Modules

  1. Kohana
    2. Debug
    3. HTTP_Cache
    4. I18n
    5. Kohana
    6. Kohana_Config_Writer
    7. Request
    8. Request_Client
    9. Request_Client_Curl
    10. Request_Client_External
    11. Request_Client_HTTP
    12. Request_Client_Internal
    13. Request_Client_Stream
    14. Response
    15. Route
    16. UTF8
    17. View
    18. Configuration
      1. Config
      2. Config_File
      3. Config_Group
      4. Kohana_Config_File_Reader
      5. Kohana_Config_Reader
      6. Kohana_Config_Source
    19. Controller
      1. Controller
      2. Controller_Template
      3. Controller_Welcome
    20. Exceptions
      1. HTTP_Exception
      2. HTTP_Exception_300
      3. HTTP_Exception_301
      4. HTTP_Exception_302
      5. HTTP_Exception_303
      6. HTTP_Exception_304
      7. HTTP_Exception_305
      8. HTTP_Exception_307
      9. HTTP_Exception_400
      10. HTTP_Exception_401
      11. HTTP_Exception_402
      12. HTTP_Exception_403
      13. HTTP_Exception_404
      14. HTTP_Exception_405
      15. HTTP_Exception_406
      16. HTTP_Exception_407
      17. HTTP_Exception_408
      18. HTTP_Exception_409
      19. HTTP_Exception_410
      20. HTTP_Exception_411
      21. HTTP_Exception_412
      22. HTTP_Exception_413
      23. HTTP_Exception_414
      24. HTTP_Exception_415
      25. HTTP_Exception_416
      26. HTTP_Exception_417
      27. HTTP_Exception_500
      28. HTTP_Exception_501
      29. HTTP_Exception_502
      30. HTTP_Exception_503
      31. HTTP_Exception_504
      32. HTTP_Exception_505
      33. HTTP_Exception_Expected
      34. HTTP_Exception_Redirect
      35. Kohana_Exception
      36. Request_Client_Recursion_Exception
      37. Request_Exception
      38. Session_Exception
      39. UTF8_Exception
      40. Validation_Exception
      41. View_Exception
    21. HTTP
      1. HTTP
      2. HTTP_Header
      3. HTTP_Message
      4. HTTP_Request
      5. HTTP_Response
    22. Helpers
      1. Arr
      2. Cookie
      3. Date
      4. Feed
      5. File
      6. Form
      7. Fragment
      8. HTML
      9. Inflector
      10. Num
      11. Profiler
      12. Task_Help
      13. Text
      14. URL
      15. Upload
    23. Logging
      1. Log
      2. Log_File
      3. Log_StdErr
      4. Log_StdOut
      5. Log_Syslog
      6. Log_Writer
    24. Minion
      1. Minion_Exception
      2. Minion_Exception_InvalidTask
    25. Models
      1. Model
    26. Security
      1. Encrypt
      2. Security
      3. Valid
      4. Validation
    27. Session
      1. Session
      2. Session_Cookie
      3. Session_Native
  2. Kohana/Auth
    2. Auth
    3. Auth_File
    4. Auth_ORM
    5. Model_Auth_Role
    6. Model_Auth_User
    7. Model_Auth_User_Token
    8. Model_Role
    9. Model_User
    10. Model_User_Token
  3. Kohana/Cache
    2. Cache
    3. Cache_Apc
    4. Cache_Arithmetic
    5. Cache_Exception
    6. Cache_File
    7. Cache_GarbageCollect
    8. Cache_Memcache
    9. Cache_MemcacheTag
    10. Cache_Sqlite
    11. Cache_Tagging
    12. Cache_Wincache
  4. Kohana/Codebench
    2. Codebench
    3. Controllers
      1. Controller_Codebench
    4. Tests
      1. Bench_ArrCallback
      2. Bench_AutoLinkEmails
      3. Bench_DateSpan
      4. Bench_ExplodeLimit
      5. Bench_GruberURL
      6. Bench_LtrimDigits
      7. Bench_MDDoBaseURL
      8. Bench_MDDoImageURL
      9. Bench_MDDoIncludeViews
      10. Bench_StripNullBytes
      11. Bench_Transliterate
      12. Bench_URLSite
      13. Bench_UserFuncArray
      14. Bench_ValidColor
      15. Bench_ValidURL
  5. Kohana/Database
    2. DB
    3. Database
    4. Database_Expression
    5. Configuration
      1. Config_Database
      2. Config_Database_Reader
      3. Config_Database_Writer
    6. Drivers
      1. Database_MySQL
      2. Database_MySQLi
      3. Database_PDO
    7. Exceptions
      1. Database_Exception
    8. Models
      1. Model_Database
    9. Query
      1. Database_Query
      2. Database_Query_Builder
      3. Database_Query_Builder_Delete
      4. Database_Query_Builder_Insert
      5. Database_Query_Builder_Join
      6. Database_Query_Builder_Select
      7. Database_Query_Builder_Update
      8. Database_Query_Builder_Where
    10. Query/Result
      1. Database_MySQL_Result
      2. Database_MySQLi_Result
      3. Database_Result
      4. Database_Result_Cached
    11. Session
      1. Session_Database
  6. Kohana/Image
    2. Image
    3. Drivers
      1. Image_GD
      2. Image_Imagick
  7. Kohana/ORM
    2. ORM
    3. ORM_Validation_Exception
  8. Kohana/UnitTest
    2. Unittest_Database_TestCase
    3. Unittest_Tests
  9. Kohana/Userguide
    2. Kodoc
    3. Kodoc_Class
    4. Kodoc_Markdown
    5. Kodoc_Method
    6. Kodoc_Method_Param
    7. Kodoc_Property
    8. Controller
      1. Controller_Userguide
    9. Undocumented
      1. Kodoc_Missing
  10. [Unknown]
    2. Minion_CLI
    3. Minion_Task
    4. Unittest_Helpers
    5. Unittest_TestCase
    6. Unittest_TestSuite

Kohana_Security

This class is a transparent base class for Security and should not be accessed directly.

Security helper class.

package
Kohana
category
Security
author
Kohana Team
copyright
© 2007-2012 Kohana Team
license
http://kohanaframework.org/license

Class declared in SYSPATH/classes/Kohana/Security.php on line 11.

Constants

  • None

Properties

Methods

Properties

public static string $token_name

key name used for token storage

string(14) "security_token"

Methods

public static check( string $token ) (defined in Kohana_Security)

Check that the given token matches the currently stored security token.

if (Security::check($token))
{
    // Pass
}

Parameters

  • string $token required - Token to check

Tags

Return Values

  • boolean

Source Code

public static function check($token)
{
	return Security::slow_equals(Security::token(), $token);
}

public static encode_php_tags( string $str ) (defined in Kohana_Security)

Encodes PHP tags in a string.

$str = Security::encode_php_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

public static function encode_php_tags($str)
{
	return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $str);
}

public static slow_equals( string $a , string $b ) (defined in Kohana_Security)

Compare two hashes in a time-invariant manner. Prevents cryptographic side-channel attacks (timing attacks, specifically)

Parameters

  • string $a required - Cryptographic hash
  • string $b required - Cryptographic hash

Return Values

  • boolean

Source Code

public static function slow_equals($a, $b) 
{
	$diff = strlen($a) ^ strlen($b);
	for($i = 0; $i < strlen($a) AND $i < strlen($b); $i++)
	{
		$diff |= ord($a[$i]) ^ ord($b[$i]);
	}
	return $diff === 0; 
}

public static strip_image_tags( string $str ) (defined in Kohana_Security)

Remove image tags from a string.

$str = Security::strip_image_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

public static function strip_image_tags($str)
{
	return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
}

public static token( [ boolean $new = bool FALSE ] ) (defined in Kohana_Security)

Generate and store a unique token which can be used to help prevent CSRF attacks.

$token = Security::token();

You can insert this token into your forms as a hidden field:

echo Form::hidden('csrf', Security::token());

And then check it when using Validation:

$array->rules('csrf', array(
    array('not_empty'),
    array('Security::check'),
));

This provides a basic, but effective, method of preventing CSRF attacks.

Parameters

  • boolean $new = bool FALSE - Force a new token to be generated?

Tags

Return Values

  • string

Source Code

public static function token($new = FALSE)
{
	$session = Session::instance();

	// Get the current token
	$token = $session->get(Security::$token_name);

	if ($new === TRUE OR ! $token)
	{
		// Generate a new unique token
		if (function_exists('openssl_random_pseudo_bytes'))
		{
			// Generate a random pseudo bytes token if openssl_random_pseudo_bytes is available
			// This is more secure than uniqid, because uniqid relies on microtime, which is predictable
			$token = base64_encode(openssl_random_pseudo_bytes(32));
		}
		else
		{
			// Otherwise, fall back to a hashed uniqid
			$token = sha1(uniqid(NULL, TRUE));
		}

		// Store the new token
		$session->set(Security::$token_name, $token);
	}

	return $token;
}