1: <?php
2: /**
* This file contains the security class.
4: *
5: * @package Core
6: * @subpackage Security
7: * @author Frederic Schneider
8: * @copyright four for business AG <www.4fb.de>
9: * @license http://www.contenido.org/license/LIZENZ.txt
10: * @link http://www.4fb.de
11: * @link http://www.contenido.org
12: */
13:
// Guard against direct invocation: the framework must have been bootstrapped first.
if (!defined('CON_FRAMEWORK')) {
    die('Illegal call: Missing framework initialization - request aborted.');
}
15:
16: /**
17: * This object makes CONTENIDO more secure.
18: *
19: * @package Core
20: * @subpackage Security
21: */
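class cSecurity {

    /**
     * Checks some CONTENIDO core related request parameters against XSS.
     *
     * Delegates to cRequestValidator::checkParams(); which parameters are
     * inspected is defined there, not here.
     *
     * @return bool
     *         True on success otherwise nothing.
     *
     * @throws cInvalidArgumentException
     */
    public static function checkRequests() {
        $requestValidator = cRequestValidator::getInstance();

        return $requestValidator->checkParams();
    }

    /**
     * Escapes string using CONTENIDO urlencoding method and escapes string for inserting.
     *
     * The value is cast to string, optionally unslashed (CON_STRIPSLASHES),
     * HTML-encoded via conHtmlSpecialChars() and finally DB-escaped.
     *
     * @param string $sString
     *         Input string
     * @param cDb $oDb
     *         CONTENIDO database object
     * @return string
     *         Filtered string
     */
    public static function filter($sString, $oDb) {
        $sString = self::toString($sString);
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }
        // Slashes were already stripped above, so escapeDB() must not do it a
        // second time ($bUndoAddSlashes = false).
        return self::escapeDB(conHtmlSpecialChars($sString), $oDb, false);
    }

    /**
     * Reverts effect of method filter().
     *
     * Applies the inverse steps in reverse order: DB un-escaping first, then
     * HTML decoding via htmldecode().
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Unfiltered string
     */
    public static function unFilter($sString) {
        $sString = self::toString($sString);
        return htmldecode(self::unescapeDB($sString));
    }

    /**
     * Check: Has the variable a bool value?
     *
     * This is a strict type check: only true/false pass. Strings such as
     * '1', 'true' or '0' are NOT booleans and return false.
     *
     * @param mixed $sVar
     *         Input value
     * @return bool
     *         Check state
     */
    public static function isBoolean($sVar) {
        return is_bool($sVar);
    }

    /**
     * Check: Is the variable an unsigned integer string?
     *
     * Accepts one or more ASCII digits and nothing else. Leading zeros are
     * accepted ('0042'); a sign, whitespace, a decimal point or any trailing
     * character (including a trailing newline, see the 'D' modifier) is
     * rejected. Arrays, objects and null are rejected without touching PCRE.
     *
     * @param mixed $sVar
     *         Input value
     * @return bool
     *         Check state
     */
    public static function isInteger($sVar) {
        if (!is_scalar($sVar)) {
            return false;
        }
        // 'D' makes '$' match only at the very end so "12\n" is not accepted;
        // compare against 1 so the result is a real bool, not int|false.
        return preg_match('/^[0-9]+$/D', (string) $sVar) === 1;
    }

    /**
     * Check: Is the variable a string?
     *
     * @param mixed $sVar
     *         Input value
     * @return bool
     *         Check state
     */
    public static function isString($sVar) {
        return is_string($sVar);
    }

    /**
     * Convert a string to a bool.
     *
     * Uses PHP's cast rules: '', '0', 0, null and [] become false; any other
     * value (including the string 'false') becomes true.
     *
     * @param string $sString
     *         Input string
     * @return bool
     *         Type casted input string
     */
    public static function toBoolean($sString) {
        return (bool) $sString;
    }

    /**
     * Convert a string to an integer.
     *
     * Uses PHP's cast rules: leading numeric characters are taken, the rest
     * is ignored ('42abc' -> 42, 'abc' -> 0). Use isInteger() first if the
     * whole value has to be numeric.
     *
     * @param string $sString
     *         Input string
     * @return int
     *         Type casted input string
     */
    public static function toInteger($sString) {
        return (int) $sString;
    }

    /**
     * Convert a value to a string, optionally stripping HTML.
     *
     * @param string $sString
     *         Input string
     * @param bool $bHTML [optional]
     *         If truthy, the string is unslashed and passed through strip_tags()
     * @param string $sAllowableTags [optional]
     *         Allowable tags if $bHTML is true (strip_tags() format, e.g. '<b><i>')
     * @return string
     *         Converted string
     */
    public static function toString($sString, $bHTML = false, $sAllowableTags = '') {
        $sString = (string) $sString;
        if ($bHTML) {
            $sString = strip_tags(stripslashes($sString), $sAllowableTags);
        }
        return $sString;
    }

    /**
     * Escapes a query-string using the database object's escape method.
     *
     * Without a database object this falls back to escapeString(), i.e.
     * addslashes(), which is not aware of the connection charset; prefer
     * passing a cDb instance (or using parameterised queries) where possible.
     *
     * @param string $sString
     *         Input string
     * @param cDb $oDB
     *         CONTENIDO database object
     * @param bool $bUndoAddSlashes [optional; default: true]
     *         Flag for undo addslashes (only honoured when CON_STRIPSLASHES is defined)
     * @return string
     *         Converted string
     */
    public static function escapeDB($sString, $oDB, $bUndoAddSlashes = true) {
        if (!is_object($oDB)) {
            return self::escapeString($sString);
        }
        if (defined('CON_STRIPSLASHES') && $bUndoAddSlashes) {
            $sString = stripslashes($sString);
        }
        return $oDB->escape($sString);
    }

    /**
     * Escapes a query-string with addslashes().
     *
     * If CON_STRIPSLASHES is defined the input is unslashed first so that
     * already-quoted input is not double escaped.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Converted string
     */
    public static function escapeString($sString) {
        $sString = (string) $sString;
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }
        return addslashes($sString);
    }

    /**
     * Un-quote string quoted with escapeDB().
     *
     * Only backslash quoting is reversed (stripslashes()); whether this is an
     * exact inverse of $oDB->escape() depends on the driver's escaping rules.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Converted string
     */
    public static function unescapeDB($sString) {
        return stripslashes($sString);
    }

}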
202: