3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2014
38 static $_sessionID = NULL;
41 * Generate a private key per session and store in session
44 * private key for this session
47 public static function privateKey() {
49 $session = CRM_Core_Session
::singleton();
50 self
::$_key = $session->get('qfPrivateKey');
52 self
::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
53 $session->set('qfPrivateKey', self
::$_key);
60 * @return mixed|null|string
62 public static function sessionID() {
63 if (!self
::$_sessionID) {
64 $session = CRM_Core_Session
::singleton();
65 self
::$_sessionID = $session->get('qfSessionID');
66 if (!self
::$_sessionID) {
67 self
::$_sessionID = session_id();
68 $session->set('qfSessionID', self
::$_sessionID);
71 return self
::$_sessionID;
75 * Generate a form key based on form name, the current user session
76 * and a private key. Modelled after drupal's form API
79 * @param bool $addSequence
80 * Should we add a unique sequence number to the end of the key.
86 public static function get($name, $addSequence = FALSE) {
87 $privateKey = self
::privateKey();
88 $sessionID = self
::sessionID();
89 $key = md5($sessionID . $name . $privateKey);
92 // now generate a random number between 1 and 100K and add it to the key
93 // so that we can have forms in mutiple tabs etc
94 $key = $key . '_' . mt_rand(1, 10000);
100 * Validate a form key based on the form name
103 * @param string $name
104 * @param bool $addSequence
107 * if valid, else null
110 public static function validate($key, $name, $addSequence = FALSE) {
111 if (!is_string($key)) {
116 list($k, $t) = explode('_', $key);
117 if ($t < 1 ||
$t > 10000) {
125 $privateKey = self
::privateKey();
126 $sessionID = self
::sessionID();
127 if ($k != md5($sessionID . $name . $privateKey)) {
138 public static function valid($key) {
139 // a valid key is a 32 digit hex number
140 // followed by an optional _ and a number between 1 and 10000
141 if (strpos('_', $key) !== FALSE) {
142 list($hash, $seq) = explode('_', $key);
144 // ensure seq is between 1 and 10000
145 if (!is_numeric($seq) ||
156 // ensure that hash is a 32 digit hex number
157 return preg_match('#[0-9a-f]{32}#i', $hash) ?
TRUE : FALSE;