Security helper class.
Class declared in SYSPATH/classes/security.php on line 3.

Properties

string $token_name
    Key name used for token storage.
    Default: string(14) "security_token"

Methods
check($token)

Check that the given token matches the currently stored security token.

    if (Security::check($token))
    {
        // Pass
    }

Parameters:
    string $token (required) - Token to check

Returns: boolean

    public static function check($token)
    {
        return Security::token() === $token;
    }
encode_php_tags($str)

Encodes PHP tags in a string, so that `<?` and `?>` are emitted as HTML entities rather than as executable tag delimiters.

    $str = Security::encode_php_tags($str);

Parameters:
    string $str (required) - String to sanitize

Returns: string

    public static function encode_php_tags($str)
    {
        // Replace the PHP open/close tags with their HTML-entity forms
        return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $str);
    }
strip_image_tags($str)

Remove image tags from a string. Each `<img>` tag is replaced by the value of its `src` attribute, so the URL survives as plain text while the tag itself is removed.

    $str = Security::strip_image_tags($str);

Parameters:
    string $str (required) - String to sanitize

Returns: string

    public static function strip_image_tags($str)
    {
        return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
    }
token($new = FALSE)

Generate and store a unique token which can be used to help prevent CSRF attacks.

    $token = Security::token();

You can insert this token into your forms as a hidden field:

    echo Form::hidden('csrf', Security::token());

And then check it when using Validation:

    $array->rules('csrf', array(
        'not_empty'       => NULL,
        'Security::check' => NULL,
    ));

This provides a basic, but effective, method of preventing CSRF attacks.

Parameters:
    boolean $new = bool FALSE - Force a new token to be generated?

Returns: string

    public static function token($new = FALSE)
    {
        $session = Session::instance();

        // Get the current token
        $token = $session->get(Security::$token_name);

        if ($new === TRUE OR ! $token)
        {
            // Generate a new unique token
            $token = sha1(uniqid(NULL, TRUE));

            // Store the new token
            $session->set(Security::$token_name, $token);
        }

        return $token;
    }
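The issue-embed-check cycle described above, as an added example that is not Kohana's own code: it stands in for Security::token() and Security::check() using $_SESSION directly so it runs on a plain PHP 7+ command line without the framework. The function names csrf_token, csrf_check, csrf_hidden_field and handle_post are assumptions made for this example. Two points differ deliberately from the framework code shown on this page: the token is drawn from random_bytes() instead of sha1(uniqid()), and the comparison uses hash_equals() instead of ===, so that a wrong token cannot be distinguished from a right one by response timing.

```php
<?php
// Added example, not part of the Kohana Security class. Uses $_SESSION
// directly so it runs outside the framework; all names are assumptions.

session_start();

// Same key name as Security::$token_name on the documented class.
const CSRF_TOKEN_NAME = 'security_token';

// Issue (or reuse) the per-session token, mirroring Security::token().
function csrf_token(bool $new = false): string
{
    if ($new || empty($_SESSION[CSRF_TOKEN_NAME])) {
        // CSPRNG output rather than sha1(uniqid()); 32 bytes -> 64 hex chars.
        $_SESSION[CSRF_TOKEN_NAME] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_TOKEN_NAME];
}

// Mirror of Security::check(), but with a constant-time comparison.
function csrf_check(?string $token): bool
{
    if ($token === null || empty($_SESSION[CSRF_TOKEN_NAME])) {
        // No token submitted, or no token ever issued for this session.
        return false;
    }
    return hash_equals($_SESSION[CSRF_TOKEN_NAME], $token);
}

// Equivalent of Form::hidden('csrf', Security::token()) from the docs.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handle a submitted form: the check runs before any state-changing work,
// which is where the 'not_empty' + 'Security::check' rules sit in the docs.
function handle_post(array $post): string
{
    if (! csrf_check($post['csrf'] ?? null)) {
        return '403: CSRF token missing or invalid';
    }
    // ... perform the state change here ...
    return '200: form accepted';
}

// Constructed requests: one carrying the session's token, one forged, one empty.
echo csrf_hidden_field(), PHP_EOL;
echo handle_post(['csrf' => csrf_token()]), PHP_EOL;
echo handle_post(['csrf' => 'forged-value']), PHP_EOL;
echo handle_post([]), PHP_EOL;
```

The first request is accepted and the other two are rejected. Because the token is bound to the session rather than to the form, the same value is reused across pages until csrf_token(true) rotates it, which matches the documented behaviour of Security::token($new).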