}\-?'.
'[0-9a-f]{4}\-?[0-9a-f]{12}\}?$/i', $uuid) === 1;
}
}
?>
When creating the user, put the ID as:
include 'UUID.php';
$id = UUID::v4();
Authentication
However, the most obvious way to prevent information theft is to add authentication to your system. Whether manually (registration and login created by you) or via Facebook and the like.
You will transform the page dados.php
as private, requiring the data in the session, and then you can include it without the user ID, as the ID is identified on Session directly on dados.php
.
$(".div").html($("<script />", {
src: 'http://www.dominio.com/functions/dados.php?acao='+xxxx
}));
Very interesting the use of UUID was using random sequences to generate the ID of my users, but I will change, as for the script I liked the idea of authenticating inside the data page.php, thanks @Alfredbaudisch
– Leo Letto