3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
31 * @copyright CiviCRM LLC (c) 2004-2014
38 static $_sessionID = NULL;
41 * Generate a private key per session and store in session
43 * @return string private key for this session
46 public static function privateKey() {
48 $session = CRM_Core_Session
::singleton();
49 self
::$_key = $session->get('qfPrivateKey');
51 self
::$_key = md5(uniqid(mt_rand(), TRUE)) . md5(uniqid(mt_rand(), TRUE));
52 $session->set('qfPrivateKey', self
::$_key);
59 * @return mixed|null|string
61 public static function sessionID() {
62 if (!self
::$_sessionID) {
63 $session = CRM_Core_Session
::singleton();
64 self
::$_sessionID = $session->get('qfSessionID');
65 if (!self
::$_sessionID) {
66 self
::$_sessionID = session_id();
67 $session->set('qfSessionID', self
::$_sessionID);
70 return self
::$_sessionID;
74 * Generate a form key based on form name, the current user session
75 * and a private key. Modelled after drupal's form API
78 * @param bool $addSequence should we add a unique sequence number to the end of the key
80 * @return string valid formID
83 public static function get($name, $addSequence = FALSE) {
84 $privateKey = self
::privateKey();
85 $sessionID = self
::sessionID();
86 $key = md5($sessionID . $name . $privateKey);
89 // now generate a random number between 1 and 100K and add it to the key
90 // so that we can have forms in mutiple tabs etc
91 $key = $key . '_' . mt_rand(1, 10000);
97 * Validate a form key based on the form name
100 * @param string $name
101 * @param bool $addSequence
103 * @return string $formKey if valid, else null
106 public static function validate($key, $name, $addSequence = FALSE) {
107 if (!is_string($key)) {
112 list($k, $t) = explode('_', $key);
113 if ($t < 1 ||
$t > 10000) {
121 $privateKey = self
::privateKey();
122 $sessionID = self
::sessionID();
123 if ($k != md5($sessionID . $name . $privateKey)) {
134 public static function valid($key) {
135 // a valid key is a 32 digit hex number
136 // followed by an optional _ and a number between 1 and 10000
137 if (strpos('_', $key) !== FALSE) {
138 list($hash, $seq) = explode('_', $key);
140 // ensure seq is between 1 and 10000
141 if (!is_numeric($seq) ||
152 // ensure that hash is a 32 digit hex number
153 return preg_match('#[0-9a-f]{32}#i', $hash) ?
TRUE : FALSE;