Security helper class.
Class declared in SYSPATH/classes/Security.php on line 3.
string
$token_namekey name used for token storage
string(14) "security_token"
Check that the given token matches the currently stored security token.
if (Security::check($token))
{
// Pass
}
string
$token
required - Token to checkboolean
public static function check($token)
{
return Security::slow_equals(Security::token(), $token);
}
Encodes PHP tags in a string.
$str = Security::encode_php_tags($str);
string
$str
required - String to sanitizestring
public static function encode_php_tags($str)
{
return str_replace(array('<?', '?>'), array('<?', '?>'), $str);
}
Compare two hashes in a time-invariant manner. Prevents cryptographic side-channel attacks (timing attacks, specifically)
string
$a
required - Cryptographic hashstring
$b
required - Cryptographic hashboolean
public static function slow_equals($a, $b)
{
$diff = strlen($a) ^ strlen($b);
for($i = 0; $i < strlen($a) AND $i < strlen($b); $i++)
{
$diff |= ord($a[$i]) ^ ord($b[$i]);
}
return $diff === 0;
}
Remove image tags from a string.
$str = Security::strip_image_tags($str);
string
$str
required - String to sanitizestring
public static function strip_image_tags($str)
{
return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
}
Generate and store a unique token which can be used to help prevent CSRF attacks.
$token = Security::token();
You can insert this token into your forms as a hidden field:
echo Form::hidden('csrf', Security::token());
And then check it when using Validation:
$array->rules('csrf', array(
array('not_empty'),
array('Security::check'),
));
This provides a basic, but effective, method of preventing CSRF attacks.
boolean
$new
= bool FALSE - Force a new token to be generated?string
public static function token($new = FALSE)
{
$session = Session::instance();
// Get the current token
$token = $session->get(Security::$token_name);
if ($new === TRUE OR ! $token)
{
// Generate a new unique token
if (function_exists('openssl_random_pseudo_bytes'))
{
// Generate a random pseudo bytes token if openssl_random_pseudo_bytes is available
// This is more secure than uniqid, because uniqid relies on microtime, which is predictable
$token = base64_encode(openssl_random_pseudo_bytes(32));
}
else
{
// Otherwise, fall back to a hashed uniqid
$token = sha1(uniqid(NULL, TRUE));
}
// Store the new token
$session->set(Security::$token_name, $token);
}
return $token;
}