Mark Stosberg wrote:
So how might an implementation look?
I would either make the uuid the primary key (might affect performance since it's not an integer, but a string) or a unique key for the same table. Then you don't have anything else to keep track of (no extra tables, etc).
Every so often, the table could cleaned up via cron, (since we probably don't care about seeing the same UUID weeks apart, just seconds or minutes apart).
UUID's should never collide.
There is still room for a small race condition in between checking to see if we used the UUID and inserting it, but I think that may be acceptable.
If you're really worried about someone attacking you in this way then insert the record with the uuid first and then let them upload. If you don't find the uuid they are trying to upload to, then they changed it so just disallow the upload.
-- Michael Peters Plus Three, LP
