Revision 1358
Added by Dietmar over 13 years ago
class.secureform.php | ||
1 |
<?php |
|
2 |
/** |
|
3 |
* |
|
4 |
* @category security |
|
5 |
* @package framework |
|
6 |
* @author ISTeam easy-Project |
|
7 |
* @copyright 2009-2011, Independend-Software-Team |
|
8 |
* @link http://easy.isteam.de/ |
|
9 |
* @license http://creativecommons.org/licenses/by-nc-nd/3.0/de/ |
|
10 |
* @platform WebsiteBaker 2.8.x |
|
11 |
* @requirements PHP 5.2.2 and higher |
|
12 |
* @version $Id$ |
|
13 |
* @filesource $HeadURL$ |
|
14 |
* @lastmodified $Date$ |
|
15 |
* |
|
16 |
* SecureForm |
|
17 |
* Version 0.1 |
|
18 |
* |
|
19 |
* creates Formular transactionnumbers for unique use |
|
20 |
*/ |
|
21 |
|
|
22 |
class SecureForm { |
|
23 |
|
|
24 |
/* insert global vars here... */ |
|
25 |
|
|
26 |
var $_FTAN = ''; |
|
27 |
var $_IDKEYs = ''; |
|
28 |
var $_salt = ''; |
|
29 |
|
|
30 |
function SecureForm() |
|
31 |
{ |
|
32 |
// $this->__construct(); |
|
33 |
$this->_FTAN = ''; |
|
34 |
$this->_salt = $this->_generate_salt(); |
|
35 |
if(isset($_SESSION['IDKEYS'])) |
|
36 |
{ |
|
37 |
$this->_IDKEYs = $_SESSION['IDKEYS']; |
|
38 |
}else { |
|
39 |
$this->_IDKEYs = array(); |
|
40 |
} |
|
41 |
} |
|
42 |
// function __construct() |
|
43 |
// { |
|
44 |
// var $_FTAN = ''; |
|
45 |
// if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); } |
|
46 |
// } |
|
47 |
|
|
48 |
|
|
49 |
function _generate_salt() |
|
50 |
{ |
|
51 |
// server depending values |
|
52 |
$salt = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2'; |
|
53 |
$salt .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3'; |
|
54 |
$salt .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5'; |
|
55 |
$salt .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7'; |
|
56 |
$salt .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11'; |
|
57 |
$salt .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13'; |
|
58 |
$salt .= PHP_VERSION; |
|
59 |
// client depending values |
|
60 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17'; |
|
61 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19'; |
|
62 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23'; |
|
63 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29'; |
|
64 |
$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31'; |
|
65 |
$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37'; |
|
66 |
return $salt; |
|
67 |
} |
|
68 |
/* |
|
69 |
* creates Formular transactionnumbers for unique use |
|
70 |
* @access public |
|
71 |
* @param bool $asTAG: 1 returns a complete prepared, hidden HTML-Input-Tag (default) |
|
72 |
* 2 returns a key value pair (prepared as a GET parameter) |
|
73 |
* anything else returns an array including FTAN0 and FTAN1 |
|
74 |
* @return mixed: array or string |
|
75 |
* |
|
76 |
* requirements: an active session must be available |
|
77 |
*/ |
|
78 |
function getFTAN( $as_tag = 1) |
|
79 |
{ |
|
80 |
if( $this->_FTAN == '') |
|
81 |
{ |
|
82 |
if(function_exists('microtime')) |
|
83 |
{ |
|
84 |
list($usec, $sec) = explode(" ", microtime()); |
|
85 |
$time = (string)((float)$usec + (float)$sec); |
|
86 |
}else{ |
|
87 |
$time = (string)time(); |
|
88 |
} |
|
89 |
$this->_FTAN = md5($time.$this->_salt); |
|
90 |
$_SESSION['FTAN'] = $this->_FTAN; |
|
91 |
|
|
92 |
} |
|
93 |
$ftan0 = 'a'.substr($this->_FTAN, -(10 + hexdec(substr($this->_FTAN, 1))), 10); |
|
94 |
$ftan1 = 'a'.substr($this->_FTAN, hexdec(substr($this->_FTAN, -1)), 10); |
|
95 |
if ($as_tag == 1) { |
|
96 |
return '<input type="hidden" name="'.$ftan0.'" value="'.$ftan1.'" title="" />'; |
|
97 |
} elseif ($as_tag == 2) { |
|
98 |
return "$ftan0=$ftan1"; |
|
99 |
} else { |
|
100 |
return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1); |
|
101 |
} |
|
102 |
} |
|
103 |
|
|
104 |
/* |
|
105 |
* checks received form-transactionnumbers against session-stored one |
|
106 |
* @access public |
|
107 |
* @param string $mode: requestmethode POST(default) or GET |
|
108 |
* @return bool: true if numbers matches against stored ones |
|
109 |
* |
|
110 |
* requirements: an active session must be available |
|
111 |
* this check will prevent from multiple sending a form. history.back() also will never work |
|
112 |
*/ |
|
113 |
function checkFTAN( $mode = 'POST') |
|
114 |
{ |
|
115 |
$retval = false; |
|
116 |
if(isset($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == strlen(md5('dummy'))) |
|
117 |
{ |
|
118 |
$ftan = $_SESSION['FTAN']; |
|
119 |
$ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10); |
|
120 |
$ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10); |
|
121 |
unset($_SESSION['FTAN']); |
|
122 |
if(strtoupper($mode) == 'POST') |
|
123 |
{ |
|
124 |
$retval = (isset($_POST[$ftan0]) && $_POST[$ftan0] == ($ftan1)); |
|
125 |
$_POST[$ftan0] = ''; |
|
126 |
}else{ |
|
127 |
$retval = (isset($_GET[$ftan0]) && $_GET[$ftan0] == ($ftan1)); |
|
128 |
$_GET[$ftan0] = ''; |
|
129 |
} |
|
130 |
} |
|
131 |
return $retval; |
|
132 |
} |
|
133 |
|
|
134 |
/* |
|
135 |
* save values in session and returns a ID-key |
|
136 |
* @access public |
|
137 |
* @param mixed $value: the value for witch a key shall generated and memorized |
|
138 |
* @return string: a MD5-Key to use instead of the real value |
|
139 |
* |
|
140 |
* requirements: an active session must be available |
|
141 |
*/ |
|
142 |
function getIDKEY($value) |
|
143 |
{ |
|
144 |
$isarray = is_array($value); |
|
145 |
if( $isarray ) { $value = serialize($value); } |
|
146 |
$key = md5($this->_salt.(string)$value); |
|
147 |
if( $isarray ) { $key[5] = 'h'; } |
|
148 |
$added = false; |
|
149 |
while(!$added) |
|
150 |
{ |
|
151 |
if( !array_key_exists($key, $this->_IDKEYs) ) |
|
152 |
{ |
|
153 |
$this->_IDKEYs[$key] = $value; |
|
154 |
$added = true; |
|
155 |
}else { |
|
156 |
// if key already exist, increment the last four digits until the key is unique |
|
157 |
$key = substr($key, -4).dechex(('0x'.substr($key0, -4)) + 1); |
|
158 |
} |
|
159 |
} |
|
160 |
$_SESSION['IDKEYS'] = $this->_IDKEYs; |
|
161 |
return $key; |
|
162 |
} |
|
163 |
|
|
164 |
/* |
|
165 |
* search for key in session and returns the original value |
|
166 |
* @access public |
|
167 |
* @param string $key: the alias-key from the original value |
|
168 |
* @return mixed: the original value (string, numeric, array) or NULL if request fails |
|
169 |
* |
|
170 |
* requirements: an active session must be available |
|
171 |
*/ |
|
172 |
function checkIDKEY( $key ) |
|
173 |
{ |
|
174 |
$value = null; |
|
175 |
if( array_key_exists($key, $this->_IDKEYs)) |
|
176 |
{ |
|
177 |
$value = $this->_IDKEYs[$key]; |
|
178 |
unset($this->_IDKEYs[$key]); |
|
179 |
$_SESSION['IDKEYS'] = $this->_IDKEYs; |
|
180 |
if($value[5] == 'h') { $value = unserialize($value); } |
|
181 |
} |
|
182 |
return $value; |
|
183 |
} |
|
184 |
//put your code here |
|
185 |
} |
|
1 |
<?php |
|
2 |
/** |
|
3 |
* |
|
4 |
* @category security |
|
5 |
* @package framework |
|
6 |
* @author ISTeam easy-Project |
|
7 |
* @copyright 2009-2011, Independend-Software-Team |
|
8 |
* @link http://easy.isteam.de/ |
|
9 |
* @license http://creativecommons.org/licenses/by-nc-nd/3.0/de/ |
|
10 |
* @platform WebsiteBaker 2.8.x |
|
11 |
* @requirements PHP 5.2.2 and higher |
|
12 |
* @version $Id$ |
|
13 |
* @filesource $HeadURL$ |
|
14 |
* @lastmodified $Date$ |
|
15 |
* |
|
16 |
* SecureForm |
|
17 |
* Version 0.1 |
|
18 |
* |
|
19 |
* creates Formular transactionnumbers for unique use |
|
20 |
*/ |
|
21 |
|
|
22 |
class SecureForm { |
|
23 |
|
|
24 |
/* insert global vars here... */ |
|
25 |
|
|
26 |
var $_FTAN = ''; |
|
27 |
var $_IDKEYs = ''; |
|
28 |
var $_salt = ''; |
|
29 |
|
|
30 |
function SecureForm() |
|
31 |
{ |
|
32 |
// $this->__construct(); |
|
33 |
$this->_FTAN = ''; |
|
34 |
$this->_salt = $this->_generate_salt(); |
|
35 |
if(isset($_SESSION['IDKEYS'])) |
|
36 |
{ |
|
37 |
$this->_IDKEYs = $_SESSION['IDKEYS']; |
|
38 |
}else { |
|
39 |
$this->_IDKEYs = array(); |
|
40 |
} |
|
41 |
} |
|
42 |
// function __construct() |
|
43 |
// { |
|
44 |
// var $_FTAN = ''; |
|
45 |
// if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); } |
|
46 |
// } |
|
47 |
|
|
48 |
|
|
49 |
function _generate_salt() |
|
50 |
{ |
|
51 |
// server depending values |
|
52 |
$salt = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2'; |
|
53 |
$salt .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3'; |
|
54 |
$salt .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5'; |
|
55 |
$salt .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7'; |
|
56 |
$salt .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11'; |
|
57 |
$salt .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13'; |
|
58 |
$salt .= PHP_VERSION; |
|
59 |
// client depending values |
|
60 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17'; |
|
61 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19'; |
|
62 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23'; |
|
63 |
$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29'; |
|
64 |
$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31'; |
|
65 |
$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37'; |
|
66 |
return $salt; |
|
67 |
} |
|
68 |
/* |
|
69 |
* creates Formular transactionnumbers for unique use |
|
70 |
* @access public |
|
71 |
* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default) |
|
72 |
* false returns an array including FTAN0 and FTAN1 |
|
73 |
* @return mixed: array or string |
|
74 |
* |
|
75 |
* requirements: an active session must be available |
|
76 |
*/ |
|
77 |
function getFTAN( $as_tag = true) |
|
78 |
{ |
|
79 |
if( $this->_FTAN == '') |
|
80 |
{ |
|
81 |
if(function_exists('microtime')) |
|
82 |
{ |
|
83 |
list($usec, $sec) = explode(" ", microtime()); |
|
84 |
$time = (string)((float)$usec + (float)$sec); |
|
85 |
}else{ |
|
86 |
$time = (string)time(); |
|
87 |
} |
|
88 |
$this->_FTAN = md5($time.$this->_salt); |
|
89 |
$_SESSION['FTAN'] = $this->_FTAN; |
|
90 |
|
|
91 |
} |
|
92 |
$ftan0 = 'a'.substr($this->_FTAN, -(10 + hexdec(substr($this->_FTAN, 1))), 10); |
|
93 |
$ftan1 = 'a'.substr($this->_FTAN, hexdec(substr($this->_FTAN, -1)), 10); |
|
94 |
if($as_tag == true) |
|
95 |
{ |
|
96 |
return '<input type="hidden" name="'.$ftan0.'" value="'.$ftan1.'" title="" />'; |
|
97 |
}else{ |
|
98 |
return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1); |
|
99 |
} |
|
100 |
} |
|
101 |
|
|
102 |
/* |
|
103 |
* checks received form-transactionnumbers against session-stored one |
|
104 |
* @access public |
|
105 |
* @param string $mode: requestmethode POST(default) or GET |
|
106 |
* @return bool: true if numbers matches against stored ones |
|
107 |
* |
|
108 |
* requirements: an active session must be available |
|
109 |
* this check will prevent from multiple sending a form. history.back() also will never work |
|
110 |
*/ |
|
111 |
function checkFTAN( $mode = 'POST') |
|
112 |
{ |
|
113 |
$retval = false; |
|
114 |
if(isset($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == strlen(md5('dummy'))) |
|
115 |
{ |
|
116 |
$ftan = $_SESSION['FTAN']; |
|
117 |
$ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10); |
|
118 |
$ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10); |
|
119 |
unset($_SESSION['FTAN']); |
|
120 |
if(strtoupper($mode) == 'POST') |
|
121 |
{ |
|
122 |
$retval = (isset($_POST[$ftan0]) && $_POST[$ftan0] == ($ftan1)); |
|
123 |
$_POST[$ftan0] = ''; |
|
124 |
}else{ |
|
125 |
$retval = (isset($_GET[$ftan0]) && $_GET[$ftan0] == ($ftan1)); |
|
126 |
$_GET[$ftan0] = ''; |
|
127 |
} |
|
128 |
} |
|
129 |
return $retval; |
|
130 |
} |
|
131 |
|
|
132 |
/* |
|
133 |
* save values in session and returns a ID-key |
|
134 |
* @access public |
|
135 |
* @param mixed $value: the value for witch a key shall generated and memorized |
|
136 |
* @return string: a MD5-Key to use instead of the real value |
|
137 |
* |
|
138 |
* requirements: an active session must be available |
|
139 |
*/ |
|
140 |
function getIDKEY($value) |
|
141 |
{ |
|
142 |
$isarray = is_array($value); |
|
143 |
if( $isarray ) { $value = serialize($value); } |
|
144 |
$key = md5($this->_salt.(string)$value); |
|
145 |
if( $isarray ) { $key[5] = 'h'; } |
|
146 |
$added = false; |
|
147 |
while(!$added) |
|
148 |
{ |
|
149 |
if( !array_key_exists($key, $this->_IDKEYs) ) |
|
150 |
{ |
|
151 |
$this->_IDKEYs[$key] = $value; |
|
152 |
$added = true; |
|
153 |
}else { |
|
154 |
// if key already exist, increment the last four digits until the key is unique |
|
155 |
$key = substr($key, -4).dechex(('0x'.substr($key0, -4)) + 1); |
|
156 |
} |
|
157 |
} |
|
158 |
$_SESSION['IDKEYS'] = $this->_IDKEYs; |
|
159 |
return $key; |
|
160 |
} |
|
161 |
|
|
162 |
/* |
|
163 |
* search for key in session and returns the original value |
|
164 |
* @access public |
|
165 |
* @param string $key: the alias-key from the original value |
|
166 |
* @return mixed: the original value (string, numeric, array) or NULL if request fails |
|
167 |
* |
|
168 |
* requirements: an active session must be available |
|
169 |
*/ |
|
170 |
function checkIDKEY( $key ) |
|
171 |
{ |
|
172 |
$value = null; |
|
173 |
if( array_key_exists($key, $this->_IDKEYs)) |
|
174 |
{ |
|
175 |
$value = $this->_IDKEYs[$key]; |
|
176 |
unset($this->_IDKEYs[$key]); |
|
177 |
$_SESSION['IDKEYS'] = $this->_IDKEYs; |
|
178 |
if($value[5] == 'h') { $value = unserialize($value); } |
|
179 |
} |
|
180 |
return $value; |
|
181 |
} |
|
182 |
//put your code here |
|
183 |
} |
|
186 | 184 |
?> |
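Review bot: checkIDKEY tests the wrong variable for the array marker: getIDKEY writes the marker into the key (`$key[5] = 'h'`), but checkIDKEY reads `$value[5]`, so a stored serialized array comes back as a string and a plain string value with `h` at offset 5 is handed to unserialize() and returns false; the check should read `if($key[5] == 'h') { $value = unserialize($value); }`. getIDKEY's collision branch references an undefined `$key0` and keeps only the last four characters of the key, which looks like `$key = substr($key, 0, -4).dechex(hexdec(substr($key, -4)) + 1);` was intended (an increment past `ffff` would still lengthen the key, so a bound or wrap is worth adding). In checkFTAN the token comparison uses loose `==` against `$_POST`/`$_GET`; `===` is the safer comparison for a string token and costs nothing here. Both copies of the file on this page carry the same lines, so the commit does not address these points.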
validation fixes in pages backend theme