contenido\classes\class.security.php
Description: This object makes contenido more secure
Author: Frederic Schneider
Con_php_req: 5.0
Copyright: four for business AG
License: http://www.contenido.org/license/LIZENZ.txt
Link: http://www.4fb.de
Link: http://www.contenido.org
Package: Contenido Backend classes
Since: file available since contenido release 4.8.7
TODO: Some features are the same as in HttpInputValidator (see contenido/classes/class.httpinputvalidator.php), merge them...
Internal changelog:
- created 2008-06-25
- modified 2008-07-02, Frederic Schneider, added boolean functions and checkRequests()
- modified 2008-07-04, Frederic Schneider, added a test that validates the contenido session variable
- modified 2008-07-23, Frederic Schneider, fixed stripslashes_deep functionality
- modified 2008-07-31, Frederic Schneider, added escapeString() as the fallback used by escapeDB()
- modified 2008-11-13, Timo Trautmann, also strip slashes if they were added automatically by PHP (magic quotes)
- modified 2010-05-20, Murat Purc, extended/added request parameter checks usable by the Contenido startup process; replaced script termination via die() with exceptions
- modified 2010-09-30, Dominik Ziegler, added optional logging
- modified 2010-11-22, Dominik Ziegler, fixed behaviour of isInteger [CON-365]
$Id: class.security.php 1238 2010-11-22 11:26:33Z dominik.ziegler $
Version: 1.1.1
\Contenido_Security
Properties


array $_acceptedBelangValues = array('de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL')
Accepted backend language (belang) values.
Details
- Type: array


array $_forbiddenParameters = array('cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess')
Request parameter names that are never accepted from the client.
Details
- Type: array


array $_mustbeNumericParameters = array('client', 'changeclient', 'lang', 'changelang', 'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart')
Request parameters that must be numeric and are cast to integer.
Details
- Type: array
Methods


checkFrontendGlobals() : void
Checks some global variables used by the frontend, namely $lang, $client, $changelang, $changeclient and $tmpchangelang.
Validates the client and language related variables and makes sure that their content is really a numeric value.
The logic in this function was taken over from front_content.php (v 4.8.12, lines 164 - 192).
- TODO
- : Need a solution for the globals used here


checkRequestBelang() : bool | void
Checks the backend language parameter (belang) in the request against the accepted values.
Type | Description |
---|---|
bool | void | True on success; otherwise nothing is returned because an exception is thrown. |
Exception | Description |
---|---|
\Contenido_Security_Exception | if an existing backend language parameter is not one of the accepted values |


checkRequestForbiddenParameter() : bool | void
Checks the request for forbidden parameter names (see $_forbiddenParameters). Only the parameter name matters; such a parameter could otherwise overwrite core variables like $cfg, $db or $sess.
Type | Description |
---|---|
bool | void | True on success; otherwise nothing is returned because an exception is thrown. |
Exception | Description |
---|---|
\Contenido_Security_Exception | if the request contains one of the forbidden parameters |


checkRequestMustbeNumericParameter() : bool
Checks the request parameters that must be numeric (see $_mustbeNumericParameters).
Unlike the other request checks, this method does not throw an exception. It only ensures that the incoming values are numeric by casting them to integer. Note the PHP cast semantics: a value like "12abc" becomes 12 and a non-numeric value becomes 0, so junk is converted into a plausible id rather than rejected.
Type | Description |
---|---|
bool | Always true |


checkRequestSession() : bool | void
Checks/validates an existing contenido session request parameter.
Type | Description |
---|---|
bool | void | True on success; otherwise nothing is returned because an exception is thrown. |
Exception | Description |
---|---|
\Contenido_Security_Exception | if the contenido parameter in the request does not match the required format |


checkRequests() : bool | void
Runs the Contenido core related request parameter checks (forbidden parameters, numeric parameters, backend language, session parameter) as a defence against XSS and parameter injection.
Type | Description |
---|---|
bool | void | True on success; otherwise nothing is returned because an exception is thrown. |
Exception | Description |
---|---|
\Contenido_Security_Exception | if one of the checks fails |
- Access
- public


checkSession() : true
Also checks that the contenido (session) variable is ASCII, but works as a wrapper around checkRequestSession().
Type | Description |
---|---|
true | Always true |
Exception | Description |
---|---|
\Contenido_Security_Exception | if the contenido parameter in the request does not match the required format |
- Access
- public
- Deprecated
- Use checkRequestSession() instead, which follows the naming conventions
- TODO
- : Should be removed, but only in a few years...
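The following is an added example that walks through the four request checks documented above (forbidden parameters, must-be-numeric parameters, backend language, session parameter). It is not Contenido's class.security.php: the three lists are the ones shown on this page, while the exception class, the session-id format (assumed here to be 32 hexadecimal characters) and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example of the request checks this class documents; it is not
// Contenido's own class.security.php. The three lists are the ones on this
// page; the exception class, the session-id regex and the sample requests
// are assumptions made here for the illustration.

class Contenido_Security_Exception_Demo extends Exception
{
}

// Names that must never come from the client. With register_globals, or an
// extract($_REQUEST), such a parameter would overwrite core state like $cfg,
// $db or $sess.
$forbiddenParameters = array('cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess');

// Ids that are only ever used as integers; they are cast, not rejected.
$mustBeNumericParameters = array('client', 'changeclient', 'lang', 'changelang',
    'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart');

// Backend language allowlist.
$acceptedBelangValues = array('de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL');

/**
 * Runs the four checks in the order the page lists them and returns the
 * sanitised request. Forbidden names, a bad belang and a malformed session
 * id throw; numeric ids are coerced silently.
 */
function checkRequestsDemo(array $request, array $forbidden, array $numeric, array $belangs)
{
    // 1. forbidden parameter names: only the key matters, not the value
    $hit = array_intersect_key($request, array_flip($forbidden));
    if ($hit) {
        throw new Contenido_Security_Exception_Demo(
            'Forbidden request parameter: ' . implode(', ', array_keys($hit)));
    }

    // 2. must-be-numeric parameters: (int) cast. Junk is converted, not
    //    rejected, which is why this step can never throw.
    foreach ($numeric as $name) {
        if (array_key_exists($name, $request)) {
            $request[$name] = (int) $request[$name];
        }
    }

    // 3. backend language: strict allowlist comparison (also rejects arrays)
    if (array_key_exists('belang', $request) && !in_array($request['belang'], $belangs, true)) {
        throw new Contenido_Security_Exception_Demo('Invalid belang value');
    }

    // 4. session id: ASSUMED to be 32 hex characters; the page only says it
    //    has to match "the required format". The is_string() guard keeps a
    //    contenido[]=x array from reaching preg_match().
    if (array_key_exists('contenido', $request)
        && (!is_string($request['contenido'])
            || !preg_match('/^[0-9a-f]{32}$/i', $request['contenido']))) {
        throw new Contenido_Security_Exception_Demo('Malformed session id');
    }

    return $request;
}

// Constructed sample requests, as they would arrive merged from $_GET/$_POST.
$clean = array(
    'idcat'     => '12',
    'idart'     => '7abc',
    'belang'    => 'en_US',
    'contenido' => str_repeat('a', 32),
);
$hostile = array('idcat' => '1', 'cfg' => array('path' => '/tmp'), 'belang' => 'en_US');

var_dump(checkRequestsDemo($clean, $forbiddenParameters, $mustBeNumericParameters, $acceptedBelangValues));

try {
    checkRequestsDemo($hostile, $forbiddenParameters, $mustBeNumericParameters, $acceptedBelangValues);
} catch (Contenido_Security_Exception_Demo $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Running this shows the two failure modes side by side: the hostile request is rejected on the forbidden name cfg before anything else is looked at, whereas the "7abc" id in the clean request is not rejected at all but silently becomes the integer 7. If an id must be exactly what the client sent, validate it with a strict digit check before the cast rather than relying on the cast alone.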


escapeDB(string $sString, \DB_Contenido $oDB, boolean $bUndoAddSlashes = true) : string
Escapes a query string with mysql_real_escape_string(), which uses the character set of the open database connection. If slashes were added automatically by PHP (magic_quotes_gpc), they are removed first so the value is not escaped twice. Note that the mysql extension behind this call no longer exists in PHP 7 and later.
Name | Type | Description |
---|---|---|
$sString | string | input string |
$oDB | \DB_Contenido | contenido database object |
$bUndoAddSlashes | boolean | flag for undoing addslashes (optional, default: true) |
Type | Description |
---|---|
string | converted string |
- Static


escapeString(string $sString) : string
Escapes a query string with addslashes(). This is the fallback used by escapeDB() when no database connection is available; unlike mysql_real_escape_string() it knows nothing about the connection character set, so it is the weaker of the two.
Name | Type | Description |
---|---|---|
$sString | string | input string |
Type | Description |
---|---|
string | converted string |
- Static


filter(string $sString, \DB_Contenido $oDb) : string
Encodes the string with the Contenido URL-encoding method and escapes it for inserting into the database.
Name | Type | Description |
---|---|---|
$sString | string | input string |
$oDb | \DB_Contenido | contenido database object |
Type | Description |
---|---|
string | filtered string |
- Static


getAcceptedBelangValues() : array
Returns the accepted backend language values.
Type | Description |
---|---|
array | accepted backend language values |


getForbiddenParameters() : array
Returns the forbidden request parameter names.
Type | Description |
---|---|
array | forbidden request parameter names |


getMustbeNumericParameters() : array
Returns the request parameters that must be numeric.
Type | Description |
---|---|
array | must-be-numeric request parameter names |


isBoolean(string $sVar) : boolean
Check: does the variable hold a boolean value?
Name | Type | Description |
---|---|---|
$sVar | string | input string |
Type | Description |
---|---|
boolean | check state |
- Static


isInteger(string $sVar) : boolean
Check: is the variable an integer? (Behaviour fixed in 1.1.1, see CON-365.)
Name | Type | Description |
---|---|---|
$sVar | string | input string |
Type | Description |
---|---|
boolean | check state |
- Static


isString(string $sVar) : boolean
Check: is the variable a string?
Name | Type | Description |
---|---|---|
$sVar | string | input string |
Type | Description |
---|---|
boolean | check state |
- Static


toBoolean(string $sString) : boolean
Converts a string to a boolean.
Name | Type | Description |
---|---|---|
$sString | string | input string |
Type | Description |
---|---|
boolean | type-cast input string |
- Static


toInteger(string $sString) : integer
Converts a string to an integer.
Name | Type | Description |
---|---|---|
$sString | string | input string |
Type | Description |
---|---|
integer | type-cast input string |
- Static

toString(string $sString, boolean $bHTML = false, string $sAllowableTags = '') : string
Converts a string. Caveat for the HTML mode: strip_tags() removes tags but leaves every attribute of an allowed tag in place, so allowing e.g. <a> keeps an onclick or a javascript: href intact. Do not rely on $sAllowableTags alone to make user-supplied HTML safe.
Name | Type | Description |
---|---|---|
$sString | string | input string |
$bHTML | boolean | if true, the string is passed through stripslashes() and strip_tags() |
$sAllowableTags | string | tags to keep if $bHTML is true |
Type | Description |
---|---|
string | converted string |
- Static
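An added example contrasting the loose PHP conversions behind the isInteger()/toInteger()/toBoolean()/toString() helpers above with stricter alternatives. It is not the project's code: this page does not give the exact rules of the project's helpers, so the "Loose" functions model plain PHP casts and is_numeric(), the "Strict" ones are the tightened versions a reviewer would ask for, and the accepted spellings in toBooleanDemo() are an assumption.

```php
<?php
// Added example, not the project's code. "Loose" models plain PHP
// behaviour; "Strict" is the tightened check a reviewer would ask for.

// is_numeric() also accepts leading whitespace, exponents, hex (PHP < 7)
// and decimals, none of which an id should ever be.
function isIntegerLoose($v)
{
    return is_numeric($v);
}

// Only an optional minus and decimal digits without leading zeros.
function isIntegerStrict($v)
{
    return is_string($v) && preg_match('/^-?(0|[1-9][0-9]*)$/', $v) === 1;
}

// The plain cast the page's toInteger() describes: never fails, so junk
// becomes a plausible-looking number.
function toIntegerLoose($v)
{
    return (int) $v;
}

// Strict variant: refuse anything that is not already an integer string.
function toIntegerStrict($v)
{
    if (!isIntegerStrict($v)) {
        throw new InvalidArgumentException('not an integer: ' . var_export($v, true));
    }
    return (int) $v;
}

// Assumption: the usual textual spellings mean true, everything else false.
function toBooleanDemo($v)
{
    return in_array(strtolower(trim((string) $v)), array('1', 'true', 'yes', 'on'), true);
}

// toString() with $bHTML = true as the page describes it: stripslashes()
// followed by strip_tags() with an allowlist of tags.
function toStringHtmlDemo($s, $allowableTags = '')
{
    return strip_tags(stripslashes($s), $allowableTags);
}

// Safe default when the value is not meant to carry HTML at all.
function toStringEscapedDemo($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs that commonly slip past loose checks.
$samples = array('42', ' 42', '42abc', '1e3', '0x1A', '1.0', '-7', 'abc');
foreach ($samples as $s) {
    printf("%-8s loose=%d strict=%d cast=%d bool=%d\n", var_export($s, true),
        isIntegerLoose($s), isIntegerStrict($s), toIntegerLoose($s), toBooleanDemo($s));
}

// Constructed HTML showing the strip_tags() attribute caveat.
$html = '<a href="/x" onclick="alert(1)">link</a><script>alert(2)</script>';
echo toStringHtmlDemo($html, '<a>'), "\n";
echo toStringEscapedDemo($html), "\n";
```

In the last two lines the <script> tags are removed by strip_tags() (their text content stays), but the onclick attribute on the allowed <a> tag survives untouched; only the htmlspecialchars() variant neutralises it. For user-supplied rich text, pair strip_tags() with an attribute-aware sanitiser instead of an allowed-tag list alone.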


unFilter(string $sString) : string
Reverts the effect of filter().
Name | Type | Description |
---|---|---|
$sString | string | input string |
Type | Description |
---|---|
string | unfiltered string |
- Static
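An added example of the escaping helpers, escapeDB(), escapeString(), filter() and unFilter(), as described on this page. It is not Contenido's class.security.php: DbStub is a hypothetical stand-in for DB_Contenido, mysqli::real_escape_string replaces the page's mysql_real_escape_string() because the mysql extension no longer exists in PHP 7 and later, and filter() is assumed to be urlencode() followed by escapeDB() (the page only says "Contenido URL-encoding method").

```php
<?php
// Added illustration, not Contenido's class.security.php. DbStub stands in
// for DB_Contenido; mysqli replaces the old mysql extension; the exact
// encoding used by filter() is an assumption.

class DbStub
{
    private $link;

    // $link: a connected mysqli, or null when escaping without a connection.
    public function __construct($link = null)
    {
        $this->link = $link;
    }

    public function escape($s)
    {
        // Preferred path: charset-aware escaping on the live connection.
        if ($this->link instanceof mysqli) {
            return $this->link->real_escape_string($s);
        }
        // Fallback (the page's escapeString()): addslashes() knows nothing
        // about the connection charset, so it is the weaker option.
        return addslashes($s);
    }
}

function magicQuotesActive()
{
    // magic_quotes_gpc is always off since PHP 5.4 and gone in 8.0; the
    // guard keeps this runnable on old and new interpreters alike.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// escapeDB(): undo PHP's automatic addslashes() first so that a value is
// not escaped twice, then escape on the database object.
function escapeDbDemo($s, DbStub $db, $undoAddSlashes = true)
{
    if ($undoAddSlashes && magicQuotesActive()) {
        $s = stripslashes($s);
    }
    return $db->escape($s);
}

// filter(): ASSUMED to be urlencode() followed by escapeDB().
function filterDemo($s, DbStub $db)
{
    return escapeDbDemo(urlencode($s), $db);
}

// unFilter(): reverse both steps of filterDemo().
function unFilterDemo($s)
{
    return urldecode(stripslashes($s));
}

// Constructed sample value containing a quote, a backslash and double quotes.
$db   = new DbStub();          // no connection, so the addslashes() fallback is used
$name = "O'Reilly \\ \"Tim\"";

$escaped  = escapeDbDemo($name, $db);
$filtered = filterDemo($name, $db);
$restored = unFilterDemo($filtered);

echo "escaped:  $escaped\n";
echo "filtered: $filtered\n";
echo "restored: $restored\n";
```

Escaping of this kind is only correct when the value lands inside a quoted SQL string literal and the connection character set is known; where the code base allows it, bound parameters (mysqli or PDO prepared statements) avoid the problem altogether.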