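rules('csrf', array(
     *         'not_empty'       => NULL,
     *         'Security::check' => NULL,
     *     ));
     *
     * This provides a basic, but effective, method of preventing CSRF attacks.
     *
     * The token is read from the session and only regenerated when `$new` is
     * TRUE or no token is stored yet. New tokens come from a cryptographically
     * secure source whenever the build provides one; see Security::_random_token.
     *
     * @param   boolean $new    force a new token to be generated?
     * @return  string
     * @throws  Exception   when random_bytes() finds no secure entropy source
     * @uses    Session::instance
     * @uses    Security::_random_token
     */
    public static function token($new = FALSE)
    {
        $session = Session::instance();

        // Get the current token
        $token = $session->get(Security::$token_name);

        if ($new === TRUE OR ! $token)
        {
            // Generate a new unique token and persist it for later checks
            $token = Security::_random_token();
            $session->set(Security::$token_name, $token);
        }

        return $token;
    }

    /**
     * Generate a fresh, unpredictable token string.
     *
     * Sources are tried in order of strength:
     *
     *  1. random_bytes() (PHP >= 7.0), a CSPRNG
     *  2. openssl_random_pseudo_bytes(), accepted only when OpenSSL reports
     *     the output as cryptographically strong
     *  3. sha1(uniqid(NULL, TRUE)) — uniqid is derived from microtime and is
     *     predictable, so this is a last resort for legacy builds only
     *
     * @return  string
     */
    protected static function _random_token()
    {
        if (function_exists('random_bytes'))
        {
            return base64_encode(random_bytes(32));
        }

        if (function_exists('openssl_random_pseudo_bytes'))
        {
            $strong = FALSE;
            $bytes  = openssl_random_pseudo_bytes(32, $strong);

            // Only trust OpenSSL when it confirms the bytes are strong
            if ($bytes !== FALSE AND $strong === TRUE)
            {
                return base64_encode($bytes);
            }
        }

        // Otherwise, fall back to a hashed uniqid
        return sha1(uniqid(NULL, TRUE));
    }

    /**
     * Check that the given token matches the currently stored security token.
     *
     *     if (Security::check($token))
     *     {
     *         // Pass
     *     }
     *
     * The comparison runs in constant time (via hash_equals() when the build
     * provides it) so the stored token cannot be recovered through
     * response-timing differences. Non-string input never matches.
     *
     * @param   string  $token  token to check
     * @return  boolean
     * @uses    Security::token
     */
    public static function check($token)
    {
        if ( ! is_string($token))
        {
            // Arrays or NULL from a request can never equal the stored string
            return FALSE;
        }

        $stored = Security::token();

        if (is_string($stored) AND function_exists('hash_equals'))
        {
            // PHP >= 5.6: length-independent, constant-time comparison
            return hash_equals($stored, $token);
        }

        return $stored === $token;
    }

    /**
     * Remove image tags from a string.
     *
     *     $str = Security::strip_image_tags($str);
     *
     * Each `<img ...>` tag is replaced by the value of its `src` attribute (or
     * by nothing when the tag has no `src`). This only handles image tags; it
     * is not a general HTML sanitizer.
     *
     * @param   string  $str    string to sanitize
     * @return  string
     */
    public static function strip_image_tags($str)
    {
        // Capture the unquoted src value (group 1) and substitute it for the whole tag
        return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
    }

    /**
     * Encodes PHP tags in a string.
     *
     *     $str = Security::encode_php_tags($str);
     *
     * The PHP open and close tags are entity-escaped so the string can be
     * rendered without the delimiters being interpreted as markup.
     *
     * @param   string  $str    string to sanitize
     * @return  string
     */
    public static function encode_php_tags($str)
    {
        return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $str);
    }

}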