637a3a61476f79d43f57c5295c5020c19df46cef
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
18 public static $_key = NULL;
20 public static $_sessionID = NULL;
23 * Generate a private key per session and store in session.
26 * private key for this session
28 public static function privateKey() {
30 $session = CRM_Core_Session
::singleton();
31 self
::$_key = $session->get('qfPrivateKey');
33 self
::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
34 $session->set('qfPrivateKey', self
::$_key);
41 * @return mixed|null|string
43 public static function sessionID() {
44 if (!self
::$_sessionID) {
45 $session = CRM_Core_Session
::singleton();
46 self
::$_sessionID = $session->get('qfSessionID');
47 if (!self
::$_sessionID) {
48 self
::$_sessionID = session_id();
49 $session->set('qfSessionID', self
::$_sessionID);
52 return self
::$_sessionID;
56 * Generate a form key based on form name, the current user session
57 * and a private key. Modelled after drupal's form API
60 * @param bool $addSequence
61 * Should we add a unique sequence number to the end of the key.
66 public static function get($name, $addSequence = FALSE) {
67 $privateKey = self
::privateKey();
68 $sessionID = self
::sessionID();
69 $key = md5($sessionID . $name . $privateKey);
72 // now generate a random number between 1 and 100K and add it to the key
73 // so that we can have forms in mutiple tabs etc
74 $key = $key . '_' . mt_rand(1, 10000);
80 * Validate a form key based on the form name.
84 * @param bool $addSequence
89 public static function validate($key, $name, $addSequence = FALSE) {
90 if (!is_string($key)) {
95 list($k, $t) = explode('_', $key);
96 if ($t < 1 ||
$t > 10000) {
104 $privateKey = self
::privateKey();
105 $sessionID = self
::sessionID();
106 if ($k != md5($sessionID . $name . $privateKey)) {
117 public static function valid($key) {
118 // a valid key is a 32 digit hex number
119 // followed by an optional _ and a number between 1 and 10000
120 if (strpos('_', $key) !== FALSE) {
121 list($hash, $seq) = explode('_', $key);
123 // ensure seq is between 1 and 10000
124 if (!is_numeric($seq) ||
135 // ensure that hash is a 32 digit hex number
136 return (bool) preg_match('#[0-9a-f]{32}#i', $hash);