
Security
in package
Uses BackwardCompatibility

A collection of miscellaneous methods related to forum security.

Table of Contents

Properties

$backcompat  : array<string|int, mixed>

Methods

checkConfirm()  : bool|string
Check if a specific confirm parameter was given.
checkSubmitOnce()  : null|bool
Check whether a form has been submitted twice.
corsPolicyHeader()  : void
This sets the Access-Control-Allow-Origin header.
exportStatic()  : void
Provides a way to export a class's public static properties and methods to global namespace.
frameOptionsHeader()  : mixed
This sets the X-Frame-Options header.
hashBenchmark()  : int
Benchmarks the server to figure out an appropriate cost factor (minimum 9)
hashPassword()  : string
Hashes a password together with its username, producing a bcrypt hash
hashVerifyPassword()  : bool
Verifies a raw SMF password against the bcrypt'd string
kickGuest()  : void
Backward compatibility wrapper for User::$me->kickIfGuest().
secureDirectory()  : bool|array<string|int, mixed>
A generic function to create a pair of index.php and .htaccess files in a directory
spamProtection()  : bool
This function attempts to protect from spammed messages and the like.

Properties

$backcompat

private static array<string|int, mixed> $backcompat = ['func_names' => ['hashPassword' => 'hash_password', 'hashVerifyPassword' => 'hash_verify_password', 'hashBenchmark' => 'hash_benchmark', 'checkConfirm' => 'checkConfirm', 'checkSubmitOnce' => 'checkSubmitOnce', 'spamProtection' => 'spamProtection', 'secureDirectory' => 'secureDirectory', 'frameOptionsHeader' => 'frameOptionsHeader', 'corsPolicyHeader' => 'corsPolicyHeader', 'kickGuest' => 'KickGuest']]

BackwardCompatibility settings for this class.

Methods

checkConfirm()

Check if a specific confirm parameter was given.

public static checkConfirm(string $action) : bool|string
Parameters
$action : string

The action we want to check against.

Return values
bool|string

True if the user has confirmed the action. Otherwise a token string, which the confirming request must carry back.

checkSubmitOnce()

Check whether a form has been submitted twice.

public static checkSubmitOnce(string $action[, bool $is_fatal = true ]) : null|bool
  • Registers a sequence number for a form.
  • Checks whether a submitted sequence number is registered in the current session.
  • Frees a sequence number from the stack after it's been checked.
  • Frees a sequence number without checking if $action == 'free'.
  • If $action == 'check', returns a value. If the check passes, returns true. Otherwise, it either shows an error if $is_fatal == true, or else just returns false.
  • If an invalid $action is passed, triggers an error.
Parameters
$action : string

The action. Can be 'register', 'check', or 'free'.

$is_fatal : bool = true

Whether to die with a fatal error. Only used when $action == 'check'.

Return values
null|bool

If $action == 'check', returns whether the check was successful. Otherwise, returns null.
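Two small request handlers, added here as an example of how the return values of checkConfirm() and checkSubmitOnce() are meant to be consumed. This is not SMF's own code. Details the page does not state are assumptions: that the confirm token is echoed back as a `confirm` query parameter, that the registered sequence number is exposed as Utils::$context['form_sequence_number'] and posted back in a field named `seqnum`, and the action and URL names themselves.

```php
<?php
// Added example, not SMF's own code. Assumed: the `confirm` query parameter,
// Utils::$context['form_sequence_number'], the `seqnum` field, and the
// invented action names 'purge_log' / settings form.

declare(strict_types=1);

use SMF\Security;
use SMF\Utils;

/**
 * Destructive one-click action. The first request yields a token; only a
 * request that carries that token back is treated as confirmed.
 */
function purgeLogAction(): void
{
    $confirm = Security::checkConfirm('purge_log');

    // Pitfall: the return type is bool|string and a token string is truthy,
    // so `if ($confirm)` would treat the unconfirmed case as confirmed.
    if ($confirm !== true) {
        $link = '?action=admin;area=logs;sa=purge;confirm=' . urlencode($confirm);
        echo 'Really purge the log? <a href="', htmlspecialchars($link, ENT_QUOTES), '">Yes</a>';
        return;
    }

    // ... perform the purge here ...
    echo 'Log purged.';
}

/**
 * Ordinary settings form. 'register' when the form is displayed, 'check' when
 * it is submitted; a passed check frees the number, so a resubmitted or
 * replayed copy of the same form fails the second time.
 */
function settingsFormAction(): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // $is_fatal = false: get a boolean back instead of a fatal error page,
        // so the caller can answer with a soft error of its own.
        if (Security::checkSubmitOnce('check', false) !== true) {
            http_response_code(409);
            echo 'This form was already submitted, or the session has expired.';
            return;
        }
        // ... save the settings here ...
        echo 'Saved.';
        return;
    }

    // Store a fresh sequence number in the session and expose it to the view;
    // the form must echo it back as a hidden field.
    Security::checkSubmitOnce('register');
    $seqnum = (string) Utils::$context['form_sequence_number']; // assumed key

    echo '<form method="post">',
         '<input type="hidden" name="seqnum" value="', htmlspecialchars($seqnum, ENT_QUOTES), '">',
         '<button type="submit">Save</button>',
         '</form>';
}
```

checkSubmitOnce() only guards against the same form being submitted twice; it is not a substitute for the forum's session check on the same POST path. Likewise, compare checkConfirm()'s result with `=== true`: a loose truthiness test accepts the unconfirmed token string.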

corsPolicyHeader()

This sets the Access-Control-Allow-Origin header.

public static corsPolicyHeader([bool $set_header = true ]) : void
Parameters
$set_header : bool = true

When false, we will do the logic, but not send the headers. The relevant logic is still saved in Utils::$context and can be sent manually. Default: true.

Tags
link
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
since
2.1

exportStatic()

Provides a way to export a class's public static properties and methods to global namespace.

public static exportStatic() : void

To do so:

  1. Use this trait in the class.
  2. At the END of the class's file, call its exportStatic() method.

Although it might not seem that way at first glance, this approach conforms to section 2.3 of PSR 1, since executing this method is simply a dynamic means of declaring functions when the file is included; it has no other side effects.

Regarding the $backcompat items:

A class's static properties are not exported to global variables unless explicitly included in $backcompat['prop_names']. Likewise, a class's static methods are not exported as global functions unless explicitly included in $backcompat['func_names'].

$backcompat['prop_names'] is a simple array where the keys are the names of one or more of a class's static properties, and the values are the names of global variables. In each case, the global variable will be set to a reference to the static property. Static properties that are not named in this array will not be exported.

$backcompat['func_names'] is a simple array where the keys are the names of one or more of a class's static methods, and the values are the names that should be used for global functions that will encapsulate those methods. Methods that are not named in this array will not be exported.

Adding non-static properties or methods to the $backcompat arrays will produce runtime errors. It is the responsibility of the developer to make sure not to do this.
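The pattern described above, written out as an added example that is not SMF's own code. It assumes the trait is available as SMF\BackwardCompatibility through the autoloader; the class, its members and the legacy global names are invented.

```php
<?php
// Added example (not SMF's code). Assumed: the trait lives at
// SMF\BackwardCompatibility; MyMod\RateLimit and the legacy names are invented.

declare(strict_types=1);

namespace MyMod;

use SMF\BackwardCompatibility;

class RateLimit
{
    use BackwardCompatibility;

    // Only members listed here are exported; everything else stays namespaced.
    // Keys are the static member names, values the global names that legacy
    // (pre-namespace) mod code expects.
    private static array $backcompat = [
        'prop_names' => [
            'window' => 'ratelimit_window',          // global $ratelimit_window
        ],
        'func_names' => [
            'isLimited' => 'ratelimit_is_limited',   // function ratelimit_is_limited()
        ],
    ];

    public static int $window = 30;

    public static function isLimited(int $lastActionTime, int $now): bool
    {
        return ($now - $lastActionTime) < self::$window;
    }

    // Not exported: absent from $backcompat['func_names'].
    public static function reset(): void
    {
        self::$window = 30;
    }

    // A non-static member must never be listed in $backcompat: the generated
    // global wrapper would have no instance to call it on and fails at runtime,
    // which is the caveat above.
    public function describe(): string
    {
        return 'window=' . self::$window;
    }
}

// Must be the last statement in the file. It declares the global aliases when
// the file is included and has no other side effect.
RateLimit::exportStatic();

// Legacy code elsewhere can now write:
//   global $ratelimit_window;          // a reference to RateLimit::$window
//   $ratelimit_window = 60;            // also changes RateLimit::$window
//   ratelimit_is_limited($t, time());  // wraps RateLimit::isLimited()
```

Because the exported global is a reference, assigning through `$ratelimit_window` changes the static property for every caller, namespaced or not; treat exported properties as shared mutable state.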

frameOptionsHeader()

This sets the X-Frame-Options header.

public static frameOptionsHeader([string $override = null ]) : mixed
Parameters
$override : string = null

An option to override (either 'SAMEORIGIN' or 'DENY')

Tags
since
2.1
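An added example (not SMF's code) showing both header helpers on a JSON endpoint, followed by a check that the protective headers were actually emitted. The endpoint itself is invented; the check uses PHP's standard headers_list(), and assumes corsPolicyHeader() emits Access-Control-Allow-Origin only for an origin the forum is configured to allow.

```php
<?php
// Added example, not SMF's own code. The endpoint is invented; the inspection
// below relies only on PHP's headers_list().

declare(strict_types=1);

use SMF\Security;

function sendJsonResponse(array $payload): void
{
    // Clickjacking protection: this endpoint is never meant to be embedded,
    // so DENY is stricter than the default SAMEORIGIN.
    Security::frameOptionsHeader('DENY');

    // Let Security decide, from the request's Origin and the forum's
    // configuration, whether to send Access-Control-Allow-Origin and what it
    // should contain. Pass false to run the logic without sending headers.
    Security::corsPolicyHeader(true);

    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($payload, JSON_THROW_ON_ERROR);
}

/**
 * Inspect the headers queued so far (must run before output is flushed).
 * Returns a list of problems; an empty list means the response is as intended.
 */
function checkSecurityHeaders(): array
{
    $sent = [];
    foreach (headers_list() as $line) {
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $sent[strtolower($name)] = $value;
    }

    $problems = [];
    if (($sent['x-frame-options'] ?? '') !== 'DENY') {
        $problems[] = 'X-Frame-Options is not DENY';
    }
    // A wildcard origin combined with credentials is rejected by browsers and
    // signals a misconfigured policy rather than an intentional one.
    if (($sent['access-control-allow-origin'] ?? '') === '*'
        && strtolower($sent['access-control-allow-credentials'] ?? '') === 'true') {
        $problems[] = 'Access-Control-Allow-Origin is * with credentials allowed';
    }
    return $problems;
}
```

Both helpers call header() under the hood, so they must run before any output; a template that has already echoed HTML silently loses the X-Frame-Options and CORS headers.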

hashBenchmark()

Benchmarks the server to figure out an appropriate cost factor (minimum 9)

public static hashBenchmark([float $hashTime = 0.2 ]) : int
Parameters
$hashTime : float = 0.2

Time to target, in seconds

Return values
int

The cost

hashPassword()

Hashes a password together with its username, producing a bcrypt hash.

public static hashPassword(string $username, string $password[, int $cost = null ]) : string
Parameters
$username : string

The username

$password : string

The unhashed password

$cost : int = null

The cost

Return values
string

The hashed password

hashVerifyPassword()

Verifies a raw SMF password against the bcrypt'd string

public static hashVerifyPassword(string $username, string $password, string $hash) : bool
Parameters
$username : string

The username

$password : string

The password

$hash : string

The hashed string

Return values
bool

Whether the hashed password matches the string
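The three password helpers used together: benchmark once, hash at registration, verify at login, and re-hash when the configured cost has been raised. This is an added example, not SMF's own code; the setting name bcrypt_hash_cost, the fallback cost of 10 and the function names are assumptions.

```php
<?php
// Added example, not SMF's own code. Assumed: Config::$modSettings['bcrypt_hash_cost']
// as the place the chosen cost is kept, and the fallback cost of 10.

declare(strict_types=1);

use SMF\Config;
use SMF\Security;

/**
 * Choose the bcrypt cost once (at install or from an admin page) by
 * benchmarking this server against a target time, and remember it.
 * hashBenchmark() never returns less than 9.
 */
function chooseHashCost(float $targetSeconds = 0.2): int
{
    $cost = Security::hashBenchmark($targetSeconds);
    Config::$modSettings['bcrypt_hash_cost'] = $cost; // assumed setting name
    return $cost;
}

function configuredCost(): int
{
    return (int) (Config::$modSettings['bcrypt_hash_cost'] ?? 10);
}

function registerAccount(string $username, string $password): string
{
    // The hash is bound to the username: it cannot be moved to another
    // account, and it must be regenerated if the username is ever changed.
    return Security::hashPassword($username, $password, configuredCost());
}

/**
 * Returns ['ok' => bool, 'new_hash' => ?string]. When new_hash is set the
 * caller should store it in place of $storedHash.
 */
function loginAccount(string $username, string $password, string $storedHash): array
{
    // Pass the username exactly as stored for the account; both helpers must
    // see the same value or verification fails.
    if (!Security::hashVerifyPassword($username, $password, $storedHash)) {
        return ['ok' => false, 'new_hash' => null];
    }

    // Opportunistic upgrade: if the cost has been raised since this hash was
    // made, produce a replacement while the plaintext is still available.
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => configuredCost()])) {
        $newHash = Security::hashPassword($username, $password, configuredCost());
    }
    return ['ok' => true, 'new_hash' => $newHash];
}
```

Two caveats worth keeping in mind: bcrypt only processes the first 72 bytes of its input, and because the username is hashed together with the password, a long username consumes part of that budget; and hashBenchmark() measures the machine it runs on, so a cost chosen on a fast build host may be too slow, or too weak, for the production server.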

kickGuest()

Backward compatibility wrapper for User::$me->kickIfGuest().

public static kickGuest() : void

secureDirectory()

A generic function to create a pair of index.php and .htaccess files in a directory

public static secureDirectory(string|array<string|int, mixed> $paths[, bool $attachments = false ]) : bool|array<string|int, mixed>
Parameters
$paths : string|array<string|int, mixed>

The (absolute) directory path(s).

$attachments : bool = false

Whether this is an attachment directory.

Return values
bool|array<string|int, mixed>

True on success, or an array of errors on failure.
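An added example (not SMF's code) of hardening the directories a mod writes to, with the return value handled correctly. The paths and the logging call are invented.

```php
<?php
// Added example, not SMF's own code. Paths and the error_log() reporting are
// invented for illustration.

declare(strict_types=1);

use SMF\Security;

/**
 * Drop index.php/.htaccess guards into plain and attachment directories.
 * Returns true only if every directory was secured.
 */
function hardenWritableDirs(array $plainDirs, array $attachmentDirs): bool
{
    $allOk = true;

    foreach ([[$plainDirs, false], [$attachmentDirs, true]] as [$paths, $isAttachment]) {
        if ($paths === []) {
            continue;
        }
        $result = Security::secureDirectory($paths, $isAttachment);

        // Pitfall: the return type is bool|array and a non-empty PHP array is
        // truthy, so `if ($result)` would treat a list of errors as success.
        if ($result !== true) {
            $allOk = false;
            foreach ((array) $result as $error) {
                error_log('secureDirectory: ' . (is_scalar($error) ? (string) $error : json_encode($error)));
            }
        }
    }
    return $allOk;
}

// Usage; the paths must be absolute:
// hardenWritableDirs(['/var/www/forum/cache'], ['/var/www/forum/attachments']);
```

The .htaccess file only takes effect on Apache with overrides enabled; on nginx or on Apache with AllowOverride None, the index.php file still stops directory listings but nothing blocks direct requests to files in the directory. Keep attachment directories outside the web root, or deny them in the server configuration, and treat secureDirectory() as a second layer.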

spamProtection()

This function attempts to protect from spammed messages and the like.

public static spamProtection(string $error_type[, bool $only_return_result = false ]) : bool

The time required between actions depends on $error_type. If there is no specific time requirement for the $error_type, the time required will just be Config::$modSettings['spamWaitTime'].

Parameters
$error_type : string

The error type. Also used as a Lang::$txt key.

$only_return_result : bool = false

When true, only return the result. When false (the default), die with a fatal_lang_error if the limit was hit.

Return values
bool

True if the user has already performed this action within the required wait time (the limit was hit); false otherwise.
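An added example (not SMF's code) of an API-style endpoint that rate-limits with spamProtection() but answers with HTTP 429 instead of the forum's fatal error page. The error type 'api_post' is invented; since the error type doubles as a Lang::$txt key, a real mod would also ship the matching language string for the fatal path.

```php
<?php
// Added example, not SMF's own code. The error type 'api_post' and the
// fallback wait time of 5 seconds are invented.

declare(strict_types=1);

use SMF\Config;
use SMF\Security;

function handleApiPost(callable $doWork): void
{
    // With $only_return_result = true the call never dies; true means the
    // user already did this action within the wait time.
    if (Security::spamProtection('api_post', true)) {
        $wait = (int) (Config::$modSettings['spamWaitTime'] ?? 5);
        http_response_code(429);
        header('Retry-After: ' . $wait);
        header('Content-Type: application/json; charset=utf-8');
        echo json_encode(['error' => 'too_many_requests', 'retry_after' => $wait]);
        return;
    }
    $doWork();
}

// In a normal HTML action the one-argument form is enough: it either returns
// false and the code continues, or it dies with the localized wait message.
function handleHtmlPost(callable $doWork): void
{
    Security::spamProtection('post');
    $doWork();
}
```

Retry-After above uses Config::$modSettings['spamWaitTime'], which the page documents as the default wait; an error type with its own specific requirement would need its own value.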
