Prevention against hacking

Good suggestion. I have been playing with this a bit. The new 'live preview' features generates the widget completely from a URL and doesn't access the database. The widget information in the URL is encoded using base64_encode. As I implement more features, one-way encryption may be used.

I am no longer building widgets from the URL. Everything is checked against the database. I am using md5() to encrypt some of the widget information. If the encrypted widget information matches the widget in the database, it is loaded. It should be very difficult to decrypt the md5 hash since the hashed string is a serialized array and contains several special characters.

Widget URL's now look like this: http://deviable.com/widgets/embed-widgets/embed/iframe/1-8060c935a728bae...

This should be adequate.

Ok, I have continued to improve on encoding the widget ID in the URL. Here is what I have currently come up with:

/**
 * Encode widget information to be placed securely in a URL.
 *
 * @param $embed_widget
 *   An array of widget data.
 * @return
 *   The encoded widget data as a string or FALSE if encoding failed.
 */
function embed_widgets_encode($embed_widget) {
  global $cookie_domain, $base_path;
  $salt = substr($cookie_domain, 1);
  // Make sure the data is an array containing embed widget.
  if (is_numeric($embed_widget['wid']) && isset($embed_widget['settings'])) {
    $encoded_widget = strlen($embed_widget['wid']) . '-' . substr_replace(urlencode(crypt($embed_widget['wid'] . $base_path, $salt)), $embed_widget['wid'], 7, strlen($embed_widget['wid'])) . base64_encode($cookie_domain);
    if ($embed_widget['cache_id']) {
      $encoded_widget .= '-' . $embed_widget['cache_id'];
    }
    return $encoded_widget;
  }
  return FALSE;
}

/**
 * Decode widget information from a URL.
 *
 * @param $encoded_widget
 *   Encoded widget information as a string.
 * @return
 *   An array of widget information or FALSE if data did not validate.
 */
function embed_widgets_decode($encoded_widget) {
  global $cookie_domain, $base_path;
  $salt = substr($cookie_domain, 1);
  // Decode widget.
  list($length, $hash, $cache_id) = split("-", $encoded_widget);
  if ($cache_id) {
    // Load from cache.
    $cache = cache_get('embed_widgets_' . $cache_id);
    $embed_widget = isset($cache->data) ? $cache->data : array();
  }
  else {
    $wid = substr($hash, 7, $length);
    $embed_widget = embed_widgets_load($wid);
  }
  if (substr_replace(urlencode(crypt($embed_widget['wid'] . $base_path, $salt)), $embed_widget['wid'], 7, $length) . base64_encode($cookie_domain) == $hash) {
    return $embed_widget;
  }
  return FALSE;
}

The encryption uses the PHP crypt() function to hash the widget ID along with the base path. The hash is salted with the first two or first eight characters of the cookie domain, depending on the server's encryption. The widget ID is then inserted into the 7th character in the hash. The length of the widget ID is pre-pended so that the ID can be found in the hash. An encoded version of the entire cookie domain is appended. Using $base_path makes certain that a unique encrypted ID is generated when more than one Drupal installations are running from the same domain, but different path. Appending the encoded $cookie_domain guarantees that domains that begin with the same two (or eight) characters won't generate the same ID since most Drupal installations run from the base path '/'.