3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.4 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2013 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2013
38 static $_sessionID = NULL;
41 * Generate a private key per session and store in session
43 * @return string private key for this session
47 static function privateKey() {
49 $session = CRM_Core_Session
::singleton();
50 self
::$_key = $session->get('qfPrivateKey');
52 self
::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
53 $session->set('qfPrivateKey', self
::$_key);
59 static function sessionID() {
60 if (!self
::$_sessionID) {
61 $session = CRM_Core_Session
::singleton();
62 self
::$_sessionID = $session->get('qfSessionID');
63 if (!self
::$_sessionID) {
64 self
::$_sessionID = session_id();
65 $session->set('qfSessionID', self
::$_sessionID);
68 return self
::$_sessionID;
72 * Generate a form key based on form name, the current user session
73 * and a private key. Modelled after drupal's form API
75 * @param string $value name of the form
76 * @paeam boolean $addSequence should we add a unique sequence number to the end of the key
78 * @return string valid formID
82 static function get($name, $addSequence = FALSE) {
83 $privateKey = self
::privateKey();
84 $sessionID = self
::sessionID();
85 $key = md5($sessionID . $name . $privateKey);
88 // now generate a random number between 1 and 100K and add it to the key
89 // so that we can have forms in mutiple tabs etc
90 $key = $key . '_' . mt_rand(1, 10000);
96 * Validate a form key based on the form name
98 * @param string $formKey
101 * @return string $formKey if valid, else null
105 static function validate($key, $name, $addSequence = FALSE) {
106 if (!is_string($key)) {
111 list($k, $t) = explode('_', $key);
112 if ($t < 1 ||
$t > 10000) {
120 $privateKey = self
::privateKey();
121 $sessionID = self
::sessionID();
122 if ($k != md5($sessionID . $name . $privateKey)) {
128 static function valid($key) {
129 // a valid key is a 32 digit hex number
130 // followed by an optional _ and a number between 1 and 10000
131 if (strpos('_', $key) !== FALSE) {
132 list($hash, $seq) = explode('_', $key);
134 // ensure seq is between 1 and 10000
135 if (!is_numeric($seq) ||
146 // ensure that hash is a 32 digit hex number
147 return preg_match('#[0-9a-f]{32}#i', $hash) ?
TRUE : FALSE;