PHP Class lithium\security\validation\FormSignature

Using the Security helper, FormSignature calculates a hash of all fields in a form, so that when the form is submitted, the fields may be validated to ensure that none were added or removed, and that fields designated as _locked_ have not had their values altered. To enable form signing in a view, simply call $this->security->sign() before generating your form. In the controller, you may then validate the request by passing $this->request to the check() method.
See also: lithium\template\helper\Security::sign()

Protected Properties

Property Type Description
$_classes array Class dependencies.
$_secret string wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY

Public Methods

Method Description
check ( array | object $data ) : boolean Validates form data using an embedded form signature string. The form signature string must be embedded in security.signature alongside the other data to check against.
config ( array $config = [] ) : array | void Configures the class or retrieves current class configuration.
key ( array $data ) : string Generates form signature string from form data.

Protected Methods

Method Description
_compile ( array $fields, array $locked, array $excluded ) : string Compiles form signature string. Will normalize input data and urlencode() it.
_parse ( string $string ) : array Parses form signature string.
_signature ( string $data ) : string Calculates signature over given data.

Method Details

_compile() protected static method

The signature is calculated over the locked and excluded fields as well as a hash of $fields. The $fields data itself does not become part of the final form signature string. The $fields hash is not signed separately, since it becomes part of the form signature string, which is signed as a whole.
protected static _compile ( array $fields, array $locked, array $excluded ) : string
$fields array
$locked array
$excluded array
return string The compiled form signature string that should be submitted with the form data in the form of: `::::`.

_parse() protected static method

Note: The parsed signature is not returned as it's not needed. The signature is verified by re-compiling the form signature string with the retrieved signature.
protected static _parse ( string $string ) : array
$string string
return array

_signature() protected static method

Will first derive a signing key from the secret key and the current date, then calculate the HMAC over the given data. This process is modelled after Amazon's _Message Signature Version 4_ but uses fewer key derivation steps, as less contextual information is available here. During key derivation the strings li3,1 and li3,1_form are inserted; 1 denotes the version of our signature algorithm and should be raised whenever the algorithm is changed. Derivation is needed so that the secret key is not revealed. Note: As the current date (year, month, day) is used to limit the lifetime of the derived key, a possible side effect is that a signature generated on day N does not verify on day N+1.
protected static _signature ( string $data ) : string
$data string The data to calculate the signature for.
return string The signature.

check() public static method

Note: Will ignore any other data inside security.*.
public static check ( array | object $data ) : boolean
$data array | object The form data as an array or an object with the data inside the `data` property.
return boolean `true` if the form data is valid, `false` if not.
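As an added illustration of how _compile(), _signature() and check() fit together (this is a constructed Python model of the scheme described above, not lithium's own code), field names contribute only a hash, locked name=value pairs and excluded names are carried in the clear, and the whole string is signed with a key derived from the secret and the current date. The derivation order, the use of SHA-512 and the `::` delimiters are assumptions of this model.

```python
import hashlib
import hmac
from datetime import date
from urllib.parse import parse_qsl, quote, unquote, urlencode

SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"  # the page's example key, never deploy it

def _signature(data: str, secret: str, day: date) -> str:
    # Derive a per-day key in a SigV4-like chain, then HMAC the data with it.
    # Step order and the choice of SHA-512 are assumptions of this model.
    key = hmac.new(("li3,1" + secret).encode(), day.strftime("%Y%m%d").encode(), hashlib.sha512).digest()
    key = hmac.new(key, b"li3,1_form", hashlib.sha512).digest()
    return hmac.new(key, data.encode(), hashlib.sha512).hexdigest()

def _enc_names(names) -> str:
    # urlencode() every name so "::", "&" and "=" can never occur inside a component.
    return "&".join(quote(n, safe="") for n in sorted(names))

def _compile(fields, locked: dict, excluded, secret: str, day: date) -> str:
    # Plain field *names* contribute only a hash; locked name=value pairs and
    # excluded names travel in the clear so check() can recover them.
    fields_hash = hashlib.sha512(_enc_names(fields).encode()).hexdigest()
    data = "::".join([fields_hash, urlencode(sorted(locked.items())), _enc_names(excluded)])
    return data + "::" + _signature(data, secret, day)

def _parse(string: str) -> dict:
    fields_hash, locked, excluded, signature = string.split("::")
    return {"fields": fields_hash, "signature": signature,
            "locked": dict(parse_qsl(locked, keep_blank_values=True)),
            "excluded": [unquote(p) for p in excluded.split("&") if p]}

def key(fields, locked: dict, excluded, secret: str = SECRET, day=None) -> str:
    # `fields` holds the names that are neither locked nor excluded.
    return _compile(fields, locked, excluded, secret, day or date.today())

def check(data: dict, secret: str = SECRET, day=None) -> bool:
    # Rebuild the string from what was actually submitted and compare it in
    # constant time with the embedded one; other security.* data is ignored.
    string = data.get("security", {}).get("signature", "")
    if string.count("::") != 3:
        return False
    parsed = _parse(string)
    locked = {n: str(data.get(n, "")) for n in parsed["locked"]}  # submitted locked values
    fields = [n for n in data if n != "security" and n not in locked and n not in parsed["excluded"]]
    expected = _compile(fields, locked, parsed["excluded"], secret, day or date.today())
    return hmac.compare_digest(expected.encode(), string.encode())
```

Passing an explicit `day` to both calls makes the day N / day N+1 caveat from _signature() reproducible in a test.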

config() public static method

Configures the class or retrieves current class configuration.
public static config ( array $config = [] ) : array | void
$config array Available configuration options are:
- `'classes'` _array_: May be used to inject dependencies.
- `'secret'` _string_: *Must* be provided.
return array | void If `$config` is empty, returns an array with the current configurations.

key() public static method

Generates form signature string from form data.
public static key ( array $data ) : string
$data array An array of fields, locked fields and excluded fields.
return string The form signature string.

Property Details

$_classes protected static property

Class dependencies.
protected static array $_classes
return array

$_secret protected static property

wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
protected static string $_secret
return string