}
/**
- * @param $key
+ * The original version of this function, added circa 2010 and untouched
+ * since then, seemed intended to check for a 32-digit hex string followed
+ * optionally by an underscore and 4-digit number. But it had a bug where
+ * the optional part was never checked ever. So have decided to remove that
+ * second check to keep it simple since it seems like pseudo-security.
+ *
+ * @param string $key
*
* @return bool
*/
public static function valid($key) {
- // a valid key is a 32 digit hex number
- // followed by an optional _ and a number between 1 and 10000
- if (strpos('_', $key) !== FALSE) {
- list($hash, $seq) = explode('_', $key);
-
- // ensure seq is between 1 and 10000
- if (!is_numeric($seq) ||
- $seq < 1 ||
- $seq > 10000
- ) {
- return FALSE;
- }
- }
- else {
- $hash = $key;
- }
-
- // ensure that hash is a 32 digit hex number
- return (bool) preg_match('#[0-9a-f]{32}#i', $hash);
+ // ensure that key contains a 32 digit hex string
+ return (bool) preg_match('#[0-9a-f]{32}#i', $key);
}
}
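Review bot: The new one-line body keeps the old code's unanchored pattern, so `preg_match('#[0-9a-f]{32}#i', $key)` accepts any string that merely contains 32 consecutive hex characters anywhere in it (arbitrary leading or trailing bytes, or a longer hex blob, still pass), which is looser than the "32-digit hex string" the new docblock promises. Anchoring it, `return (bool) preg_match('#^[0-9a-f]{32}$#i', $key);`, makes the check match the documentation; if the `_NNNN` suffix form the old comment described is still produced by callers, that would need to be allowed explicitly in the anchored pattern rather than by leaving it open. The docblock attributes the old bug to the optional part "never being checked" — the visible cause is the swapped arguments in `strpos('_', $key)` (needle and haystack reversed), and naming that in the comment would help the next reader. If the project's PHP floor allows, a native `string $key` parameter type would also back the added `@param string` annotation.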