$key = self::sign($name);
if ($addSequence) {
- // now generate a random number between 1 and 100K and add it to the key
+ // now generate a random number between 1 and 10000 and add it to the key
// so that we can have forms in mutiple tabs etc
$key = $key . '_' . mt_rand(1, 10000);
}
}
/**
- * The original version of this function, added circa 2010 and untouched
- * since then, seemed intended to check for a 32-digit hex string followed
- * optionally by an underscore and 4-digit number. But it had a bug where
- * the optional part was never checked ever. So have decided to remove that
- * second check to keep it simple since it seems like pseudo-security.
+ * Check that the key is well-formed. This does not check that the key is
+ * currently a key that is in use or belongs to a real form/session.
*
* @param string $key
*
* TRUE if the signature ($key) is well-formed.
*/
public static function valid($key) {
- // ensure that hash is a hex number (of expected length)
+ // ensure that key is an alphanumeric string of at least HASH_LENGTH with
+ // an optional underscore+digits at the end.
return preg_match('#^[0-9a-zA-Z]{' . self::HASH_LENGTH . ',}+(_\d+)?$#', $key) ? TRUE : FALSE;
}