  1 <?php
  2 
  3    namespace Alo\Statics;
  4 
  5    if (!defined('GEN_START')) {
  6       http_response_code(404);
  7       die();
  8    }
  9 
 10    /**
 11     * Handles hashing, tokens, randomising and other security operations
 12     *
 13     * @author Art <a.molcanovas@gmail.com>
 14     */
 15    abstract class Security {
 16 
 17       /**
 18        * Array of ASCII alphanumeric characters
 19        *
 20        * @var array
 21        */
 22       protected static $ascii_alphanum = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
 23 
 24       /**
 25        * The rest of the ASCII charset
 26        *
 27        * @var array
 28        */
 29       protected static $ascii_rest = [' ', '!', '"', '#', '$', '%', '\'', '(', ')', '*', '+', ',', '.', '/', ':', ';', '<', '=', '>', '?', '@', '[', '\\', ']', '^', '_', '`', '-', '{', '|', '}', '~'];
 30 
 31       /**
 32        * Defines the ascii charset subset as "the entire set"
 33        *
 34        * @var int
 35        */
 36       const ASCII_ALL = 0;
 37 
 38       /**
 39        * Defines the ascii charset subset as "only alphanumeric"
 40        *
 41        * @var int
 42        */
 43       const ASCII_ALPHANUM = 1;
 44 
 45       /**
 46        * Defines the ascii charset subset as "only non-alphanumeric"
 47        *
 48        * @var int
 49        */
 50       const ASCII_NONALPHANUM = 2;
 51 
 52       /**
 53        * Escapes a string or array (recursively) from XSS attacks
 54        *
 55        * @author Art <a.molcanovas@gmail.com>
 56        * @param string|array $item The item to be escaped
 57        * @return string|array
 58        */
 59       static function un_xss($item) {
 60          if (is_array($item)) {
 61             foreach ($item as &$v) {
 62                $v = escape($item);
 63             }
 64 
 65             return $item;
 66          } else {
 67             return is_scalar($item) ? htmlspecialchars($item, ENT_QUOTES | ENT_HTML5, 'UTF-8', false) : null;
 68          }
 69       }
 70 
 71       /**
 72        * Generates a string of random ASCII characters
 73        *
 74        * @author Art <a.molcanovas@gmail.com>
 75        * @param int $length The length of the string
 76        * @param int $subset Which subset to use - see class' ASCII_* constants
 77        * @return string
 78        */
 79       static function ascii_rand($length, $subset = self::ASCII_ALL) {
 80          switch ($subset) {
 81             case self::ASCII_ALPHANUM:
 82                $subset = self::$ascii_alphanum;
 83                break;
 84             case self::ASCII_NONALPHANUM:
 85                $subset = self::$ascii_rest;
 86                break;
 87             default:
 88                $subset = array_merge(self::$ascii_alphanum, self::$ascii_rest);
 89          }
 90 
 91          $count = count($subset) - 1;
 92 
 93          $r = '';
 94 
 95          for ($i = 0; $i < $length; $i++) {
 96             $r .= $subset[mt_rand(0, $count)];
 97          }
 98 
 99          return $r;
100       }
101 
102       /**
103        * Generates a token and sets it in session
104        *
105        * @author Art <a.molcanovas@gmail.com>
106        * @param string $token_name The token name
107        * @param string $hash       Which hash algorithm to use
108        * @return string The generated token
109        */
110       static function tokenGet($token_name, $hash = 'md5') {
111          $token = self::getUniqid($hash, 'token_' . $token_name);
112 
113          if (!\Alo::$session) {
114             trigger_error('Session handler not initialised or not assigned to \\Alo::$session. Token not saved in session.', E_USER_WARNING);
115          } else {
116             \Alo::$session->{$token_name} = $token;
117          }
118 
119          return $token;
120       }
121 
122       /**
123        * Checks if a token is valid
124        *
125        * @author Art <a.molcanovas@gmail.com>
126        * @param string $token_name The token name
127        * @param array  $data_array Which data array to check. Defaults to $_POST
128        * @return bool TRUE if the token is valid, false if not
129        */
130       static function tokenValid($token_name, array $data_array = null) {
131          if (!\Alo::$session) {
132             trigger_error('Session handler not initialised or not assigned to \\Alo::$session. FALSE will be returned. ', E_USER_WARNING);
133 
134             return false;
135          } else {
136             if ($data_array === null) {
137                $data_array = $_POST;
138             }
139 
140             $sess_token = \Alo::$session->{$token_name};
141 
142             return $sess_token && \get($data_array[$token_name]) && $sess_token == $data_array[$token_name];
143          }
144       }
145 
146       /**
147        * Removes a token from session data
148        *
149        * @author Art <a.molcanovas@gmail.com>
150        * @param string $token_name The token's name
151        * @return bool TRUE if the session handler was loaded, false if not
152        */
153       static function tokenRemove($token_name) {
154          if (\Alo::$session) {
155             \Alo::$session->delete($token_name);
156 
157             return true;
158          }
159 
160          return false;
161       }
162 
163       /**
164        * Returns an unhashed browser/IP fingerprint
165        *
166        * @author Art <a.molcanovas@gmail.com>
167        * @return string
168        */
169       static function getFingerprint() {
170          return '$%c0hYlc$kn!rZF' . \get($_SERVER['HTTP_USER_AGENT'])
171          . \get($_SERVER['HTTP_DNT']) . '^#J!kCRh&H4CKav'
172          . \get($_SERVER['HTTP_ACCEPT_LANGUAGE']) . 'h0&ThYYxk4YOD!g' . \get($_SERVER['REMOTE_ADDR']);
173       }
174 
175       /**
176        * Generates a unique identifier
177        *
178        * @author Art <a.molcanovas@gmail.com>
179        * @param string     $hash    Hash algorithm
180        * @param string|int $prefix  Prefix for the identifier
181        * @param int        $entropy Number of pseudo bytes used in entropy
182        * @return string
183        */
184       static function getUniqid($hash = 'md5', $prefix = null, $entropy = 50) {
185          $str = uniqid(mt_rand(PHP_INT_MIN, PHP_INT_MAX) . json_encode([
186                   $_COOKIE,
187                   $_REQUEST,
188                   $_FILES,
189                   $_ENV,
190                   $_GET,
191                   $_POST,
192                   $_SERVER
193                ]), true)
194             . $prefix . self::ascii_rand($entropy);
195 
196          if (function_exists('\openssl_random_pseudo_bytes')) {
197             $str .= \openssl_random_pseudo_bytes($entropy);
198          }
199 
200          return hash($hash, $str);
201       }
202 
203    }