On Wed, 15 Oct 2008 13:51:21 -0400
Michael Peters <[EMAIL PROTECTED]> wrote:

> Mark Stosberg wrote:
> 
> > At one point in the past I did a variation of this where we put the next ID
> > of a related database sequence in the form, and this would become the new
> > primary key when inserted, and it would of course not allow the same primary
> > key to be used twice. That worked, but I realized it was open to abuse if a
> > user tweaked the number to be larger than the sequence. Then, eventually a
> > legitimate user would be assigned that value by the sequence, and it would
> > fail.
> > 
> > Are there specific modules that you recommend to help with this?
> 
> You can try a UUID (look at Data::UUID). It's not sequential, but someone
> could still tweak the form to create a value that could potentially conflict
> with another value in the future. But I'd say it's much less likely than a
> sequential id.

So how might an implementation look? 

We could create a table of "form_uuids".  Each time a form is submitted, we check
if the UUID we have has already been used.

If not, we insert the new UUID and proceed.

Every so often, the table could be cleaned up via cron (since we probably don't
care about seeing the same UUID weeks apart, just seconds or minutes apart).

There is still room for a small race condition in between checking to see if we
used the UUID and inserting it, but I think that may be acceptable. 

    Mark
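One way the "form_uuids" table above could be realised, as an added example rather than code from this thread; it uses Python with sqlite3 in place of Perl/DBI, validates that the submitted token is a well-formed UUID, and closes the check-then-insert race by inserting first and letting the PRIMARY KEY reject a repeat.

```python
import sqlite3
import time
import uuid

# Assumed schema: the UUID is the primary key, so the database itself
# refuses a second submission of the same token.
SCHEMA = """
CREATE TABLE IF NOT EXISTS form_uuids (
    uuid    TEXT PRIMARY KEY,
    used_at INTEGER NOT NULL
)
"""


def connect(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def new_form_token():
    """Token to embed as a hidden field when the form is rendered."""
    return str(uuid.uuid4())


def claim_token(conn, token, now=None):
    """Return True if this token is being used for the first time.

    INSERT first and rely on the unique key instead of SELECT-then-INSERT,
    so two concurrent submissions of one token cannot both get through.
    """
    try:
        uuid.UUID(token)            # reject anything that is not a UUID
    except (ValueError, TypeError):
        return False
    now = int(time.time()) if now is None else now
    try:
        with conn:                  # commits on success, rolls back on error
            conn.execute("INSERT INTO form_uuids (uuid, used_at) VALUES (?, ?)",
                         (token, now))
    except sqlite3.IntegrityError:  # duplicate primary key: token already used
        return False
    return True


def purge_old_tokens(conn, max_age_seconds, now=None):
    """The cron-style cleanup; returns the number of rows removed."""
    now = int(time.time()) if now is None else now
    with conn:
        cur = conn.execute("DELETE FROM form_uuids WHERE used_at < ?",
                           (now - max_age_seconds,))
    return cur.rowcount
```

After a purge the same token is accepted again, which matches the note above that repeats weeks apart are not a concern.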
