3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.5 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2014
/**
 * Per-request cache of the session id resolved by sessionID(); NULL until
 * that method first fills it.
 */
static $_sessionID = NULL;
/**
 * Generate a private key per session and store in session.
 *
 * The key is read from the session under 'qfPrivateKey'; the generated value
 * is the concatenation of two md5() digests of uniqid(mt_rand(), TRUE) and is
 * written back under the same session key.
 *
 * NOTE(review): mt_rand() and uniqid() are not cryptographically secure
 * sources. Because this value is mixed into every form key produced by
 * get() and checked by validate(), a CSPRNG (openssl_random_pseudo_bytes()
 * is available from PHP 5.3) is the appropriate source if the form key is
 * relied on as an anti-tamper token rather than just a form identifier.
 *
 * NOTE(review): a guard that skips regeneration when the session already
 * holds a key is not visible in this excerpt — confirm the stored key is
 * reused rather than overwritten on every call.
 *
 * @return string private key for this session
 */
static function privateKey() {
  $session = CRM_Core_Session::singleton();
  self::$_key = $session->get('qfPrivateKey');
  // Two md5 digests of a uniqid()/mt_rand() seed — weak entropy, see note above.
  self::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
  $session->set('qfPrivateKey', self::$_key);
/**
 * Return the session id used when deriving form keys.
 *
 * Resolution order: the static cache self::$_sessionID, then the session
 * value stored under 'qfSessionID', then PHP's session_id(), which is then
 * written to the session so later requests read the same value back.
 *
 * @return mixed|null|string
 */
static function sessionID() {
  if (!self::$_sessionID) {
    $session = CRM_Core_Session::singleton();
    self::$_sessionID = $session->get('qfSessionID');
    if (!self::$_sessionID) {
      // Nothing stored yet: take the PHP session id and persist it so the
      // form keys derived from it remain checkable on later requests.
      self::$_sessionID = session_id();
      $session->set('qfSessionID', self::$_sessionID);
  return self::$_sessionID;
/**
 * Generate a form key based on form name, the current user session
 * and a private key. Modelled after drupal's form API.
 *
 * The key is md5(sessionID . name . privateKey), followed by '_' and a
 * number drawn with mt_rand(1, 10000) so the same form can be open in
 * several tabs. validate() range-checks that suffix but does not verify it
 * is unique, so two tabs may legitimately receive the same suffix.
 *
 * NOTE(review): in the visible code the suffix is appended unconditionally;
 * presumably this is meant to be gated on $addSequence — confirm.
 *
 * @param string $name name of the form
 * @param bool $addSequence should we add a unique sequence number to the end of the key
 *
 * @return string valid formID
 */
static function get($name, $addSequence = FALSE) {
  $privateKey = self::privateKey();
  $sessionID = self::sessionID();
  // No separator between the three parts; the private key is fixed-length,
  // so the hash input is still unambiguous for a given session.
  $key = md5($sessionID . $name . $privateKey);

  // now generate a random number between 1 and 10K and add it to the key
  // so that we can have forms in multiple tabs etc
  $key = $key . '_' . mt_rand(1, 10000);
/**
 * Validate a form key based on the form name.
 *
 * The key must be a string of the shape HASH_SEQ: SEQ must lie in 1..10000
 * (the range get() draws from) and HASH must equal
 * md5(sessionID . name . privateKey) for the current session.
 *
 * @param string $key the form key submitted with the form
 * @param string $name name of the form
 * @param bool $addSequence
 *
 * @return string $formKey if valid, else null
 */
static function validate($key, $name, $addSequence = FALSE) {
  // Reject anything that is not a string before explode()/comparison.
  if (!is_string($key)) {
  list($k, $t) = explode('_', $key);
  // Range-check the random suffix appended by get().
  if ($t < 1 || $t > 10000) {
  $privateKey = self::privateKey();
  $sessionID = self::sessionID();
  // NOTE(review): loose '!=' on two strings compares them numerically when
  // both look numeric (e.g. an md5 of the form "0e<digits>"), so a
  // mismatching but numerically-equal $k would pass; the comparison is also
  // not constant-time. Prefer a strict, timing-safe check (hash_equals() on
  // PHP >= 5.6, otherwise a strict '!==').
  if ($k != md5($sessionID . $name . $privateKey)) {
142 static function valid($key) {
143 // a valid key is a 32 digit hex number
144 // followed by an optional _ and a number between 1 and 10000
145 if (strpos('_', $key) !== FALSE) {
146 list($hash, $seq) = explode('_', $key);
148 // ensure seq is between 1 and 10000
149 if (!is_numeric($seq) ||
160 // ensure that hash is a 32 digit hex number
161 return preg_match('#[0-9a-f]{32}#i', $hash) ?
TRUE : FALSE;