contenido\classes\class.security.php

Project: Contenido Content Management System

Description: This object makes contenido more secure

Requirements:

Author
Frederic Schneider  
Con_php_req
5.0  
Copyright
four for business AG  
License
http://www.contenido.org/license/LIZENZ.txt  
Link
http://www.4fb.de  
Link
http://www.contenido.org  
Package
Contenido Backend classes  
Since
file available since contenido release 4.8.7  
TODO
: Some features are the same as in HttpInputValidator (see contenido/classes/class.httpinputvalidator.php), merge them...
{@internal
created 2008-06-25
modified 2008-07-02, Frederic Schneider, added boolean functions and checkRequests()
modified 2008-07-04, Frederic Schneider, added test to valid contenido-session-var
modified 2008-07-23, Frederic Schneider, fixed stripslashes_deep functionality
modified 2008-07-31, Frederic Schneider, added escapeString() with fallback at escapeDB()
modified 2008-11-13, Timo Trautmann, also strip slashes if they were added automatically by PHP
modified 2010-05-20, Murat Purc, extended/added request parameter checks which are usable by the Contenido startup process. Changed script terminations by die() to Exceptions.
modified 2010-09-30, Dominik Ziegler, added optional logging
modified 2010-11-22, Dominik Ziegler, fixed behaviour of isInteger [CON-365]
$Id: class.security.php 1238 2010-11-22 11:26:33Z dominik.ziegler $
}}
Version
1.1.1  

\Contenido_Security

Package: Default
Contenido Security class

Properties

Property: protected static array $_acceptedBelangValues = array('de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL')
Accepted backend languages
Default value: array('de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL')
Details
Type
array
Property: protected static array $_forbiddenParameters = array('cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess')
Request parameters which are strictly forbidden
Default value: array('cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess')
Details
Type
array
Property: protected static array $_mustbeNumericParameters = array('client', 'changeclient', 'lang', 'changelang', 'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart')
Request parameters which must be numeric
Default value: array('client', 'changeclient', 'lang', 'changelang', 'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart')
Details
Type
array

Methods

method public static checkFrontendGlobals() : void

Checks some global variables at frontend like $lang, $client, $changelang, $changeclient, $tmpchangelang.

Validates client and language related variables and takes care that their content is really a numeric value.

Logic in this function is taken over from front_content.php (v 4.8.12, line 164 - 192).

Details
TODO
: Need a solution for used globals  
method public static checkRequestBelang() : bool | void

Checks the backend language parameter in the request.

Returns
bool | void: True on success, otherwise nothing.
Throws
\Contenido_Security_Exception: if an existing backend language parameter is not valid
method public static checkRequestForbiddenParameter() : bool | void

Checks for forbidden parameters in the request.

Returns
bool | void: True on success, otherwise nothing.
Throws
\Contenido_Security_Exception: if the request contains one of the forbidden parameters.
method public static checkRequestMustbeNumericParameter() : bool

Checks for parameters in the request that must be numeric.

Contrary to the other request checks, this method does not throw an exception. It just ensures that incoming values are really numeric by type casting them to an integer.

Returns
bool: Always true.
method public static checkRequestSession() : bool | void

Checks/validates the existing contenido session request parameter.

Returns
bool | void: True on success, otherwise nothing.
Throws
\Contenido_Security_Exception: if the contenido parameter in the request does not match the required format
method public static checkRequests() : bool | void

Checks some Contenido core related request parameters against XSS.

Returns
bool | void: True on success, otherwise nothing.
Throws
\Contenido_Security_Exception: if one of the checks fails
Details
Access
public
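As an added, stand-alone illustration (not Contenido's own code) of the request checks described above, the following PHP re-implements the forbidden-parameter, must-be-numeric and backend-language checks over a constructed request array; the request key 'belang', the exception class name and the reason the reserved names are forbidden are assumptions of this example, which needs PHP 5.6 or later for constant arrays.

```php
<?php
// Added illustration, not Contenido's own code: stand-alone versions of the
// request checks documented above, run over a constructed request array.
// Stands in for \Contenido_Security_Exception (assumed name for this example).
class RequestCheckException extends Exception {}

// Lists taken from the class properties documented on this page.
const FORBIDDEN_PARAMETERS = array('cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess');
const MUST_BE_NUMERIC = array('client', 'changeclient', 'lang', 'changelang',
                              'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart');
const ACCEPTED_BELANG = array('de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL');

// Like checkRequestForbiddenParameter(): these names look like framework globals
// ($cfg, $db, $sess), which is presumably why a request carrying them is rejected.
function checkForbidden(array $request) {
    foreach (FORBIDDEN_PARAMETERS as $name) {
        if (array_key_exists($name, $request)) {
            throw new RequestCheckException("forbidden request parameter: $name");
        }
    }
    return true;
}

// Like checkRequestMustbeNumericParameter(): never throws, only coerces to int,
// so a value such as '12abc' becomes 12 and anything non-numeric becomes 0.
function coerceNumeric(array $request) {
    foreach (MUST_BE_NUMERIC as $name) {
        if (isset($request[$name])) {
            $request[$name] = (int) $request[$name];
        }
    }
    return $request;
}

// Like checkRequestBelang(): an absent parameter passes, a present one must be
// whitelisted. The request key 'belang' is an assumption of this example.
function checkBelang(array $request) {
    if (!isset($request['belang'])) {
        return;
    }
    if (!in_array($request['belang'], ACCEPTED_BELANG, true)) {
        throw new RequestCheckException('invalid backend language: ' . $request['belang']);
    }
    return true;
}

// Constructed sample request: idcat carries trailing junk, idart is clean.
$request = array('idcat' => '12abc', 'idart' => '7', 'belang' => 'de_DE');
checkForbidden($request);            // passes: no reserved names present
$request = coerceNumeric($request);  // idcat => 12, idart => 7
checkBelang($request);               // passes: de_DE is whitelisted
```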
method public static checkSession() : true

Also checks the contenido session variable for ASCII, but works as a wrapper around checkRequestSession().

Returns
true
Throws
\Contenido_Security_Exception: if the contenido parameter in the request does not match the required format
Details
Access
public
Deprecated
Use checkRequestSession() instead due to better naming conventions
TODO
: Should be removed, but later, in a few years...
method public static escapeDB(string $sString, \DB_Contenido $oDB, boolean $bUndoAddSlashes = true) : string

Escapes a query string with mysql_real_escape_string.

Parameters
$sString (string): input string
$oDB (\DB_Contenido): contenido database object
$bUndoAddSlashes (boolean): flag for undoing addslashes (optional, default: true)

Returns
string: converted string
Details
Static
method public static escapeString(string $sString) : string

Escapes a query string with addslashes.

Parameters
$sString (string): input string

Returns
string: converted string
Details
Static
method public static filter(string $sString, \DB_Contenido $oDb) : string

Escapes the string using the Contenido URL-encoding method and escapes it for inserting.

Parameters
$sString (string): input string
$oDb (\DB_Contenido): contenido database object

Returns
string: filtered string
Details
Static
method public static getAcceptedBelangValues() : array

Returns the accepted backend language values.

Returns
array
method public static getForbiddenParameters() : array

Returns the forbidden request parameters.

Returns
array
method public static getMustbeNumericParameters() : array

Returns the must-be-numeric request parameters.

Returns
array
method public static isBoolean(string $sVar) : boolean

Check: Does the variable have a boolean value?

Parameters
$sVar (string): input string

Returns
boolean: check state
Details
Static
method public static isInteger(string $sVar) : boolean

Check: Is the variable an integer?

Parameters
$sVar (string): input string

Returns
boolean: check state
Details
Static
method public static isString(string $sVar) : boolean

Check: Is the variable a string?

Parameters
$sVar (string): input string

Returns
boolean: check state
Details
Static
method public static toBoolean(string $sString) : boolean

Converts a string to a boolean.

Parameters
$sString (string): input string

Returns
boolean: type-cast input string
Details
Static
method public static toInteger(string $sString) : integer

Converts a string to an integer.

Parameters
$sString (string): input string

Returns
integer: type-cast input string
Details
Static
method public static toString(string $sString, boolean $bHTML = false, string $sAllowableTags = '') : string

Converts a string.

Parameters
$sString (string): input string
$bHTML (boolean): if true, apply strip_tags and stripslashes
$sAllowableTags (string): allowable tags if $bHTML is true

Returns
string: converted string
Details
Static
method public static unFilter(string $sString) : string

Reverts the effect of method filter().

Parameters
$sString (string): input string

Returns
string: unfiltered string
Details
Static
method public static unescapeDB(string $sString) : string

Un-quotes a string quoted with escapeDB().

Parameters
$sString (string): input string

Returns
string: converted string
Details
Static

\Contenido_Security_Exception

Package: Default
Contenido Security exception class
Parent(s)
\Exception

Properties

Property: protected static boolean $_logging = false
Logging flag.

Set to true for logging invalid calls.

Default value: false
Details
Type
boolean
Access
protected
Static

Methods

method public __construct($sMessage, $sParamName) : void

Parameters
$sMessage
$sParamName
Details
See
\Exception::__construct()
Documentation was generated by phpDocumentor 2.0.0a12.