<?php
/**
*
* @category security
* @package framework
* @author ISTeam easy-Project
* @copyright 2009-2011, Independend-Software-Team
* @link http://easy.isteam.de/
* @license http://creativecommons.org/licenses/by-nc-nd/3.0/de/
* @platform WebsiteBaker 2.8.x
* @requirements PHP 5.2.2 and higher
* @version $Id$
* @filesource $HeadURL$
* @lastmodified $Date$
*
* SecureForm
* Version 0.1
*
* creates form transaction numbers for single use
*/
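class SecureForm {

    /** @var string the current form transaction number (32 hex chars), '' until getFTAN() is called */
    public $_FTAN = '';
    /** @var array map alias-key => memorised value, mirrored into $_SESSION['IDKEYS'] */
    public $_IDKEYs = array();
    /** @var string per-request salt built from server settings and client request headers */
    public $_salt = '';

    /**
     * Builds the salt and loads the ID-key map from the session.
     *
     * $_SESSION['IDKEYS'] is only taken over when it really is an array; any
     * other content is dropped so the array_key_exists() calls below cannot fail.
     */
    function __construct()
    {
        $this->_FTAN = '';
        $this->_salt = $this->_generate_salt();
        if (isset($_SESSION['IDKEYS']) && is_array($_SESSION['IDKEYS'])) {
            $this->_IDKEYs = $_SESSION['IDKEYS'];
        } else {
            $this->_IDKEYs = array();
        }
    }

    /**
     * PHP 4 style constructor, kept for callers on old interpreters.
     *
     * Since PHP 7 a method named after its class is an ordinary method and no
     * longer runs on `new`, so all set-up lives in __construct() and this
     * only forwards to it.
     */
    function SecureForm()
    {
        $this->__construct();
    }

    /**
     * Builds the salt from server-side settings and the client's request headers.
     *
     * Every component falls back to a fixed literal when its $_SERVER entry is
     * missing, so the result is always a non-empty string. The salt is not a
     * secret: the HTTP_* part is chosen by the client, which is why getFTAN()
     * mixes in random data instead of relying on the salt alone.
     *
     * @return string
     */
    function _generate_salt()
    {
        // server depending values
        $server = array(
            'SERVER_SIGNATURE' => '2',
            'SERVER_SOFTWARE'  => '3',
            'SERVER_NAME'      => '5',
            'SERVER_ADDR'      => '7',
            'SERVER_PORT'      => '11',
            'SERVER_ADMIN'     => '13',
        );
        // client depending values
        $client = array(
            'HTTP_ACCEPT'          => '17',
            'HTTP_ACCEPT_CHARSET'  => '19',
            'HTTP_ACCEPT_ENCODING' => '23',
            'HTTP_ACCEPT_LANGUAGE' => '29',
            'HTTP_CONNECTION'      => '31',
            'HTTP_USER_AGENT'      => '37',
        );
        $salt = '';
        foreach ($server as $name => $fallback) {
            $salt .= isset($_SERVER[$name]) ? $_SERVER[$name] : $fallback;
        }
        $salt .= PHP_VERSION;
        foreach ($client as $name => $fallback) {
            $salt .= isset($_SERVER[$name]) ? $_SERVER[$name] : $fallback;
        }
        return $salt;
    }

    /**
     * Produces a fresh 32-character lower-case hex token.
     *
     * random_bytes() (PHP >= 7.0) is used when available. Older interpreters
     * fall back to hashing the clock, mt_rand() and uniqid() together with the
     * salt; that fallback is not a CSPRNG, so on those versions the token is
     * only as unpredictable as mt_rand().
     *
     * @return string 32 hex characters, the same shape as an md5() digest
     */
    function _random_hex32()
    {
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(16));
        }
        $time = (string)microtime(true);
        return md5($time . mt_rand() . uniqid('', true) . $this->_salt);
    }

    /**
     * Derives the public halves (field name, field value) from a full FTAN.
     *
     * Both halves are 10 hex characters prefixed with 'a' so they are usable as
     * HTML name/value tokens. The offsets come from one hex digit each (the
     * second and the last character, 0..15), so both slices always lie inside
     * the 32-character token. getFTAN() and checkFTAN() both go through this
     * helper, so the pair they compute can never disagree.
     *
     * @param string $ftan 32 hex characters
     * @return array list($ftan0, $ftan1)
     */
    function _ftan_pair($ftan)
    {
        $offset0 = 10 + hexdec(substr($ftan, 1, 1));
        $offset1 = hexdec(substr($ftan, -1));
        return array(
            'a' . substr($ftan, -$offset0, 10),
            'a' . substr($ftan, $offset1, 10),
        );
    }

    /**
     * Compares a request value with the expected token.
     *
     * Uses hash_equals() (constant time) where the interpreter offers it.
     *
     * @param mixed  $given    value taken from $_POST / $_GET
     * @param string $expected the locally derived value
     * @return bool
     */
    function _same_token($given, $expected)
    {
        if (!is_string($given)) {
            return false;   // e.g. field[]=... arrives as an array and can never match
        }
        if (function_exists('hash_equals')) {
            return hash_equals($expected, $given);
        }
        return $given === $expected;
    }

    /**
     * Creates the form transaction number (FTAN) for single use.
     *
     * The full token is generated once per instance, stored in
     * $_SESSION['FTAN'] and split into a name/value pair; checkFTAN()
     * recomputes the same pair from the session copy and removes it.
     *
     * @access public
     * @param bool $as_tag true (default): a complete prepared, hidden HTML input tag
     *                     false: array('FTAN0' => name, 'FTAN1' => value)
     * @return mixed string or array
     *
     * requirements: an active session must be available
     */
    function getFTAN($as_tag = true)
    {
        if ($this->_FTAN === '') {
            $this->_FTAN = $this->_random_hex32();
            $_SESSION['FTAN'] = $this->_FTAN;
        }
        list($ftan0, $ftan1) = $this->_ftan_pair($this->_FTAN);
        if ($as_tag == true) {
            return '<input type="hidden" name="' . $ftan0 . '" value="' . $ftan1 . '" title="" />';
        }
        return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1);
    }

    /**
     * Checks the received FTAN pair against the one stored in the session.
     *
     * The session copy is removed before the comparison, so every token is
     * accepted at most once: re-submitting a form (or history.back()) fails
     * the check. The request field is blanked afterwards and the cached token
     * is cleared, so a later getFTAN() on this instance mints a new one.
     *
     * @access public
     * @param string $mode request method, 'POST' (default) or 'GET'
     * @return bool true if the received pair matches the stored token
     *
     * requirements: an active session must be available
     */
    function checkFTAN($mode = 'POST')
    {
        $retval = false;
        // 32 = length of an md5 digest / of the tokens produced by _random_hex32()
        if (isset($_SESSION['FTAN']) && is_string($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == 32) {
            list($ftan0, $ftan1) = $this->_ftan_pair($_SESSION['FTAN']);
            unset($_SESSION['FTAN']);
            $this->_FTAN = '';
            if (strtoupper($mode) == 'POST') {
                $retval = isset($_POST[$ftan0]) && $this->_same_token($_POST[$ftan0], $ftan1);
                $_POST[$ftan0] = '';
            } else {
                $retval = isset($_GET[$ftan0]) && $this->_same_token($_GET[$ftan0], $ftan1);
                $_GET[$ftan0] = '';
            }
        }
        return $retval;
    }

    /**
     * Memorises a value in the session and returns an alias key for it.
     *
     * Arrays are serialised first and position 5 of their key is overwritten
     * with 'h' (a character md5 never produces) so checkIDKEY() knows to
     * unserialise. When the same value is registered again, the last four hex
     * digits of the key are incremented until the key is unused.
     *
     * @access public
     * @param mixed $value the value for which a key shall be generated and memorised
     * @return string a 32-character key to use instead of the real value
     *
     * requirements: an active session must be available
     */
    function getIDKEY($value)
    {
        $isarray = is_array($value);
        if ($isarray) {
            $value = serialize($value);
        }
        $key = md5($this->_salt . (string)$value);
        if ($isarray) {
            $key[5] = 'h';
        }
        while (array_key_exists($key, $this->_IDKEYs)) {
            $key = $this->_next_key($key);
        }
        $this->_IDKEYs[$key] = $value;
        $_SESSION['IDKEYS'] = $this->_IDKEYs;
        return $key;
    }

    /**
     * Increments the last four hex digits of $key, wrapping back to 0000.
     *
     * The rest of the key, including the array marker at position 5, is kept,
     * so 65536 registrations of the same value would be needed to exhaust
     * the key space.
     *
     * @param string $key
     * @return string
     */
    function _next_key($key)
    {
        $tail = (hexdec(substr($key, -4)) + 1) % 0x10000;
        return substr($key, 0, -4) . sprintf('%04x', $tail);
    }

    /**
     * Looks the alias key up in the session and returns the original value.
     *
     * The entry is removed, so a key works only once. Keys carrying the array
     * marker ('h' at position 5, set by getIDKEY()) are unserialised.
     *
     * @access public
     * @param string $key the alias key returned by getIDKEY()
     * @return mixed the original value (string, numeric, array) or NULL if the key is unknown
     *
     * requirements: an active session must be available
     */
    function checkIDKEY($key)
    {
        $value = null;
        if ((is_string($key) || is_int($key)) && array_key_exists($key, $this->_IDKEYs)) {
            $value = $this->_IDKEYs[$key];
            unset($this->_IDKEYs[$key]);
            $_SESSION['IDKEYS'] = $this->_IDKEYs;
            if (is_string($key) && strlen($key) > 5 && $key[5] === 'h') {
                // $value was produced by serialize() in getIDKEY() and comes from the
                // server-side session, not from the request. unserialize() still
                // instantiates any class named in the data, so the session store must
                // stay trustworthy (on PHP >= 7.0 'allowed_classes' can restrict this).
                $value = unserialize($value);
            }
        }
        return $value;
    }
}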
?>