1: <?php
2: /**
3: * This file contains the security class.
4: *
5: * @package Core
6: * @subpackage Security
7: * @author Frederic Schneider
8: * @copyright four for business AG <www.4fb.de>
9: * @license http://www.contenido.org/license/LIZENZ.txt
10: * @link http://www.4fb.de
11: * @link http://www.contenido.org
12: */
13:
// Guard against direct invocation: this file must only be loaded by the
// framework bootstrap, which defines CON_FRAMEWORK before including it.
if (!defined('CON_FRAMEWORK')) {
    die('Illegal call: Missing framework initialization - request aborted.');
}
15:
16: /**
17: * This object makes CONTENIDO more secure.
18: *
19: * @package Core
20: * @subpackage Security
21: */
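class cSecurity {

    /**
     * Checks some CONTENIDO core related request parameters against XSS.
     *
     * The check itself lives in cRequestValidator; this method only obtains
     * the instance and delegates to checkParams().
     *
     * @return bool
     *         True on success otherwise nothing.
     */
    public static function checkRequests() {
        $requestValidator = cRequestValidator::getInstance();

        return $requestValidator->checkParams();
    }

    /**
     * Escapes a string for HTML output (conHtmlSpecialChars) and for inserting
     * into the database (escapeDB).
     *
     * Order: cast to string, stripslashes() if CON_STRIPSLASHES is defined,
     * HTML-encode, then database-escape. escapeDB() is called with
     * $bUndoAddSlashes = false because the slashes were already removed here;
     * stripping a second time would also eat backslashes that are part of the
     * actual content.
     *
     * @param string $sString
     *         Input string
     * @param cDb $oDb
     *         CONTENIDO database object
     * @return string
     *         Filtered string
     */
    public static function filter($sString, $oDb) {
        $sString = self::toString($sString);
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }

        // Slashes are already handled above, so escapeDB() must not strip again.
        return self::escapeDB(conHtmlSpecialChars($sString), $oDb, false);
    }

    /**
     * Reverts the effect of filter(): removes the database escaping via
     * unescapeDB() and then decodes the HTML entities via htmldecode().
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Unfiltered string
     */
    public static function unFilter($sString) {
        $sString = self::toString($sString);

        return htmldecode(self::unescapeDB($sString));
    }

    /**
     * Check: Does the variable hold a real bool value?
     *
     * Compares the value with strict identity against its (bool) cast, so only
     * true and false themselves pass; 1, "1", "true" etc. do not.
     *
     * @param string $sVar
     *         Input string
     * @return bool
     *         Check state
     */
    public static function isBoolean($sVar) {
        return $sVar === self::toBoolean($sVar);
    }

    /**
     * Check: Is the variable an unsigned integer, i.e. made of digits only?
     *
     * A leading sign, whitespace or a decimal point is rejected. The pattern
     * uses the D modifier so "$" only matches at the very end of the string;
     * without it "123\n" would pass, which matters for a validation helper.
     * Non-scalar input (array, object, null) is rejected instead of being
     * handed to preg_match(). The result is always a real bool.
     *
     * @param string $sVar
     *         Input string
     * @return bool
     *         Check state
     */
    public static function isInteger($sVar) {
        if (!is_scalar($sVar)) {
            return false;
        }

        // D: do not let "$" match before a trailing newline.
        return (bool) preg_match('/^[0-9]+$/D', (string) $sVar);
    }

    /**
     * Check: Is the variable a string?
     *
     * @param string $sVar
     *         Input string
     * @return bool
     *         Check state
     */
    public static function isString($sVar) {
        return is_string($sVar);
    }

    /**
     * Convert a value to bool using PHP's cast rules.
     *
     * "", "0", 0, 0.0, null, [] and false become false; everything else
     * becomes true. Note that the string "false" therefore yields true.
     *
     * @param string $sString
     *         Input string
     * @return bool
     *         Type casted input string
     */
    public static function toBoolean($sString) {
        return (bool) $sString;
    }

    /**
     * Convert a value to int using PHP's cast rules.
     *
     * Leading digits are parsed and the rest ignored ("42abc" gives 42,
     * "abc" gives 0); no error is raised for non-numeric input.
     *
     * @param string $sString
     *         Input string
     * @return int
     *         Type casted input string
     */
    public static function toInteger($sString) {
        return (int) $sString;
    }

    /**
     * Convert a value to string, optionally removing HTML tags.
     *
     * With $bHTML set, the string is first passed through stripslashes() and
     * then through strip_tags() with $sAllowableTags as the allow-list.
     *
     * @param string $sString
     *         Input string
     * @param bool $bHTML [optional]
     *         If true, apply stripslashes() and strip_tags()
     * @param string $sAllowableTags [optional]
     *         Allowable tags if $bHTML is true
     * @return string
     *         Converted string
     */
    public static function toString($sString, $bHTML = false, $sAllowableTags = '') {
        $sString = (string) $sString;
        if ($bHTML) {
            // stripslashes first, then strip_tags with the allow-list.
            $sString = strip_tags(stripslashes($sString), $sAllowableTags);
        }

        return $sString;
    }

    /**
     * Escapes a string for use in an SQL query.
     *
     * With a database object the escaping is delegated to $oDB->escape().
     * Without one it falls back to escapeString(), i.e. addslashes(), which is
     * not charset-aware and is only a stand-in for when no connection exists.
     *
     * @param string $sString
     *         Input string
     * @param cDb $oDB
     *         CONTENIDO database object
     * @param bool $bUndoAddSlashes [optional; default: true]
     *         If CON_STRIPSLASHES is defined, stripslashes() the input before
     *         escaping so previously added slashes are not escaped again.
     *         Only affects the $oDB path; escapeString() strips on its own.
     * @return string
     *         Converted string
     */
    public static function escapeDB($sString, $oDB, $bUndoAddSlashes = true) {
        if (!is_object($oDB)) {
            return self::escapeString($sString);
        }

        if (defined('CON_STRIPSLASHES') && $bUndoAddSlashes) {
            $sString = stripslashes($sString);
        }

        return $oDB->escape($sString);
    }

    /**
     * Escapes a string with addslashes().
     *
     * If CON_STRIPSLASHES is defined the input is stripslashes()'d first so
     * slashes added earlier are not doubled.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Converted string
     */
    public static function escapeString($sString) {
        $sString = (string) $sString;
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }

        return addslashes($sString);
    }

    /**
     * Un-quotes a string quoted with escapeDB().
     *
     * Implemented as stripslashes(), i.e. the exact inverse of the
     * escapeString()/addslashes() path; whether it also inverts
     * $oDB->escape() depends on that implementation, which is not visible here.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Converted string
     */
    public static function unescapeDB($sString) {
        return stripslashes($sString);
    }

}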
201: