1: <?php
2: /**
* This file contains the security class.
4: *
5: * @package Core
6: * @subpackage Security
7: * @version SVN Revision $Rev:$
8: *
9: * @author Frederic Schneider
10: * @copyright four for business AG <www.4fb.de>
11: * @license http://www.contenido.org/license/LIZENZ.txt
12: * @link http://www.4fb.de
13: * @link http://www.contenido.org
14: */
15:
// Guard against direct invocation: the file is only valid once the framework has
// defined CON_FRAMEWORK during its bootstrap.
if (!defined('CON_FRAMEWORK')) {
    die('Illegal call: Missing framework initialization - request aborted.');
}
17:
18: /**
19: * This object makes CONTENIDO more secure
20: *
21: * @package Core
22: * @subpackage Security
23: */
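class cSecurity {

    /**
     * Checks some CONTENIDO core related request parameters against XSS.
     *
     * Delegates to cRequestValidator (defined elsewhere in the framework).
     *
     * @return bool Result of cRequestValidator::checkParams(); true on success.
     */
    public static function checkRequests() {
        $requestValidator = cRequestValidator::getInstance();

        return $requestValidator->checkParams();
    }

    /**
     * Filters a string for storage: casts it to string, strips magic-quotes
     * slashes when CON_STRIPSLASHES is defined, HTML-encodes it via
     * conHtmlSpecialChars() (a global helper defined elsewhere) and finally
     * escapes it for the database with escapeDB().
     *
     * escapeDB() is called with $bUndoAddSlashes = false because the slashes
     * have already been stripped here; stripping twice would eat legitimate
     * backslashes.
     *
     * @param string $sString Input string
     * @param cDb $oDb CONTENIDO database object
     * @return string Filtered string
     */
    public static function filter($sString, $oDb) {
        $sString = self::toString($sString);
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }

        return self::escapeDB(conHtmlSpecialChars($sString), $oDb, false);
    }

    /**
     * Reverts the effect of filter(): undoes the database escaping first,
     * then the HTML encoding (htmldecode() is a global helper defined elsewhere).
     *
     * @param string $sString Input string
     * @return string Unfiltered string
     */
    public static function unFilter($sString) {
        $sString = self::toString($sString);

        // Same-case call as the method declaration (PHP resolves method names
        // case-insensitively, but mixed casing hides the call from searches).
        return htmldecode(self::unescapeDB($sString));
    }

    /**
     * Check: is the variable a real boolean (true or false)?
     *
     * Only values of type bool pass; the strings '1'/'0' and the ints 1/0 do not.
     * Equivalent to the former `$sVar === (bool) $sVar` comparison.
     *
     * @param mixed $sVar Value to check
     * @return bool Check state
     */
    public static function isBoolean($sVar) {
        return is_bool($sVar);
    }

    /**
     * Check: does the variable consist of decimal digits only?
     *
     * The pattern uses the D modifier so that `$` matches only at the very end
     * of the string; a plain `$` would also accept "123\n". Non-scalar values
     * (arrays, objects) are rejected instead of reaching preg_match(), which
     * would raise a TypeError for them on PHP 8. A leading sign is not
     * accepted, so negative numbers fail this check.
     *
     * @param mixed $sVar Value to check
     * @return bool True if $sVar is a non-empty run of ASCII digits
     */
    public static function isInteger($sVar) {
        if (!is_scalar($sVar)) {
            return false;
        }

        return (bool) preg_match('/^[0-9]+$/D', (string) $sVar);
    }

    /**
     * Check: is the variable a string?
     *
     * @param mixed $sVar Value to check
     * @return bool Check state
     */
    public static function isString($sVar) {
        return is_string($sVar);
    }

    /**
     * Converts a value to a boolean using PHP's standard truthiness rules
     * ('', '0', 0, null and [] become false).
     *
     * @param string $sString Input string
     * @return bool Type-cast input
     */
    public static function toBoolean($sString) {
        return (bool) $sString;
    }

    /**
     * Converts a value to an integer using PHP's standard cast rules
     * (leading digits are used, e.g. '42abc' becomes 42).
     *
     * @param string $sString Input string
     * @return int Type-cast input
     */
    public static function toInteger($sString) {
        return (int) $sString;
    }

    /**
     * Converts a value to a string, optionally removing HTML tags.
     *
     * @param string $sString Input value
     * @param bool $bHTML If truthy, apply stripslashes() and then strip_tags()
     * @param string $sAllowableTags Tags to keep when $bHTML is truthy (strip_tags() syntax)
     * @return string Converted string
     */
    public static function toString($sString, $bHTML = false, $sAllowableTags = '') {
        $sString = (string) $sString;
        if ($bHTML) {
            $sString = strip_tags(stripslashes($sString), $sAllowableTags);
        }

        return $sString;
    }

    /**
     * Escapes a string for use inside a quoted SQL string literal.
     *
     * With a database object the escaping is delegated to $oDB->escape();
     * without one it falls back to escapeString(), i.e. addslashes(), which is
     * not charset aware. This only protects values placed inside quotes -
     * prefer prepared statements / parameter binding where the database
     * layer offers them.
     *
     * @param string $sString Input string
     * @param cDb|mixed $oDB CONTENIDO database object; any non-object selects the fallback
     * @param bool $bUndoAddSlashes Strip magic-quotes slashes first when CON_STRIPSLASHES is defined (default: true)
     * @return string Escaped string
     */
    public static function escapeDB($sString, $oDB, $bUndoAddSlashes = true) {
        if (!is_object($oDB)) {
            return self::escapeString($sString);
        }

        if (defined('CON_STRIPSLASHES') && $bUndoAddSlashes) {
            $sString = stripslashes($sString);
        }

        return $oDB->escape($sString);
    }

    /**
     * Escapes a string with addslashes(), stripping magic-quotes slashes first
     * when CON_STRIPSLASHES is defined so they are not doubled.
     *
     * addslashes() is not charset aware; it is the fallback for escapeDB()
     * when no database object is available.
     *
     * @param string $sString Input string
     * @return string Escaped string
     */
    public static function escapeString($sString) {
        $sString = (string) $sString;
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }

        return addslashes($sString);
    }

    /**
     * Un-quotes a string quoted with escapeDB() / escapeString().
     *
     * @param string $sString Input string
     * @return string Unescaped string
     */
    public static function unescapeDB($sString) {
        return stripslashes($sString);
    }

}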
175: