3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.7 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2017 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2017
38 static $_sessionID = NULL;
41 * Generate a private key per session and store in session.
44 * private key for this session
46 public static function privateKey() {
48 $session = CRM_Core_Session
::singleton();
49 self
::$_key = $session->get('qfPrivateKey');
51 self
::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
52 $session->set('qfPrivateKey', self
::$_key);
59 * @return mixed|null|string
61 public static function sessionID() {
62 if (!self
::$_sessionID) {
63 $session = CRM_Core_Session
::singleton();
64 self
::$_sessionID = $session->get('qfSessionID');
65 if (!self
::$_sessionID) {
66 self
::$_sessionID = session_id();
67 $session->set('qfSessionID', self
::$_sessionID);
70 return self
::$_sessionID;
74 * Generate a form key based on form name, the current user session
75 * and a private key. Modelled after drupal's form API
78 * @param bool $addSequence
79 * Should we add a unique sequence number to the end of the key.
84 public static function get($name, $addSequence = FALSE) {
85 $privateKey = self
::privateKey();
86 $sessionID = self
::sessionID();
87 $key = md5($sessionID . $name . $privateKey);
90 // now generate a random number between 1 and 100K and add it to the key
91 // so that we can have forms in mutiple tabs etc
92 $key = $key . '_' . mt_rand(1, 10000);
98 * Validate a form key based on the form name.
101 * @param string $name
102 * @param bool $addSequence
105 * if valid, else null
107 public static function validate($key, $name, $addSequence = FALSE) {
108 if (!is_string($key)) {
113 list($k, $t) = explode('_', $key);
114 if ($t < 1 ||
$t > 10000) {
122 $privateKey = self
::privateKey();
123 $sessionID = self
::sessionID();
124 if ($k != md5($sessionID . $name . $privateKey)) {
135 public static function valid($key) {
136 // a valid key is a 32 digit hex number
137 // followed by an optional _ and a number between 1 and 10000
138 if (strpos('_', $key) !== FALSE) {
139 list($hash, $seq) = explode('_', $key);
141 // ensure seq is between 1 and 10000
142 if (!is_numeric($seq) ||
153 // ensure that hash is a 32 digit hex number
154 return preg_match('#[0-9a-f]{32}#i', $hash) ?
TRUE : FALSE;