contenido\classes\class.security.php

Description: This object makes contenido more secure

Requirements:
- Author: Frederic Schneider
- Con_php_req: 5.0
- Copyright: four for business AG
- License: http://www.contenido.org/license/LIZENZ.txt
- Link: http://www.4fb.de
- Link: http://www.contenido.org
- Package: Contenido Backend classes
- Since: file available since contenido release 4.8.7
- TODO: Some features are the same as in HttpInputValidator (see contenido/classes/class.httpinputvalidator.php), merge them...
- Internal (change history):
  - created 2008-06-25
  - modified 2008-07-02, Frederic Schneider, added boolean functions and checkRequests()
  - modified 2008-07-04, Frederic Schneider, added test to valid contenido-session-var
  - modified 2008-07-23, Frederic Schneider, fixed stripslashes_deep functionality
  - modified 2008-07-31, Frederic Schneider, added escapeString() with fallback at escapeDB()
  - modified 2008-11-13, Timo Trautmann, also strip slashes if they were added automatically by php
  - modified 2010-05-20, Murat Purc, extended/added request parameter checks which are usable by Contenido startup process. Changed script terminations by die() to Exceptions.
  - modified 2010-09-30, Dominik Ziegler, added optional logging
  - modified 2010-11-22, Dominik Ziegler, fixed behaviour of isInteger [CON-365]
  - $Id: class.security.php 1238 2010-11-22 11:26:33Z dominik.ziegler $
- Version: 1.1.1
\Contenido_Security
Properties

array $_acceptedBelangValues = array('de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL')
- Type
- array

array $_forbiddenParameters = array('cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess')
- Type
- array

array $_mustbeNumericParameters = array('client', 'changeclient', 'lang', 'changelang', 'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart')
- Type
- array
Methods

checkFrontendGlobals() : void
Checks some global variables at frontend like $lang, $client, $changelang, $changeclient, $tmpchangelang.
Validates client and language related variables and ensures that their content is really a numeric value.
Logic in this function is taken over from front_content.php (v 4.8.12, line 164 - 192).
- TODO
- : Need a solution for used globals

checkRequestBelang() : bool | void
Checks the backend language parameter in the request.

| Type | Description |
|---|---|
| bool \| void | True on success, otherwise nothing. |

| Exception | Description |
|---|---|
| \Contenido_Security_Exception | if an existing backend language parameter is not valid |

checkRequestForbiddenParameter() : bool | void
Checks for forbidden parameters in the request.

| Type | Description |
|---|---|
| bool \| void | True on success, otherwise nothing. |

| Exception | Description |
|---|---|
| \Contenido_Security_Exception | if the request contains one of the forbidden parameters. |

checkRequestMustbeNumericParameter() : bool
Checks for parameters in the request that must be numeric.
Contrary to the other request checks, this method does not throw an exception. It just ensures that incoming values are really numeric by type casting them to an integer.

| Type | Description |
|---|---|
| bool | Just true |

checkRequestSession() : bool | void
Checks/validates an existing contenido session request parameter.

| Type | Description |
|---|---|
| bool \| void | True on success, otherwise nothing. |

| Exception | Description |
|---|---|
| \Contenido_Security_Exception | if the contenido parameter in the request does not match the required format |

checkRequests() : bool | void
Checks some Contenido core related request parameters against XSS.

| Type | Description |
|---|---|
| bool \| void | True on success, otherwise nothing. |

| Exception | Description |
|---|---|
| \Contenido_Security_Exception | if one of the checks fails |
- Access
- public
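As an added illustration of the startup request checks documented above (this is example code written for this page, not Contenido's own implementation, and it leaves out the optional logging the change history mentions): the forbidden parameter names are rejected, the backend language is validated against the accepted list, the must-be-numeric ids are cast to integers instead of rejected, and the session parameter is required to be plain ASCII. The function names, the `belang` request key, the exception class and the exact session-id pattern are assumptions; the page only says the parameter must match "the required format". Requires PHP 7.1 or later.

```php
<?php
// Added example for this page, not code from class.security.php.
// Function names, the 'belang' key, the exception class and the
// session-id pattern are assumptions.

class RequestCheckException extends Exception {}

// The same lists as the class properties documented on this page.
const ACCEPTED_BELANG_VALUES    = ['de_DE', 'en_US', 'fr_FR', 'it_IT', 'nl_NL'];
const FORBIDDEN_PARAMETERS      = ['cfg', 'cfgClient', 'contenido_path', '_PHPLIB', 'db', 'sess'];
const MUSTBE_NUMERIC_PARAMETERS = ['client', 'changeclient', 'lang', 'changelang',
                                   'idcat', 'idcatlang', 'idart', 'idartlang', 'idcatart'];

/**
 * Rejects any request that carries the name of a core variable; with
 * register_globals on, such a parameter would overwrite the real config,
 * database or session object, which is what the forbidden list guards against.
 */
function checkForbiddenParameters(array $request): void
{
    foreach (FORBIDDEN_PARAMETERS as $name) {
        if (array_key_exists($name, $request)) {
            throw new RequestCheckException("Forbidden request parameter: $name");
        }
    }
}

/** Validates an optional backend language against the accepted values (strict comparison). */
function checkBelang(array $request): void
{
    if (isset($request['belang']) && !in_array($request['belang'], ACCEPTED_BELANG_VALUES, true)) {
        throw new RequestCheckException('Invalid backend language');
    }
}

/**
 * Casts the id-style parameters to int instead of throwing; "2abc" becomes 2
 * and anything non-numeric becomes 0, so downstream code never sees a string here.
 */
function castNumericParameters(array $request): array
{
    foreach (MUSTBE_NUMERIC_PARAMETERS as $name) {
        if (array_key_exists($name, $request)) {
            $request[$name] = (int) $request[$name];
        }
    }
    return $request;
}

/**
 * Requires the contenido session parameter to be plain ASCII. The concrete
 * pattern (letters, digits, underscore, dash, 1-64 chars) is an assumption.
 */
function checkSessionParameter(array $request): void
{
    if (isset($request['contenido']) && !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $request['contenido'])) {
        throw new RequestCheckException('Session parameter has invalid format');
    }
}

/** Runs the checks in order and returns the request with numeric ids cast. */
function checkStartupRequest(array $request): array
{
    checkForbiddenParameters($request);
    checkBelang($request);
    checkSessionParameter($request);
    return castNumericParameters($request);
}

// Constructed sample requests (not captured from a real installation).
$ok = ['client' => '1', 'lang' => '2abc', 'idart' => '17', 'belang' => 'de_DE', 'contenido' => 'a1b2c3'];
var_dump(checkStartupRequest($ok)); // lang arrives as int(2), idart as int(17)

foreach ([['cfg' => 'x'], ['belang' => 'xx_XX'], ['contenido' => "abc\x00"]] as $bad) {
    try {
        checkStartupRequest($bad);
    } catch (RequestCheckException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The order matters in the same way it does for the real class: the throwing checks run first, and the numeric cast only happens once the request has passed them, so a request that is rejected never reaches code that trusts the ids.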

checkSession() : true
Also checks that the contenido var (session) is ASCII, but works as a wrapper around checkRequestSession().

| Type | Description |
|---|---|
| true | |

| Exception | Description |
|---|---|
| \Contenido_Security_Exception | if the contenido parameter in the request does not match the required format |
- Access
- public
- Deprecated
- Use checkRequestSession() instead due to better naming conventions
- TODO
- : Should be removed, but later, in a few years...

escapeDB(string $sString, \DB_Contenido $oDB, boolean $bUndoAddSlashes = true) : string
Escapes a query string with mysql_real_escape_string.

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |
| $oDB | \DB_Contenido | contenido database object |
| $bUndoAddSlashes | boolean | flag for undoing addslashes (optional, default: true) |

| Type | Description |
|---|---|
| string | converted string |
- Static

escapeString(string $sString) : string
Escapes a query string with addslashes.

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |

| Type | Description |
|---|---|
| string | converted string |
- Static

filter(string $sString, \DB_Contenido $oDb) : string
Escapes a string using the contenido urlencoding method and escapes it for inserting via the database object.

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |
| $oDb | \DB_Contenido | contenido database object |

| Type | Description |
|---|---|
| string | filtered string |
- Static

getAcceptedBelangValues() : array
Returns accepted backend language values.

| Type | Description |
|---|---|
| array | |

getForbiddenParameters() : array
Returns forbidden request parameters.

| Type | Description |
|---|---|
| array | |

getMustbeNumericParameters() : array
Returns request parameters that must be numeric.

| Type | Description |
|---|---|
| array | |

isBoolean(string $sVar) : boolean
Check: does the variable hold a boolean value?

| Name | Type | Description |
|---|---|---|
| $sVar | string | input string |

| Type | Description |
|---|---|
| boolean | check state |
- Static

isInteger(string $sVar) : boolean
Check: is the variable an integer?

| Name | Type | Description |
|---|---|---|
| $sVar | string | input string |

| Type | Description |
|---|---|
| boolean | check state |
- Static

isString(string $sVar) : boolean
Check: is the variable a string?

| Name | Type | Description |
|---|---|---|
| $sVar | string | input string |

| Type | Description |
|---|---|
| boolean | check state |
- Static

toBoolean(string $sString) : boolean
Converts a string to a boolean.

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |

| Type | Description |
|---|---|
| boolean | type cast input string |
- Static

toInteger(string $sString) : integer
Converts a string to an integer.

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |

| Type | Description |
|---|---|
| integer | type cast input string |
- Static

toString(string $sString, boolean $bHTML = false, string $sAllowableTags = '') : string
Converts a string.

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |
| $bHTML | boolean | if true, check with strip_tags and stripslashes |
| $sAllowableTags | string | allowable tags if $bHTML is true |

| Type | Description |
|---|---|
| string | converted string |
- Static

unFilter(string $sString) : string
Reverts the effect of method filter().

| Name | Type | Description |
|---|---|---|
| $sString | string | input string |

| Type | Description |
|---|---|
| string | unfiltered string |
- Static