1: <?php
2: /**
* This file contains the security class.
4: *
5: * @package Core
6: * @subpackage Security
7: * @version SVN Revision $Rev:$
8: *
9: * @author Frederic Schneider
10: * @copyright four for business AG <www.4fb.de>
11: * @license http://www.contenido.org/license/LIZENZ.txt
12: * @link http://www.4fb.de
13: * @link http://www.contenido.org
14: */
15:
16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
17:
18: /**
19: * This object makes CONTENIDO more secure
20: *
21: * @package Core
22: * @subpackage Security
23: */
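class cSecurity {

    /**
     * Checks some CONTENIDO core related request parameters against XSS.
     *
     * The actual checks live in cRequestValidator; this is only a facade
     * around cRequestValidator::checkParams().
     *
     * @return bool
     *         Whatever cRequestValidator::checkParams() returns (true on success).
     */
    public static function checkRequests() {
        $requestValidator = cRequestValidator::getInstance();

        return $requestValidator->checkParams();
    }

    /**
     * Prepares a string for storage: casts to string, optionally undoes
     * slashes (CON_STRIPSLASHES), HTML-encodes it via conHtmlSpecialChars()
     * and finally escapes it for the database via escapeDB().
     *
     * @param string $sString
     *         Input string
     * @param cDb $oDb
     *         CONTENIDO database object; when it is not an object escapeDB()
     *         falls back to addslashes()
     * @return string
     *         Filtered string
     */
    public static function filter($sString, $oDb) {
        $sString = self::toString($sString);
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }
        // Slashes were already handled above, so escapeDB() is told not to
        // strip them a second time (third argument false).
        return self::escapeDB(conHtmlSpecialChars($sString), $oDb, false);
    }

    /**
     * Reverts the effect of filter(): removes backslashes via unescapeDB()
     * and decodes HTML entities via htmldecode().
     *
     * NOTE(review): unescapeDB() only calls stripslashes(); whether that fully
     * reverts a driver-specific $oDB->escape() depends on the driver - confirm.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Unfiltered string
     */
    public static function unFilter($sString) {
        $sString = self::toString($sString);
        // Method names are case-insensitive in PHP, but use the declared
        // spelling (unescapeDB) so the call is greppable.
        return htmldecode(self::unescapeDB($sString));
    }

    /**
     * Check: Is the variable already a bool?
     *
     * Compares the value strictly against its own bool cast, so only real
     * bool values pass; strings such as '1' or 'true' do not.
     *
     * @param mixed $sVar
     *         Value to check
     * @return bool
     *         Check state
     */
    public static function isBoolean($sVar) {
        return $sVar === self::toBoolean($sVar);
    }

    /**
     * Check: Is the variable an unsigned integer string (digits only)?
     *
     * A leading sign, whitespace or any other character is rejected.
     *
     * @param string $sVar
     *         Input string
     * @return bool
     *         Check state
     */
    public static function isInteger($sVar) {
        // The D modifier makes $ match only at the very end of the subject;
        // without it a trailing newline ("123\n") would be accepted.
        return (bool) preg_match('/^[0-9]+$/D', (string) $sVar);
    }

    /**
     * Check: Is the variable a string?
     *
     * @param mixed $sVar
     *         Value to check
     * @return bool
     *         Check state
     */
    public static function isString($sVar) {
        return is_string($sVar);
    }

    /**
     * Converts a value to bool using PHP's standard truthiness rules
     * ('0', '', 0, null, [] become false).
     *
     * @param string $sString
     *         Input string
     * @return bool
     *         Type casted input
     */
    public static function toBoolean($sString) {
        return (bool) $sString;
    }

    /**
     * Converts a value to int using PHP's standard cast rules
     * (leading numeric part is used, e.g. '42abc' becomes 42).
     *
     * @param string $sString
     *         Input string
     * @return int
     *         Type casted input
     */
    public static function toInteger($sString) {
        return (int) $sString;
    }

    /**
     * Converts a value to string, optionally stripping slashes and HTML tags.
     *
     * @param string $sString
     *         Input string
     * @param bool $bHTML [optional]
     *         If truthy, run stripslashes() and strip_tags() on the value
     * @param string $sAllowableTags [optional]
     *         Tags to keep if $bHTML is true (strip_tags() syntax, e.g. '<b><i>')
     * @return string
     *         Converted string
     */
    public static function toString($sString, $bHTML = false, $sAllowableTags = '') {
        $sString = (string) $sString;
        if ($bHTML) {
            // strip_tags() keeps the attributes of allowed tags untouched, so
            // this is tag filtering, not a full HTML sanitisation.
            $sString = strip_tags(stripslashes($sString), $sAllowableTags);
        }
        return $sString;
    }

    /**
     * Escapes a string for use in an SQL literal via the database object.
     *
     * @param string $sString
     *         Input string
     * @param cDb $oDB
     *         CONTENIDO database object; when it is not an object the method
     *         falls back to escapeString() (addslashes)
     * @param bool $bUndoAddSlashes [optional; default: true]
     *         If truthy and CON_STRIPSLASHES is defined, strip slashes before escaping
     * @return string
     *         Converted string
     */
    public static function escapeDB($sString, $oDB, $bUndoAddSlashes = true) {
        if (!is_object($oDB)) {
            // No driver available: addslashes() is not a charset-aware SQL
            // escape, so callers should pass the db object (or use prepared
            // statements) whenever the result ends up in a query.
            return self::escapeString($sString);
        }
        if (defined('CON_STRIPSLASHES') && $bUndoAddSlashes) {
            $sString = stripslashes($sString);
        }
        return $oDB->escape($sString);
    }

    /**
     * Escapes a string with addslashes() (after undoing existing slashes
     * when CON_STRIPSLASHES is defined).
     *
     * This is only the fallback used by escapeDB() when no database object
     * is available; it is not a driver-aware SQL escape.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Converted string
     */
    public static function escapeString($sString) {
        $sString = (string) $sString;
        if (defined('CON_STRIPSLASHES')) {
            $sString = stripslashes($sString);
        }
        return addslashes($sString);
    }

    /**
     * Un-quotes a string quoted with escapeDB() by removing backslashes.
     *
     * @param string $sString
     *         Input string
     * @return string
     *         Converted string
     */
    public static function unescapeDB($sString) {
        return stripslashes($sString);
    }

}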
203: