CSSecurityUtils
in package
Collection of various convenience methods concerning security
This class offers a basic set of methods that will be helpful to write secure PHP source code.
Table of Contents
- ERROR_DIRECTORY_WRONG_RIGHT = 11011
- ERROR_ILLEGALDIRECTORY = 11006
- ERROR_INCLUDE_PATH_NOT_ALLOWED = 11008
- ERROR_REQUESTDATAFIELDMISMATCH = 11002
- ERROR_REQUESTDATAFORMATMISMATCH = 11001
- ERROR_REQUESTDATAMISSINGDATATYPE = 11005
- ERROR_REQUESTDATANOSECURITYHASH = 11003
- ERROR_REQUESTTARGETERROR = 11004
- ERROR_SECURITY_XML_IS_MISSING = 11007
- ERROR_VARIABLE_NOT_ALLOWED = 11010
- ERROR_VARIABLES_WRONG_RIGHT = 11012
- ERROR_WRONG_VARIABLE_FORMAT = 11009
- FILENAME_PATTERN = '/^([^\/\\\\:\"\|\?\*\<\>\.\s][^\/\\\\:\"\|\?\*\<\>]*)?[^\/\\\\:\"\|\?\*\<\>\.\s]$/'
- FOLDERNAME_PATTERN = '/^([^\/\\\\:\"\|\?\*\<\>\.\s][^\/\\\\:\"\|\?\*\<\>]*)?[^\/\\\\:\"\|\?\*\<\>\.\s]$/'
- ILLEGAL_SUBFOLDER_PATTERN = '/(^[\\\\]|^[\/])|((\.\.)|[\:\"\|\?\*\<\>])/'
- INPUT_DATATYPE_FIXED = 'fixed'
- INPUT_DATATYPE_INT = 'int'
- INPUT_DATATYPE_STRING = 'string'
- REQUESTSECURITYLEVEL_CORRECT = 'correct'
- REQUESTSECURITYLEVEL_EXCEPTION = 'exception'
- REQUESTSECURITYLEVEL_FULL = 'full'
- REQUESTSECURITYLEVEL_IGNORE = 'ignore'
- REQUESTSECURITYLEVEL_REMOVE = 'remove'
- SECURITY_FIELD_NAME = 'CSSecurityHash'
- SETTING_HTTP_HEADER = 'http_header'
- Available security setting names in the INI file.
- SETTING_HTTPS_ONLY = 'force_https'
- SETTING_HTTPS_PROXY = 'https_proxy'
- SETTING_UPLOAD_FILES = 'upload_files'
- SETTING_UPLOAD_RESTRICTED_FILETYPES = 'upload_restricted_filetypes'
- SETTING_WORKBENCH_ALLOWED_PATHS = 'workbench_allowed_paths'
- SETTING_WORKBENCH_ENABLED = 'workbench_enabled'
- SETTING_WRITE_RESTRICTED_FILETYPES = 'write_restricted_filetypes'
- VALIDATION_PROJECT_TYPE_ALL = 1
- Defines the available validation types for the project directory.
- VALIDATION_PROJECT_TYPE_CONF = 2
- VALIDATION_PROJECT_TYPE_DATA = 4
- VALIDATION_PROJECT_TYPE_EXPORTS = 32
- VALIDATION_PROJECT_TYPE_TEMPLATES = 16
- VALIDATION_PROJECT_TYPE_VOLUMES = 8
- VAR_TYPE_COOKIE = 'COOKIE'
- VAR_TYPE_GET = 'GET'
- VAR_TYPE_GETPOST = 'GETPOST'
- VAR_TYPE_POST = 'POST'
- VAR_TYPE_REQUEST = 'REQUEST'
- Available security variable types
- VAR_TYPE_SESSION = 'SESSION'
- $_DEBUG_MODE : mixed
- $_INCLUDE_CONTEXT : mixed
- $_INCLUDE_FILE : mixed
- $_SECURITY_XML : mixed
- $_VIOLATIONS : mixed
- $ERROR_VARIABLES : mixed
- $SECURED_VARS : mixed
- checkUploadedFile() : mixed
- displayErrors() : mixed
- evalCommand() : string
- Evaluates PHP code using eval(). It should always be used if only a return value is required and no local variables are modified.
- generateSecurityHash() : string
- Generates a security hash from all arguments passed to this method for use in forms or GET parameters.
- generateVariableSecurityHash() : mixed
- getAllowedPathsForSecuritySetting() : array<string|int, mixed>
- Returns the allowed paths for a given security settings key.
- getBoolSecuritySetting() : bool
- Returns a bool value for given Security setting key.
- getBoolVariable() : bool
- This function gets elements from forms and types them to a boolean.
- getCookieValues() : array<string|int, mixed>
- Returns the values of COOKIE and performs basic security checks.
- getEvalCommand() : string
- Checks whether php code may be evaluated
- getFileVariable() : string
- This function gets elements from forms and types them to a valid filename within a given directory.
- getFormValues() : array<string|int, mixed>
- Returns the values of an HTML form and performs basic security checks.
- getIntVariable() : int
- This function gets elements from forms and types them to an integer.
- getPHPEvalCode() : string
- Generates a unique hash for the given PHP code that is passed to the client's JavaScript. Additionally saves the PHP code in the session so that it can be evaluated later.
- getRequestValues() : array<string|int, mixed>
- Returns the values of a GET request and performs basic security checks.
- getSecuredURL() : mixed
- getSecuredURLParameter() : mixed
- getSecuredVariable() : string
- This function gets elements from forms and types them to a string.
- getSecurityHash() : string
- Returns the global security hash for the current session.
- getSecuritySetting() : mixed
- getServerSecurityHash() : string
- Returns a global security hash for the current server.
- getSessionPath() : mixed
- getSqlVariable() : string
- This function gets elements from forms and types them to strings.
- getStringVariable() : string
- This function gets elements from forms and types them to a string.
- getTypedValue() : mixed
- Converts a value to a given type.
- getUploadedFilesArray() : array<string|int, mixed>
- Returns an array of formatted $_FILES array.
- getUploadedFilesAsApi() : array<string|int, CSUploadedFile>
- Returns an array of CSUploadedFile objects representing uploaded files.
- getUploadedFilesValues() : array<string|int, mixed>
- Returns the values of the FILES variables and performs security checks.
- getUploadRestrictedFileTypes() : array<string|int, mixed>
- Returns an array with the upload restricted file types.
- getVariable() : mixed
- This function gets elements from forms, checks whether magic quotes are on and adds slashes if necessary.
- getViolationLogPath() : string
- Returns the path to the violation log
- getWriteRestrictedFileTypes() : array<string|int, mixed>
- Returns an array with the write restricted file types.
- getXssSecuredValue() : mixed
- Checks the given value for any XSS vulnerabilities and removes these vulnerabilities.
- init() : mixed
- Initialize the security.
- isCreationAllowedForFileType() : bool
- This method defines whether a specific file type may be created in CONTENTSERV through the UI. This is important for file operations in MAM, so dangerous file extensions can be forbidden (like PHP).
- isErrorLogBacktraceEnabled() : bool
- Returns a bool value indicating whether the PHP error log backtrace is enabled for debug.
- isFileUploadAllowed() : bool
- Checks if file upload is allowed.
- isSosMode() : mixed
- isUploadAllowedForFileTypeToFolder() : bool
- Checks if the given file type is allowed to be uploaded to given upload folder.
- isValidFieldValueForDefaultField() : bool
- Checks if the given field name and its value are of the valid type defined on the given Record object.
- mayWritePHPFiles() : bool
- Checks whether the security settings allow to write or modify php code or files
- overwriteVariable() : void
- This function stores values in the global variables for the current request, which can be received again using the get*Variable() methods.
- prepareInclude() : void
- Prepares the inclusion of a file in the security XML validation.
- quote() : string
- This function quotes a value to be used as value in an SQL query. This should be used to avoid SQL injections.
- removeMagickQuotes() : array<string|int, mixed>
- This method removes the "magic quotes" from the POST, GET or REQUEST array if "magic quotes" are activated.
- setPostBody() : void
- This function resets the $_POST array and adds the content of the HTTP body as BODY into the $_POST array. CAUTION: This method needs to be called BEFORE self::_prepareInclude() is called; otherwise it won't work.
- setSecuritySetting() : mixed
- validateAsAdminFile() : bool
- This function makes sure the given file resides within the "admin" directory hierarchy.
- validateAsAdminLocalFile() : bool
- This function makes sure the given file resides within the "admin.local" directory hierarchy.
- validateAsCSFile() : bool
- This function makes sure the given file is contained within the CONTENTSERV directory hierarchy.
- validateAsLocalFile() : bool
- This function makes sure the given file is not a URL, normally to avoid the inclusion of off-site scripts.
- validateAsNonSensibleFileForInclude() : bool
- This function makes sure that the requested file is not a sensitive one such as config.php, the CSSecurity files and .htaccess.
- validateAsProjectFile() : bool
- This function makes sure the given file is contained within the current project directory hierarchy.
- validateAsProjectName() : bool
- This function makes sure the given project name is valid.
- validateAsRelativePath() : bool
- This function makes sure the given path is not an absolute path.
- validateAsSafeExternalFile() : bool
- Validates if the given filepath is a safe external file.
- validateAsSecurityFile() : bool
- Validates a given security file path whether it can be used.
Constants

ERROR_DIRECTORY_WRONG_RIGHT
public mixed ERROR_DIRECTORY_WRONG_RIGHT = 11011

ERROR_ILLEGALDIRECTORY
public mixed ERROR_ILLEGALDIRECTORY = 11006

ERROR_INCLUDE_PATH_NOT_ALLOWED
public mixed ERROR_INCLUDE_PATH_NOT_ALLOWED = 11008

ERROR_REQUESTDATAFIELDMISMATCH
public mixed ERROR_REQUESTDATAFIELDMISMATCH = 11002

ERROR_REQUESTDATAFORMATMISMATCH
public mixed ERROR_REQUESTDATAFORMATMISMATCH = 11001

ERROR_REQUESTDATAMISSINGDATATYPE
public mixed ERROR_REQUESTDATAMISSINGDATATYPE = 11005

ERROR_REQUESTDATANOSECURITYHASH
public mixed ERROR_REQUESTDATANOSECURITYHASH = 11003

ERROR_REQUESTTARGETERROR
public mixed ERROR_REQUESTTARGETERROR = 11004

ERROR_SECURITY_XML_IS_MISSING
public mixed ERROR_SECURITY_XML_IS_MISSING = 11007

ERROR_VARIABLE_NOT_ALLOWED
public mixed ERROR_VARIABLE_NOT_ALLOWED = 11010

ERROR_VARIABLES_WRONG_RIGHT
public mixed ERROR_VARIABLES_WRONG_RIGHT = 11012

ERROR_WRONG_VARIABLE_FORMAT
public mixed ERROR_WRONG_VARIABLE_FORMAT = 11009

FILENAME_PATTERN
public mixed FILENAME_PATTERN = '/^([^\/\\\\:\"\|\?\*\<\>\.\s][^\/\\\\:\"\|\?\*\<\>]*)?[^\/\\\\:\"\|\?\*\<\>\.\s]$/'

FOLDERNAME_PATTERN
public mixed FOLDERNAME_PATTERN = '/^([^\/\\\\:\"\|\?\*\<\>\.\s][^\/\\\\:\"\|\?\*\<\>]*)?[^\/\\\\:\"\|\?\*\<\>\.\s]$/'

ILLEGAL_SUBFOLDER_PATTERN
public mixed ILLEGAL_SUBFOLDER_PATTERN = '/(^[\\\\]|^[\/])|((\.\.)|[\:\"\|\?\*\<\>])/'

INPUT_DATATYPE_FIXED
public mixed INPUT_DATATYPE_FIXED = 'fixed'

INPUT_DATATYPE_INT
public mixed INPUT_DATATYPE_INT = 'int'

INPUT_DATATYPE_STRING
public mixed INPUT_DATATYPE_STRING = 'string'

REQUESTSECURITYLEVEL_CORRECT
public mixed REQUESTSECURITYLEVEL_CORRECT = 'correct'

REQUESTSECURITYLEVEL_EXCEPTION
public mixed REQUESTSECURITYLEVEL_EXCEPTION = 'exception'

REQUESTSECURITYLEVEL_FULL
public mixed REQUESTSECURITYLEVEL_FULL = 'full'

REQUESTSECURITYLEVEL_IGNORE
public mixed REQUESTSECURITYLEVEL_IGNORE = 'ignore'

REQUESTSECURITYLEVEL_REMOVE
public mixed REQUESTSECURITYLEVEL_REMOVE = 'remove'

SECURITY_FIELD_NAME
public mixed SECURITY_FIELD_NAME = 'CSSecurityHash'

SETTING_HTTP_HEADER
Available security setting names in the INI file.
public string SETTING_HTTP_HEADER = 'http_header'

SETTING_HTTPS_ONLY
public mixed SETTING_HTTPS_ONLY = 'force_https'

SETTING_HTTPS_PROXY
public mixed SETTING_HTTPS_PROXY = 'https_proxy'

SETTING_UPLOAD_FILES
public mixed SETTING_UPLOAD_FILES = 'upload_files'

SETTING_UPLOAD_RESTRICTED_FILETYPES
public mixed SETTING_UPLOAD_RESTRICTED_FILETYPES = 'upload_restricted_filetypes'

SETTING_WORKBENCH_ALLOWED_PATHS
public mixed SETTING_WORKBENCH_ALLOWED_PATHS = 'workbench_allowed_paths'

SETTING_WORKBENCH_ENABLED
public mixed SETTING_WORKBENCH_ENABLED = 'workbench_enabled'

SETTING_WRITE_RESTRICTED_FILETYPES
public mixed SETTING_WRITE_RESTRICTED_FILETYPES = 'write_restricted_filetypes'

VALIDATION_PROJECT_TYPE_ALL
Defines the available validation types for the project directory.
public int VALIDATION_PROJECT_TYPE_ALL = 1

VALIDATION_PROJECT_TYPE_CONF
public mixed VALIDATION_PROJECT_TYPE_CONF = 2

VALIDATION_PROJECT_TYPE_DATA
public mixed VALIDATION_PROJECT_TYPE_DATA = 4

VALIDATION_PROJECT_TYPE_EXPORTS
public mixed VALIDATION_PROJECT_TYPE_EXPORTS = 32

VALIDATION_PROJECT_TYPE_TEMPLATES
public mixed VALIDATION_PROJECT_TYPE_TEMPLATES = 16

VALIDATION_PROJECT_TYPE_VOLUMES
public mixed VALIDATION_PROJECT_TYPE_VOLUMES = 8

VAR_TYPE_COOKIE
public mixed VAR_TYPE_COOKIE = 'COOKIE'

VAR_TYPE_GET
public mixed VAR_TYPE_GET = 'GET'

VAR_TYPE_GETPOST
public mixed VAR_TYPE_GETPOST = 'GETPOST'

VAR_TYPE_POST
public mixed VAR_TYPE_POST = 'POST'

VAR_TYPE_REQUEST
Available security variable types.
public string VAR_TYPE_REQUEST = 'REQUEST'

VAR_TYPE_SESSION
public mixed VAR_TYPE_SESSION = 'SESSION'
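The three path patterns above are plain PCRE strings, so their accept/reject behaviour can be checked outside the framework. The script below is an added example and is not part of the CSSecurityUtils reference or the CONTENTSERV code base: it copies FILENAME_PATTERN and ILLEGAL_SUBFOLDER_PATTERN literally (FOLDERNAME_PATTERN is identical to FILENAME_PATTERN) and runs them over constructed sample names, each paired with the result the pattern yields.

```php
<?php
// Added example, not part of CSSecurityUtils. The two constants below are copied
// verbatim from the reference; the sample names and expectations are constructed.
const FILENAME_PATTERN = '/^([^\/\\\\:\"\|\?\*\<\>\.\s][^\/\\\\:\"\|\?\*\<\>]*)?[^\/\\\\:\"\|\?\*\<\>\.\s]$/';
const ILLEGAL_SUBFOLDER_PATTERN = '/(^[\\\\]|^[\/])|((\.\.)|[\:\"\|\?\*\<\>])/';

// A name is a valid file (or folder) name when the whole string matches: the first
// and last character may not be a separator, a reserved character, a dot or
// whitespace; characters in between may additionally be dots or whitespace.
function isValidFileName(string $name): bool
{
    return preg_match(FILENAME_PATTERN, $name) === 1;
}

// A sub-folder path is legal when the pattern finds nothing to object to:
// no leading slash or backslash, no ".." anywhere, none of : " | ? * < >.
function isLegalSubfolder(string $path): bool
{
    return preg_match(ILLEGAL_SUBFOLDER_PATTERN, $path) === 0;
}

// Constructed samples, each paired with the result expected from the pattern.
$fileNameSamples = [
    'report.pdf'  => true,
    'a'           => true,   // the optional group is skipped for a one-character name
    'my file.txt' => true,   // inner whitespace is permitted by the middle class
    '.htaccess'   => false,  // leading dot
    'notes.'      => false,  // trailing dot
    ' padded'     => false,  // leading whitespace
    'dir/file'    => false,  // path separator
    'a:b'         => false,  // reserved character
    ''            => false,  // at least one character is required
];

$subfolderSamples = [
    'images/2024' => true,   // separators inside the path are fine
    './current'   => true,   // a single dot is not "..", so it passes
    'sub\\dir'    => true,   // backslash not in first position is not matched (see note)
    '../etc'      => false,  // parent-directory traversal
    '/absolute'   => false,  // leading slash
    '\\share'     => false,  // leading backslash
    'a..b'        => false,  // ".." anywhere in the string
    'c:\\tmp'     => false,  // colon is a reserved character
];

// Run every sample through its checker and flag any mismatch against expectation.
function runSamples(array $samples, callable $check, string $label): bool
{
    $allAsExpected = true;
    foreach ($samples as $value => $expected) {
        $actual = $check((string) $value);
        if ($actual !== $expected) {
            $allAsExpected = false;
        }
        printf("%-10s %-16s %-8s %s\n", $label, var_export((string) $value, true),
            $actual ? 'accepted' : 'rejected', $actual === $expected ? 'ok' : 'MISMATCH');
    }
    return $allAsExpected;
}

runSamples($fileNameSamples, 'isValidFileName', 'filename');
runSamples($subfolderSamples, 'isLegalSubfolder', 'subfolder');
```

Two properties of the patterns are worth knowing when calling the validate*/getFileVariable() methods that build on them: FILENAME_PATTERN allows whitespace and dots inside a name but not at either end, and ILLEGAL_SUBFOLDER_PATTERN only rejects a backslash in the first position, so on hosts where backslash is a separator the caller should normalise separators before handing the path to the check.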
Properties

$_DEBUG_MODE
public static mixed $_DEBUG_MODE

$_INCLUDE_CONTEXT
public static mixed $_INCLUDE_CONTEXT

$_INCLUDE_FILE
public static mixed $_INCLUDE_FILE

$_SECURITY_XML
public static mixed $_SECURITY_XML

$_VIOLATIONS
public static mixed $_VIOLATIONS

$ERROR_VARIABLES
public static mixed $ERROR_VARIABLES = array()

$SECURED_VARS
public static mixed $SECURED_VARS = array(self::VAR_TYPE_GET => array(), self::VAR_TYPE_POST => array())
Methods

checkUploadedFile()
public static checkUploadedFile(mixed $file) : mixed
Parameters
- $file : mixed
Return values
mixed

displayErrors()
public static displayErrors([mixed $displayWarnings = FALSE ]) : mixed
Parameters
- $displayWarnings : mixed = FALSE
Return values
mixed

evalCommand()
Evaluates PHP code using eval(). It should always be used if only a return value is required and no local variables are modified.
public static evalCommand(string $phpCode[, array<string|int, mixed> $context = array() ][, bool $isSecure = FALSE ]) : string
Parameters
- $phpCode : string
  The PHP code which should be passed to eval().
- $context : array<string|int, mixed> = array()
  Additional local variables which should be available as context, e.g. if array('row' => 12) is passed, $row is available inside the eval.
- $isSecure : bool = FALSE
  Whether the eval code has already been secured, e.g. because it consists of constants or other things which cannot have been passed via HTTP request variables.
Return values
string — the checked PHP code ($phpCode) if it is allowed
generateSecurityHash()
Generates a security hash from all arguments passed to this method for use in forms or GET parameters.
public static generateSecurityHash() : string
Return values
string — The security hash for the given parameters.

generateVariableSecurityHash()
public static generateVariableSecurityHash(mixed $params[, mixed $length = 3 ]) : mixed
Parameters
- $params : mixed
- $length : mixed = 3
Return values
mixed

getAllowedPathsForSecuritySetting()
Returns the allowed paths for a given security settings key.
public static getAllowedPathsForSecuritySetting(string $sSecuritySettingKey) : array<string|int, mixed>
Parameters
- $sSecuritySettingKey : string
  The security setting key.
Return values
array<string|int, mixed> — The allowed paths configured in the security settings.
getBoolSecuritySetting()
Returns a bool value for the given security setting key.
public static getBoolSecuritySetting(string $key) : bool
Parameters
- $key : string
Return values
bool

getBoolVariable()
This function gets elements from forms and types them to a boolean.
public static getBoolVariable(mixed $elementName[, string $requestType = '' ][, mixed $defaultValue = FALSE ]) : bool
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string = ''
  The source of the variable (SESSION, COOKIE, POST, GET or REQUEST) or an empty string if all sources (REQUEST and SESSION) should be searched. If SESSION is used, the session must have been started beforehand using sessionStart().
- $defaultValue : mixed = FALSE
  The value returned if the variable is not defined.
Return values
bool — formatted data from the request
getCookieValues()
Returns the values of COOKIE and performs basic security checks.
public static getCookieValues([string $sMode = null ]) : array<string|int, mixed>
Parameters
- $sMode : string = null
  One of the REQUESTSECURITYLEVEL_* constants, specifying the checks that should be performed. If not NULL, these checks override the default security settings implicitly defined via the CS global options in the "CSSecurity.ini" file.
Return values
array<string|int, mixed> — An array containing the values of all cookies.

getEvalCommand()
Checks whether PHP code may be evaluated.
public static getEvalCommand(string $phpCode[, bool $isSecure = FALSE ]) : string
Parameters
- $phpCode : string
  The PHP code which should be passed to eval().
- $isSecure : bool = FALSE
  Whether the eval code has already been secured, e.g. because it consists of constants or other things which cannot have been passed via HTTP request variables.
Return values
string — the checked PHP code ($phpCode) if it is allowed

getFileVariable()
This function gets elements from forms and types them to a valid filename within a given directory.
public static getFileVariable(mixed $elementName[, string $requestType = '' ][, mixed $directory = NULL ]) : string
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string = ''
  The source of the variable (SESSION, COOKIE, POST, GET or REQUEST) or an empty string if all sources (REQUEST and SESSION) should be searched. If SESSION is used, the session must have been started beforehand using sessionStart().
- $directory : mixed = NULL
  The directory the file should be within.
Return values
string — the secured file name
getFormValues()
Returns the values of an HTML form and performs basic security checks.
public static getFormValues([string $mode = NULL ]) : array<string|int, mixed>
Parameters
- $mode : string = NULL
  One of the REQUESTSECURITYLEVEL_* constants, specifying the checks that should be performed. If not NULL, these checks override the default security settings implicitly defined via the CS global options in the "CSSecurity.ini" file.
Return values
array<string|int, mixed> — An array containing the values of all fields transmitted by the form.

getIntVariable()
This function gets elements from forms and types them to an integer.
public static getIntVariable(mixed $elementName[, string $requestType = '' ], mixed $defaultValue) : int
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string = ''
  The source of the variable (SESSION, COOKIE, POST, GET or REQUEST) or an empty string if all sources (REQUEST and SESSION) should be searched. If SESSION is used, the session must have been started beforehand using sessionStart().
- $defaultValue : mixed
  The value returned if the variable is not defined.
Return values
int — formatted data from the request
getPHPEvalCode()
Generates a unique hash for the given PHP code that is passed to the client's JavaScript. Additionally saves the PHP code in the session so that it can be evaluated later.
public static getPHPEvalCode(string $phpCode) : string
Parameters
- $phpCode : string
  The PHP code to generate the hash for.
Return values
string — The hash for the given PHP code.

getRequestValues()
Returns the values of a GET request and performs basic security checks.
public static getRequestValues([string $mode = NULL ]) : array<string|int, mixed>
Parameters
- $mode : string = NULL
  One of the REQUESTSECURITYLEVEL_* constants, specifying the checks that should be performed. If not NULL, these checks override the default security settings implicitly defined via the CS global options in the "CSSecurity.ini" file.
Return values
array<string|int, mixed> — An array containing the values of all fields transmitted during the GET request.
getSecuredURL()
public static getSecuredURL(mixed $url) : mixed
Parameters
- $url : mixed
Return values
mixed

getSecuredURLParameter()
public static getSecuredURLParameter(mixed $key, mixed $value[, mixed $returnOnlySecurityParameter = FALSE ]) : mixed
Parameters
- $key : mixed
- $value : mixed
- $returnOnlySecurityParameter : mixed = FALSE
Return values
mixed

getSecuredVariable()
This function gets elements from forms and types them to a string.
public static getSecuredVariable(mixed $elementName[, string $requestType = '' ][, mixed $defaultValue = '' ]) : string
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string = ''
  The source of the variable (POST, GET or REQUEST) or an empty string if REQUEST should be searched.
- $defaultValue : mixed = ''
  The value returned if the variable is not defined.
Return values
string — formatted data from the request
getSecurityHash()
Returns the global security hash for the current session.
public static getSecurityHash() : string
Return values
string — The security hash.

getSecuritySetting()
public static getSecuritySetting(mixed $key) : mixed
Parameters
- $key : mixed
Return values
mixed

getServerSecurityHash()
Returns a global security hash for the current server.
public static getServerSecurityHash() : string
Return values
string — The global security hash for the current server.
getSessionPath()
public static getSessionPath() : mixed
Return values
mixed

getSqlVariable()
This function gets elements from forms and types them to strings.
public static getSqlVariable(mixed $elementName[, string $requestType = '' ][, mixed $defaultValue = '' ][, bool $addQuotes = TRUE ]) : string
Since addslashes() must be applied before a variable can be used safely in a query, this method does that for you. Additionally, quotes are added automatically before and after the variable.
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string = ''
  The source of the variable (SESSION, COOKIE, POST, GET or REQUEST) or an empty string if all sources (REQUEST and SESSION) should be searched. If SESSION is used, the session must have been started beforehand using sessionStart().
- $defaultValue : mixed = ''
  The value returned if the variable is not defined.
- $addQuotes : bool = TRUE
  Whether quotes should be added automatically, if necessary.
Return values
string — formatted data from the request
getStringVariable()
This function gets elements from forms and types them to a string.
public static getStringVariable(mixed $elementName[, string $requestType = '' ][, mixed $defaultValue = '' ][, bool $striptags = FALSE ]) : string
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string = ''
  The source of the variable (SESSION, COOKIE, POST, GET or REQUEST) or an empty string if all sources (REQUEST and SESSION) should be searched. If SESSION is used, the session must have been started beforehand using sessionStart().
- $defaultValue : mixed = ''
  The value returned if the variable is not defined.
- $striptags : bool = FALSE
  If this flag is set, all HTML tags are stripped automatically.
Return values
string — formatted data from the request

getTypedValue()
Converts a value to a given type.
public static getTypedValue(mixed $data[, string $variableType = 'html' ][, bool $bThrowException = false ]) : mixed
Parameters
- $data : mixed
  The data to cast.
- $variableType : string = 'html'
  The type of the variable. (Warning: not to be confused with PHP types!) List of valid type names: array, int, integer, double, float, email, file, subfolder, bool, boolean, checkbox, nohtml, htmlentities, htmlspecialchars, intlist, text, html, string, date, datetime. If an invalid type name is specified, the fallback type is "html" (== "string") and an error message is issued.
- $bThrowException : bool = false
  If set to true, this method throws an exception if an invalid variable type was passed. Otherwise only an error is shown.
Return values
mixed — The typed input value.
getUploadedFilesArray()
Returns a formatted version of the $_FILES array.
public static getUploadedFilesArray([string $sInputName = null ]) : array<string|int, mixed>
Parameters
- $sInputName : string = null
Return values
array<string|int, mixed>

getUploadedFilesAsApi()
Returns an array of CSUploadedFile objects representing uploaded files.
public static getUploadedFilesAsApi([string $sInputName = null ][, string $sFileName = '' ][, string $sFilePrefix = '' ][, string $sUploadDir = '' ]) : array<string|int, CSUploadedFile>
Parameters
- $sInputName : string = null
- $sFileName : string = ''
- $sFilePrefix : string = ''
- $sUploadDir : string = ''
Return values
array<string|int, CSUploadedFile>

getUploadedFilesValues()
Returns the values of the FILES variables and performs security checks.
public static getUploadedFilesValues([string $sMode = NULL ]) : array<string|int, mixed>
Parameters
- $sMode : string = NULL
  One of the REQUESTSECURITYLEVEL_* constants, specifying the checks that should be performed. If not NULL, these checks override the default security settings implicitly defined via the CS global options in the "CSSecurity.ini" file.
Return values
array<string|int, mixed> — An array containing the FILES values.

getUploadRestrictedFileTypes()
Returns an array with the upload-restricted file types.
public static getUploadRestrictedFileTypes() : array<string|int, mixed>
Return values
array<string|int, mixed> — The upload-restricted file types.
getVariable()
This function gets elements from forms, checks whether magic quotes are on and adds slashes if necessary.
public static getVariable(mixed $elementName[, string|array<string|int, mixed> $requestType = '' ][, mixed $defaultValue = null ][, string $variableType = '' ][, string $pattern = null ][, bool $addslashes = false ]) : mixed
Additionally, the expected type of the variable can be specified.
Parameters
- $elementName : mixed
  The name of the requested variable. Either a string or an array of strings; in the latter case each name is tried in turn until one is found to be defined.
- $requestType : string|array<string|int, mixed> = ''
  The source of the variable (SESSION, COOKIE, POST, GET or REQUEST) or an empty string if both REQUEST and SESSION should be searched. If SESSION is used, the session must have been started prior to the call to this method using sessionStart(). If an array is given, that array is searched instead.
- $defaultValue : mixed = null
  The value returned if the variable is not defined.
- $variableType : string = ''
  The required type of the variable: INT (INTEGER), DOUBLE (FLOAT), BOOLEAN, STRING [default], NOHTML (meaning no HTML tags) or ARRAY.
- $pattern : string = null
  PCRE pattern without enclosing slashes (e.g. foo?[123]+). If the pattern is not matched, the default value is returned.
- $addslashes : bool = false
  Controls whether magic quotes are added or removed automatically (regardless of the settings in php.ini).
Return values
mixed — The formatted data from the request.
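The following request handler is an added usage sketch assembled from the signatures documented on this page; it is not sample code from CONTENTSERV, and the table and column names, the allow-listed sort keys and the audit note are made up. It assumes CSSecurityUtils is loaded by the project's autoloader and shows the pattern the class is designed for: request data is only ever read through the typed accessors (with the $pattern parameter acting as an allow-list), SQL literals are built with getSqlVariable() or quote(), and anything echoed back into HTML passes through getXssSecuredValue().

```php
<?php
// Added usage sketch, not CONTENTSERV code. Table/column names are invented.
function handleItemRequest(): array
{
    // Integer ID from GET; the default 0 is returned when 'id' is not present.
    $recordId = CSSecurityUtils::getIntVariable('id', CSSecurityUtils::VAR_TYPE_GET, 0);

    // A sort key constrained to an allow-list through the $pattern parameter
    // (PCRE without enclosing slashes); anything else yields the default 'name'.
    $sortKey = CSSecurityUtils::getVariable(
        'sort', CSSecurityUtils::VAR_TYPE_GET, 'name', 'STRING', '^(name|date|size)$'
    );

    // Free text from POST with HTML tags stripped ($striptags = true).
    $comment = CSSecurityUtils::getStringVariable('comment', CSSecurityUtils::VAR_TYPE_POST, '', true);

    // A value destined for an SQL literal: getSqlVariable() escapes it and, with
    // $addQuotes = TRUE, wraps it in quotes, so it is concatenated as-is.
    $label = CSSecurityUtils::getSqlVariable('label', CSSecurityUtils::VAR_TYPE_POST, '', true);

    // $sortKey passed the allow-list pattern, so it is safe to use as a column token;
    // the integer ID needs no quoting.
    $selectSql = 'SELECT ID, Label FROM Items WHERE Label = ' . $label
        . ' AND ID = ' . $recordId . ' ORDER BY ' . $sortKey;

    // A value that did not come from the request goes through quote() before use.
    $auditNote = 'listed on ' . gethostname();
    $auditSql = 'INSERT INTO AuditLog (Note) VALUES (' . CSSecurityUtils::quote($auditNote) . ')';

    // Output rendered into HTML is passed through the XSS filter.
    $html = '<p>' . CSSecurityUtils::getXssSecuredValue($comment) . '</p>';

    return ['select' => $selectSql, 'audit' => $auditSql, 'html' => $html];
}
```

The point of routing every read through these accessors is that the superglobals are never touched directly: the type, the default and the allow-list pattern are declared at the single place where the value enters the application, which is also where the REQUESTSECURITYLEVEL_* checks and the security-hash validation take effect.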
getViolationLogPath()
Returns the path to the violation log.
public static getViolationLogPath() : string
Return values
string

getWriteRestrictedFileTypes()
Returns an array with the write-restricted file types.
public static getWriteRestrictedFileTypes() : array<string|int, mixed>
Return values
array<string|int, mixed> — The write-restricted file types.
getXssSecuredValue()
Checks the given value for XSS payloads and removes them.
public static getXssSecuredValue(mixed $mValue) : mixed
Parameters
- $mValue : mixed
Return values
mixed

init()
Initializes the security layer.
public static init() : mixed
Return values
mixed

isCreationAllowedForFileType()
This method defines whether a specific file type may be created in CONTENTSERV through the UI. This is important for file operations in MAM, so that dangerous file extensions (such as PHP) can be forbidden.
public static isCreationAllowedForFileType(string $sFileType) : bool
Parameters
- $sFileType : string
  The file type to check, i.e. whether a user in CS is allowed to create it.
Return values
bool — TRUE if the file can be created in the UI, otherwise FALSE.
isErrorLogBacktraceEnabled()
Returns a bool value indicating whether the PHP error log backtrace is enabled for debugging.
public static isErrorLogBacktraceEnabled() : bool
When enabled, a human-readable backtrace is generated and added to the PHP error log whenever an error or warning is caught. This setting is controlled via the "debug_php_error_log_backtrace" key in "CSSecurity.ini".
Return values
bool

isFileUploadAllowed()
Checks if file upload is allowed.
public static isFileUploadAllowed() : bool
Checks both php.ini and the CS security settings.
Return values
bool

isSosMode()
public static isSosMode() : mixed
Return values
mixed

isUploadAllowedForFileTypeToFolder()
Checks if the given file type is allowed to be uploaded to the given upload folder.
public static isUploadAllowedForFileTypeToFolder(string $sFileType[, string $sUploadFolderPath = '' ]) : bool
Parameters
- $sFileType : string
  The file type to check.
- $sUploadFolderPath : string = ''
  Path to the upload folder to check.
Return values
bool — TRUE if the file type is allowed to be uploaded to the given folder, otherwise FALSE.
isValidFieldValueForDefaultField()
Checks if the given field name and its value are of the valid type defined on the given Record object.
public static isValidFieldValueForDefaultField(Record $oRecord, string $sFieldName, mixed $mFieldValue) : bool
Can be used to prevent possible SQL injection.
Parameters
- $oRecord : Record
  The Record object against which the given field name should be checked.
- $sFieldName : string
  The field name which should be checked.
- $mFieldValue : mixed
  The field value which should be checked.
Return values
bool — Whether the given field name and field value are valid for the given Record.

mayWritePHPFiles()
Checks whether the security settings allow writing or modifying PHP code or files.
public static mayWritePHPFiles() : bool
Return values
bool — TRUE if allowed
overwriteVariable()
This function stores values in the global variables for the current request, which can be received again using the get*Variable() methods.
public
static overwriteVariable(mixed $elementName, mixed $newValue[, string $requestType = '' ][, bool $overwriteOnlyIfAlreadySet = false ]) : void
Parameters
- $elementName : mixed
-
The name of the requested variable. Either a string or an array of strings, which should be tested, if the variable has not been defined in the previous elementNames.
- $newValue : mixed
-
The value which should overwrite the original value.
- $requestType : string = ''
-
The source of variable (SESSION, COOKIE, POST, GET, REQUEST) or an empty string if both REQUEST and SESSION should be searched. If SESSION is used, the session must have been started prior to the call to this method using sessionStart().
- $overwriteOnlyIfAlreadySet : bool = false
-
If this flag is set, the variable is checked whether it is already set. In this case, only existing requests are overwritten. If the requestType is REQUEST or empty, the $_COOKIE or $_SESSION will never be added, even if this flag is set to TRUE. If this is required, the setVariable() method has to be called again with the request type SESSION or COOKIE.
Tags
Return values
void —prepareInclude()
Prepares the inclusion of a file in the security XML validation.
public
static prepareInclude(string $includeFile[, string $context = 'forward' ][, bool $debugMode = false ]) : void
Parameters
- $includeFile : string
-
The file path, which should be included in the security XML validation
- $context : string = 'forward'
-
The current context for the security XML validation.
- $debugMode : bool = false
-
If the debug mode should be activated or not.
Tags
Return values
void
quote()
This function quotes a value for use as a literal in an SQL query. It should be used to avoid SQL injection.
public
static quote(mixed $value) : string
Parameters
- $value : mixed
-
The value which should be quoted. It can either be a string, a numeric value or NULL.
Tags
Return values
string —The quoted value.
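The following is an added example, not code from CSSecurityUtils, that illustrates the contract documented for quote() (a string, a numeric value or NULL goes in, an SQL literal comes out) with a stand-alone helper, and contrasts it with raw string interpolation. The function names and the backslash escaping rules (MySQL style) are assumptions made for the demonstration.

```php
<?php
// Added example: stand-alone quoting helper with the same input contract as quote().
// Not the CSSecurityUtils implementation; names and escaping rules are assumptions.

/**
 * Turn a PHP value into an SQL literal that cannot break out of its quotes.
 * Strings are backslash-escaped and wrapped in single quotes, integers and floats
 * are emitted as bare numerals, and NULL becomes the SQL NULL keyword.
 */
function quoteValue(mixed $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;   // numeric literal, no quotes needed
    }
    // Escape every character that can terminate a quoted literal or confuse the parser
    // (MySQL-style escaping; other databases double the quote instead).
    $escaped = strtr((string) $value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
    return "'" . $escaped . "'";
}

/** Vulnerable pattern: request data is interpolated into the query unchanged. */
function buildQueryUnsafe(string $userName): string
{
    return "SELECT * FROM users WHERE name = '" . $userName . "'";
}

/** Hardened pattern: every untrusted value passes through quoteValue() first. */
function buildQuerySafe(mixed $userName): string
{
    return "SELECT * FROM users WHERE name = " . quoteValue($userName);
}

// Constructed sample input containing a classic quote-breakout attempt.
$input = "O'Brien' OR '1'='1";

echo buildQueryUnsafe($input), PHP_EOL;
echo buildQuerySafe($input), PHP_EOL;
echo buildQuerySafe(42), PHP_EOL;
echo buildQuerySafe(null), PHP_EOL;
```

With the sample input the unsafe builder yields `... WHERE name = 'O'Brien' OR '1'='1'`, where the injected `OR '1'='1'` has become part of the condition, while the quoted variant yields `... WHERE name = 'O\'Brien\' OR \'1\'=\'1'`, a single string literal. The numeric and NULL cases show why the helper must branch on the type: `'42'` would still be safe but `'NULL'` would compare against the text "NULL" rather than the SQL NULL. Quoting of this kind is the fallback; where the database layer offers prepared statements with bound parameters they should be preferred, because they keep data and query text separate without depending on the escaping rules of a particular database.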
removeMagickQuotes()
This method removes the "magic quotes" from the POST, GET or REQUEST array, if "magic quotes" are activated.
public
static removeMagickQuotes(array<string|int, mixed> $array) : array<string|int, mixed>
Parameters
- $array : array<string|int, mixed>
-
The request array to modify.
Tags
Return values
array<string|int, mixed> —If "magic quotes" are activated, they are removed from the input array's values. Otherwise, the input array is returned unchanged.
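The following is an added example, not the CSSecurityUtils code, of what removeMagickQuotes() describes: undoing magic_quotes_gpc on a request array while leaving the array untouched when the setting is off. The function name and the explicit $magicQuotesActive flag are assumptions; the flag stands in for the runtime check because PHP 8 removed get_magic_quotes_gpc().

```php
<?php
// Added example: recursive magic-quotes removal with a guard against double stripping.
// Not the CSSecurityUtils implementation; the function name and flag are assumptions.

/**
 * Recursively strip one level of backslash escaping from every string value in $array,
 * but only when magic quotes were actually applied. Stripping an array that was never
 * escaped would destroy legitimate backslashes in user data, so the guard matters.
 * Array keys are left as they are.
 */
function removeMagicQuotes(array $array, bool $magicQuotesActive): array
{
    if (!$magicQuotesActive) {
        return $array;   // documented behaviour: input returned unchanged
    }
    $clean = [];
    foreach ($array as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = removeMagicQuotes($value, true);   // nested request arrays
        } elseif (is_string($value)) {
            $clean[$key] = stripslashes($value);
        } else {
            $clean[$key] = $value;   // ints, bools, nulls were never escaped
        }
    }
    return $clean;
}

// Constructed sample: what $_POST looks like with magic quotes on for the input
// name=O'Brien, comment=say "hi" and the nested field address[street]=Rue d'Orsay.
$post = [
    'name'    => "O\\'Brien",
    'comment' => 'say \\"hi\\"',
    'address' => ['street' => "Rue d\\'Orsay"],
];

var_export(removeMagicQuotes($post, true));
echo PHP_EOL;
var_export(removeMagicQuotes($post, false));
echo PHP_EOL;
```

The first call restores the original user input (`O'Brien`, `say "hi"`, `Rue d'Orsay`) including the nested array; the second returns the input array as it was, which is the "otherwise unchanged" case from the return value description above.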
setPostBody()
This function resets the $_POST array and adds the content of the HTTP body as BODY into the $_POST array. CAUTION: This method needs to be called BEFORE the self::_prepareInclude() method is called. Otherwise it won't work.
public
static setPostBody(string $sBodyContent) : void
Parameters
- $sBodyContent : string
-
The content sent in the body
Tags
Return values
void
setSecuritySetting()
public
static setSecuritySetting(mixed $key, mixed $value) : mixed
Parameters
- $key : mixed
- $value : mixed
Tags
Return values
mixed
validateAsAdminFile()
This function makes sure the given file resides within the "admin" directory hierarchy.
public
static validateAsAdminFile(string $file) : bool
Parameters
- $file : string
-
The file path to be checked.
Tags
Return values
bool —Returns true if the given file is within the admin folder, otherwise it throws an exception.
validateAsAdminLocalFile()
This function makes sure the given file resides within the "admin.local" directory hierarchy.
public
static validateAsAdminLocalFile(string $file) : bool
Parameters
- $file : string
-
The file path to be checked.
Tags
Return values
bool —Returns true if the file is within admin.local, otherwise throws an exception.
validateAsCSFile()
This function makes sure the given file is contained within the CONTENTSERV directory hierarchy.
public
static validateAsCSFile(string $file) : bool
Parameters
- $file : string
-
The file path to be checked.
Tags
Return values
bool —Returns true if it is a CS file, otherwise throws an exception.
validateAsLocalFile()
This function makes sure the given file is not a URL, normally to avoid the inclusion of off-site scripts.
public
static validateAsLocalFile(string $file) : bool
Parameters
- $file : string
-
The file link to be checked.
Tags
Return values
bool —Returns true if the file is a local file, otherwise throws an exception.
validateAsNonSensibleFileForInclude()
This function makes sure that the requested file is not a sensitive file such as config.php, the CSSecurity files and .htaccess
public
static validateAsNonSensibleFileForInclude(string $file[, bool $bCheckFileType = true ]) : bool
Parameters
- $file : string
-
The file path to be checked.
- $bCheckFileType : bool = true
-
If set to true, only php*, htm*, csi and cst files are allowed to be included
Tags
Return values
bool —TRUE if the file is contained within the CONTENTSERV directory, otherwise an exception is thrown.
validateAsProjectFile()
This function makes sure the given file is contained within the current project directory hierarchy.
public
static validateAsProjectFile(string $file[, int $iValidationType = self::VALIDATION_PROJECT_TYPE_ALL ]) : bool
Parameters
- $file : string
-
The file path to be checked.
- $iValidationType : int = self::VALIDATION_PROJECT_TYPE_ALL
-
The validation type to check the project file.
Tags
Return values
bool —Returns true if it is a project file, otherwise it throws an exception.
validateAsProjectName()
This function makes sure the given project name is valid.
public
static validateAsProjectName(string $ctsWebsite) : bool
Parameters
- $ctsWebsite : string
-
The project to be checked.
Tags
Return values
bool —Returns true if the given project name is valid, otherwise throws an exception.
validateAsRelativePath()
This function makes sure the given path is not an absolute path.
public
static validateAsRelativePath(string $path) : bool
Parameters
- $path : string
-
The path to be checked.
Tags
Return values
bool —Returns true if the given file path is a relative path, otherwise throws an exception.
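The following is an added example, not the CSSecurityUtils implementation, of an include-path validation chain that mirrors the checks described for validateAsLocalFile(), validateAsRelativePath(), validateAsNonSensibleFileForInclude() and the directory-containment checks such as validateAsCSFile() and validateAsProjectFile(). The class, method, exception and constant names, the sensitive-file list and the base directory handling are assumptions made for the demonstration; the file type rule follows the "php*, htm*, csi and cst" allowlist documented above.

```php
<?php
// Added example: stand-alone validator chaining the checks the validateAs*() methods
// describe. Not the CSSecurityUtils code; all names and lists below are assumptions.

final class IncludeValidationException extends RuntimeException {}

final class IncludeValidator
{
    /** File names that must never be reachable through a dynamic include (assumed list). */
    private const SENSITIVE_FILES = ['config.php', '.htaccess'];

    /** Extensions a dynamic include may load, after the documented php*, htm*, csi, cst rule. */
    private const ALLOWED_EXTENSION_PATTERN = '/^(php[0-9a-z]*|htm[0-9a-z]*|csi|cst)$/i';

    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException("Base directory does not exist: $baseDir");
        }
        $this->baseDir = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }

    /** Counterpart of validateAsLocalFile(): reject URLs and PHP stream wrappers. */
    public function assertLocal(string $file): void
    {
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $file) || str_starts_with($file, '//')) {
            throw new IncludeValidationException("Remote or wrapped path rejected: $file");
        }
    }

    /** Counterpart of validateAsRelativePath(): reject POSIX and Windows absolute paths. */
    public function assertRelative(string $path): void
    {
        if (str_starts_with($path, '/') || str_starts_with($path, '\\')
            || preg_match('/^[a-z]:[\\\\\/]/i', $path)) {
            throw new IncludeValidationException("Absolute path rejected: $path");
        }
    }

    /** Counterpart of validateAsNonSensibleFileForInclude(). */
    public function assertNotSensitive(string $file, bool $checkFileType = true): void
    {
        $name = basename($file);
        if (in_array($name, self::SENSITIVE_FILES, true) || str_starts_with($name, 'CSSecurity')) {
            throw new IncludeValidationException("Sensitive file rejected: $file");
        }
        if ($checkFileType
            && !preg_match(self::ALLOWED_EXTENSION_PATTERN, pathinfo($name, PATHINFO_EXTENSION))) {
            throw new IncludeValidationException("File type not allowed for include: $file");
        }
    }

    /**
     * Counterpart of the containment checks: resolve the path and require that it stays
     * under the base directory, which also defeats ".." traversal and symlinks leading out.
     */
    public function resolveContained(string $relativeFile): string
    {
        $real = realpath($this->baseDir . $relativeFile);
        if ($real === false || !str_starts_with($real, $this->baseDir)) {
            throw new IncludeValidationException("Path escapes the base directory: $relativeFile");
        }
        return $real;
    }

    /** Runs the whole chain and returns the absolute path that may be handed to include. */
    public function validateForInclude(string $file): string
    {
        $this->assertLocal($file);
        $this->assertRelative($file);
        $this->assertNotSensitive($file);
        return $this->resolveContained($file);
    }
}

// Constructed sandbox: a temporary tree with one legitimate template and one sensitive file.
$base = sys_get_temp_dir() . '/include-demo-' . bin2hex(random_bytes(4));
mkdir("$base/templates", 0700, true);
file_put_contents("$base/templates/page.php", "<?php echo 'ok';");
file_put_contents("$base/config.php", "<?php // secrets");

$validator = new IncludeValidator($base);
$candidates = [
    'templates/page.php',
    'http://example.com/x.php',
    '/etc/passwd',
    'config.php',
    'templates/../config.php',
    'templates/../../outside.php',
];
foreach ($candidates as $candidate) {
    try {
        echo 'ACCEPT ' . $validator->validateForInclude($candidate) . PHP_EOL;
    } catch (IncludeValidationException $e) {
        echo 'REJECT ' . $e->getMessage() . PHP_EOL;
    }
}

unlink("$base/templates/page.php");
unlink("$base/config.php");
rmdir("$base/templates");
rmdir($base);
```

Only the first candidate is accepted; the others are rejected by, in order, the URL check, the absolute path check, the sensitive-file check (twice, since the check works on the basename regardless of the ".." prefix) and the containment check. The order of the chain matters: the cheap string checks run first, and realpath() runs last so that a path is only resolved on disk after the syntactic rules have passed, and the returned value is the resolved absolute path rather than the caller's string, so the include uses exactly what was validated.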
validateAsSafeExternalFile()
Validates whether the given file path is a safe external file.
public
static validateAsSafeExternalFile(string $sFilePath[, bool $bThrowError = true ]) : bool
Parameters
- $sFilePath : string
-
The path to the file, which should be validated.
- $bThrowError : bool = true
-
Whether an exception should be thrown or not.
Tags
Return values
bool
validateAsSecurityFile()
Validates whether the given security file path can be used.
public
static validateAsSecurityFile(string $sSecurityFilePath) : bool
Parameters
- $sSecurityFilePath : string
Tags
Return values
bool —whether the given security file path is valid and can be used.
