<?php
/**
*
* @category security
* @package framework
* @author ISTeam easy-Project
* @copyright 2009-2010, Independend-Software-Team
* @link http://easy.isteam.de/
* @license http://creativecommons.org/licenses/by-nc-nd/3.0/de/
* @platform WebsiteBaker 2.8.x
* @requirements PHP 4.4.9 and higher
* @version $Id: class.secureform.php 1337 2010-04-27 18:09:10Z Luisehahne $
* @filesource $HeadURL: svn://isteam.dynxs.de/wb-archiv/branches/2.8.x/wb/framework/class.secureform.php $
* @lastmodified $Date: 2010-04-27 20:09:10 +0200 (Tue, 27 Apr 2010) $
*
* SecureForm
* Version 0.1
*
* Creates one-time form transaction numbers (FTANs): a hidden field name/value pair
* that is stored in the session and accepted by checkFTAN() exactly once.
*/
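class SecureForm {

    /*
     * Token generated for the current request, or '' until getFTAN() first
     * creates one. Always 32 lowercase hex characters once set.
     */
    var $_FTAN = '';
    /* Not used by this class; kept so code that reads it keeps working. */
    var $_IDKEYs = array();

    /*
     * Constructor. Starts with no cached token; the first getFTAN() call
     * generates one and stores it in $_SESSION['FTAN'].
     */
    function __construct()
    {
        $this->_FTAN = '';
    }

    /*
     * PHP 4 style constructor kept for old callers. PHP 8 no longer treats
     * a method named after the class as the constructor, so it just delegates.
     */
    function SecureForm()
    {
        $this->__construct();
    }

    /*
     * Generates the 32-character hex token both halves of a FTAN are cut from.
     * @access private
     * @return string 32 lowercase hex characters
     */
    function _makeFTAN()
    {
        // Preferred path: the CSPRNG (PHP 7+). 16 bytes -> 32 hex characters,
        // the same shape as the md5() digest the old code produced, so the
        // substr() offsets in _splitFTAN() and the length check in checkFTAN()
        // stay valid. random_bytes() throws when no entropy source exists;
        // failing loudly beats issuing a guessable token.
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(16));
        }
        // Legacy fallback (pre-PHP 7 only): hash of the clock, some request
        // headers and mt_rand()/uniqid(). NOTE(review): this is not
        // cryptographically strong -- most of these inputs are observable or
        // guessable by the client -- it merely keeps old installs working.
        $clock = function_exists('microtime') ? microtime(true) : time();
        $entropy = '';
        $keys = array(
            'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING',
            'HTTP_ACCEPT_LANGUAGE', 'HTTP_CONNECTION', 'HTTP_USER_AGENT', 'SERVER_ADDR',
        );
        foreach ($keys as $key) {
            if (isset($_SERVER[$key])) {
                $entropy .= $_SERVER[$key];
            }
        }
        if ($entropy === '') {
            $entropy = 'eXtremelyHotTomatoJuice';
        }
        return md5(uniqid((string)mt_rand(), true) . $clock . $entropy);
    }

    /*
     * Cuts the hidden-field name (FTAN0) and value (FTAN1) out of a token.
     * Both are 'a' followed by 10 hex characters, so they are safe to embed
     * in an HTML attribute without further escaping.
     * @access private
     * @param string $ftan 32 hex characters
     * @return array with keys 'FTAN0' and 'FTAN1'
     */
    function _splitFTAN($ftan)
    {
        // The original read hexdec(substr($ftan, 1)) here -- 31 hex digits, a
        // float far outside the string -- which made the name offset meaningless
        // and trips the float-to-int deprecation on PHP 8.1+. One hex digit
        // (0..15) is clearly what was meant and mirrors the value line below:
        // name comes from offset -(10..25), value from offset 0..15, both
        // 10 characters long and always inside the 32-character token.
        $name = 'a' . substr($ftan, -(10 + hexdec(substr($ftan, 1, 1))), 10);
        $value = 'a' . substr($ftan, hexdec(substr($ftan, -1)), 10);
        return array('FTAN0' => $name, 'FTAN1' => $value);
    }

    /*
     * Compares the submitted token against the expected one. Uses a
     * constant-time comparison where PHP provides one (5.6+).
     * @access private
     * @param string $expected
     * @param string $received
     * @return bool
     */
    function _sameFTAN($expected, $received)
    {
        if (function_exists('hash_equals')) {
            return hash_equals($expected, $received);
        }
        return $expected === $received;
    }

    /*
     * Creates the form transaction number for this request.
     * @access public
     * @param bool $as_tag: true returns a complete prepared, hidden HTML-Input-Tag (default)
     *                      false returns an array including FTAN0 and FTAN1
     * @return mixed: array or string
     *
     * requirements: session_start() must already have been called, otherwise
     * the token written to $_SESSION['FTAN'] does not survive to the next request.
     * Repeated calls within one request return the same token; a new one is
     * generated after checkFTAN() has consumed the old one.
     */
    function getFTAN($as_tag = true)
    {
        if ($this->_FTAN == '') {
            $this->_FTAN = $this->_makeFTAN();
            $_SESSION['FTAN'] = $this->_FTAN;
        }
        $pair = $this->_splitFTAN($this->_FTAN);
        if ($as_tag) {
            return '<input type="hidden" name="' . $pair['FTAN0'] . '" value="' . $pair['FTAN1'] . '" title="" />';
        }
        return $pair;
    }

    /*
     * Checks the received form transaction number against the session-stored one.
     * @access public
     * @param string $mode: request method POST (default) or GET
     * @return bool: true if the submitted value matches the stored token
     *
     * requirements: an active session must be available
     * The stored token is discarded on the first call whatever the outcome, so
     * a form can only be submitted once; history.back() + resubmit will fail.
     * The submitted field is blanked out so it does not leak into later processing.
     * A non-string submission (e.g. name[]=... turned into an array) is rejected
     * instead of raising a TypeError in the comparison.
     */
    function checkFTAN($mode = 'POST')
    {
        if (!isset($_SESSION['FTAN']) || !is_string($_SESSION['FTAN']) || strlen($_SESSION['FTAN']) != 32) {
            return false;
        }
        $pair = $this->_splitFTAN($_SESSION['FTAN']);
        // One-shot: drop the token before comparing so a second check with the
        // same value fails even if the comparison below errors out.
        unset($_SESSION['FTAN']);
        // Forget the cached copy too, otherwise a getFTAN() later in this
        // request would hand out a token that is no longer in the session.
        $this->_FTAN = '';
        $name = $pair['FTAN0'];
        $received = null;
        if (strtoupper($mode) == 'POST') {
            if (isset($_POST[$name])) {
                $received = $_POST[$name];
            }
            $_POST[$name] = '';
        } else {
            if (isset($_GET[$name])) {
                $received = $_GET[$name];
            }
            $_GET[$name] = '';
        }
        return is_string($received) && $this->_sameFTAN($pair['FTAN1'], $received);
    }
}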
?>