Try to use signed_request instead of sending plain Facebook IDs - then you can decode them on the server, using the secret_id given on the Facebook app page. Then no one will be able to send you "fake" queries, because they will fail to decrypt on the server side.
For example, I have an application which allows users to vote on a given entry. After the user accepts permissions, I'm using JavaScript to send his vote to the server:
    $.ajax({
        type: "POST",
        url: base_url + 'vote/send',
        // signed_request is verified on the server with the app secret; vote is the user's choice
        data: { signed_request: response.authResponse.signedRequest, vote: vote }
    });
On the server side, I'm decoding signed_request to get the user's Facebook ID and store it as a legit vote... in that way, no one is able to send me a fake vote, because signed_request is encrypted in a way that only my app is able to decode.
response, of course, is the object which comes from the SDK after the user approves permission to use the app.