
Class Phalcon\Security

implements Phalcon\Di\InjectionAwareInterface


This component provides a set of functions to improve the security of Phalcon applications: bcrypt password hashing and verification, CSRF tokens, HMAC computation and a CSPRNG-backed random generator.

<?php

// $login and $password come from the submitted form. $user->password must hold
// a bcrypt hash produced by $this->security->hash() at registration time.
$login    = $this->request->getPost("login");
$password = $this->request->getPost("password");

$user = Users::findFirstByLogin($login);

if ($user) {
    // checkHash() re-runs bcrypt with the salt embedded in the stored hash and
    // compares the result. Note that no bcrypt work happens when the login does
    // not exist, so the two branches are distinguishable by response time.
    if ($this->security->checkHash($password, $user->password)) {
        // The password is valid
    }
}

Constants

integer CRYPT_DEFAULT

integer CRYPT_STD_DES

integer CRYPT_EXT_DES

integer CRYPT_MD5

integer CRYPT_BLOWFISH

integer CRYPT_BLOWFISH_A

integer CRYPT_BLOWFISH_X

integer CRYPT_BLOWFISH_Y

integer CRYPT_SHA256

integer CRYPT_SHA512

Methods

public setWorkFactor (mixed $workFactor)

...

public getWorkFactor ()

...

public __construct ()

Phalcon\Security constructor

public setDI (Phalcon\DiInterface $dependencyInjector)

Sets the dependency injector

public getDI ()

Returns the internal dependency injector

public setRandomBytes (mixed $randomBytes)

Sets the number of bytes to be generated by the OpenSSL pseudo random generator

public getRandomBytes ()

Returns the number of bytes to be generated by the OpenSSL pseudo random generator

public getRandom ()

Returns a secure random number generator instance

public getSaltBytes ([mixed $numberBytes])

Generates a pseudo random string of more than 22 characters to be used as a salt for passwords

public hash (mixed $password, [mixed $workFactor])

Creates a password hash using bcrypt with a pseudo random salt; $workFactor, when given, overrides the configured bcrypt cost

public checkHash (mixed $password, mixed $passwordHash, [mixed $maxPassLength])

Checks whether a plain text password matches the given password hash; when $maxPassLength is greater than zero, longer passwords are rejected before any hashing takes place

public isLegacyHash (mixed $passwordHash)

Checks whether a password hash is a legacy bcrypt hash (one carrying the $2a$ identifier), so the application can decide to rehash it
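hash, checkHash and isLegacyHash are designed to be used together: hash at registration, checkHash at login, and isLegacyHash (together with a comparison of the stored cost against the current work factor) to decide when a stored hash should be regenerated. The following is an added example and not code from the Phalcon project; it assumes the phalcon extension (3.x) is loaded and uses a hypothetical in-memory `$users` array in place of a model.

```php
<?php
// Added example (not part of the Phalcon docs). Assumes ext-phalcon 3.x is loaded.
// $users below is a hypothetical in-memory store standing in for a Users model.
use Phalcon\Security;

final class PasswordService
{
    const MAX_PASSWORD_BYTES = 72; // bcrypt silently truncates input beyond 72 bytes

    private $security;
    private $dummyHash;

    public function __construct(Security $security)
    {
        $this->security = $security;
        $this->security->setDefaultHash(Security::CRYPT_BLOWFISH_Y); // current $2y$ bcrypt
        $this->security->setWorkFactor(12);                          // cost: 2^12 rounds
        // Pre-computed hash used when the login does not exist, so an unknown account
        // costs the same bcrypt work as a wrong password (limits enumeration by timing).
        $this->dummyHash = $this->security->hash('dummy-password-never-accepted');
    }

    public function hash(string $password): string
    {
        if (strlen($password) > self::MAX_PASSWORD_BYTES) {
            throw new InvalidArgumentException('password exceeds 72 bytes');
        }
        return $this->security->hash($password);
    }

    /** Verifies $password against $storedHash (null when the account is unknown). */
    public function verify(string $password, $storedHash): bool
    {
        $hash = $storedHash ?? $this->dummyHash;
        // The third argument rejects over-long input before bcrypt runs.
        $ok = $this->security->checkHash($password, $hash, self::MAX_PASSWORD_BYTES);
        return $ok && $storedHash !== null;
    }

    /** True when the stored hash should be regenerated on the next successful login. */
    public function needsRehash(string $storedHash): bool
    {
        if ($this->security->isLegacyHash($storedHash)) {   // old $2a$ identifier
            return true;
        }
        // A $2y$ hash carries its cost in characters 4-5: "$2y$12$...".
        $cost = (int) substr($storedHash, 4, 2);
        return $cost !== $this->security->getWorkFactor();
    }
}

// --- usage -------------------------------------------------------------------
$service = new PasswordService(new Security());
$users   = ['alice' => $service->hash('correct horse battery staple')]; // registration

function login(PasswordService $service, array &$users, string $login, string $password): bool
{
    $stored = $users[$login] ?? null;             // null for unknown accounts
    if (!$service->verify($password, $stored)) {
        return false;
    }
    if ($service->needsRehash($stored)) {         // transparent upgrade of old hashes
        $users[$login] = $service->hash($password);
    }
    return true;
}

var_dump(login($service, $users, 'alice', 'correct horse battery staple')); // correct password
var_dump(login($service, $users, 'alice', 'wrong'));                        // wrong password
var_dump(login($service, $users, 'mallory', 'anything'));                   // unknown login
```

Rehashing only happens inside a successful login because that is the only moment the plaintext is available; raising the work factor in configuration therefore migrates accounts gradually rather than all at once.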

public getTokenKey ()

Generates a pseudo random token key to be used as the input's name in a CSRF check

public getToken ()

Generates a pseudo random token value to be used as the input's value in a CSRF check

public checkToken ([mixed $tokenKey], [mixed $tokenValue], [mixed $destroyIfValid])

Checks whether the CSRF token sent in the request matches the one currently stored in the session; when the arguments are omitted the key is read from the session and the value from the request field of that name

public getSessionToken ()

Returns the value of the CSRF token in session

public destroyToken ()

Removes the value of the CSRF token and key from session
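The four token methods form one round trip: getTokenKey and getToken are called when the form is rendered, checkToken when it is submitted, and destroyToken (or the default destroyIfValid) afterwards. The controller below is an added example rather than code from the Phalcon project; it assumes the phalcon extension (3.x) with the default security, session, request and response services registered in the DI, and the route names are this example's own.

```php
<?php
// Added example (not from the Phalcon docs). Assumes ext-phalcon 3.x with the
// default "security", "session", "request" and "response" services in the DI.
use Phalcon\Mvc\Controller;

class SessionController extends Controller
{
    // GET /session/loginForm : render the form with a hidden CSRF field.
    public function loginFormAction()
    {
        // getTokenKey()/getToken() generate the pair and keep it in the session.
        // The field NAME is random as well, so an attacker's forged form cannot
        // even guess which parameter to populate.
        $key   = $this->security->getTokenKey();
        $value = $this->security->getToken();

        $html = sprintf(
            '<form method="post" action="/session/login">'
            . '<input type="hidden" name="%s" value="%s">'
            . '<input name="login"><input type="password" name="password">'
            . '<button>Sign in</button></form>',
            htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
        return $this->response->setContent($html);
    }

    // POST /session/login : refuse the request unless the token round-trips.
    public function loginAction()
    {
        if (!$this->request->isPost()) {
            return $this->response->setStatusCode(405, 'Method Not Allowed');
        }
        // With no arguments, checkToken() reads the key from the session and the
        // value from the POST field of that name. The default destroyIfValid=true
        // makes each token single-use; pass false for pages that submit repeatedly.
        if (!$this->security->checkToken()) {
            return $this->response->setStatusCode(403, 'Forbidden')
                                  ->setContent('Invalid CSRF token');
        }
        // ... authenticate as in the example at the top of the page ...
        return $this->response->setContent('ok');
    }
}
```

Because the token lives in the session, the check is only as strong as the session cookie: it must be sent with the Secure and HttpOnly flags and the session must not be fixable by an attacker.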

public computeHmac (mixed $data, mixed $key, mixed $algo, [mixed $raw])

Computes an HMAC of $data with $key using the hash algorithm $algo; the result is hex-encoded unless $raw is true
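A typical use of computeHmac is authenticating a webhook or signed URL, where the receiver recomputes the MAC and compares it in constant time. The following is an added example, not Phalcon project code; it assumes the phalcon extension (3.x) is loaded, and the header layout ("timestamp.body" as the signed string) and the constants are this example's own.

```php
<?php
// Added example (not from the Phalcon docs). Assumes ext-phalcon 3.x is loaded.
// The "timestamp.body" signing layout and the constants are this example's own.
use Phalcon\Security;

const WEBHOOK_SECRET = 'rotate-me-32-bytes-of-entropy-minimum'; // shared with the sender
const MAX_SKEW       = 300;                                     // seconds a signature stays valid

// Sender side: sign the timestamp together with the body so that a captured
// signature cannot be replayed later with a different body or time.
function signWebhook(Security $security, string $body, int $timestamp): string
{
    return $security->computeHmac($timestamp . '.' . $body, WEBHOOK_SECRET, 'sha256');
}

// Receiver side: recompute and compare in constant time; never compare with == .
function verifyWebhook(Security $security, string $body, string $tsHeader, string $sigHeader, int $now): bool
{
    if (!ctype_digit($tsHeader) || abs($now - (int) $tsHeader) > MAX_SKEW) {
        return false;                                    // malformed or stale timestamp
    }
    $expected = $security->computeHmac($tsHeader . '.' . $body, WEBHOOK_SECRET, 'sha256');
    return hash_equals($expected, $sigHeader);           // length- and content-independent timing
}

// Constructed sample exchange
$security = new Security();
$body     = '{"event":"invoice.paid","id":"inv_123"}';
$ts       = 1700000000;
$sig      = signWebhook($security, $body, $ts);

var_dump(verifyWebhook($security, $body, (string) $ts, $sig, $ts + 10));           // genuine delivery
var_dump(verifyWebhook($security, $body . ' ', (string) $ts, $sig, $ts + 10));     // body tampered
var_dump(verifyWebhook($security, $body, (string) $ts, $sig, $ts + MAX_SKEW + 1)); // replayed too late
```

The secret must be distinct from any password-hashing or session key, and the MAC is computed over the exact bytes received, before any JSON decoding, so that canonicalisation differences cannot be abused.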

public setDefaultHash (mixed $defaultHash)

Sets the default hash

public getDefaultHash ()

Returns the default hash

public hasLibreSsl ()

Tests whether the SSL library PHP is linked against is LibreSSL

public getSslVersionNumber ()

Returns the OpenSSL or LibreSSL version number. It parses OPENSSL_VERSION_TEXT because OPENSSL_VERSION_NUMBER is of no use for LibreSSL.

<?php

if ($security->getSslVersionNumber() >= 20105) {
    // ...
}

Class Phalcon\Security\Exception

extends class Phalcon\Exception

implements Throwable


Methods

final private Exception __clone () inherited from Exception

Clone the exception

public __construct ([mixed $message], [mixed $code], [mixed $previous]) inherited from Exception

Exception constructor

public __wakeup () inherited from Exception

...

final public string getMessage () inherited from Exception

Gets the Exception message

final public int getCode () inherited from Exception

Gets the Exception code

final public string getFile () inherited from Exception

Gets the file in which the exception occurred

final public int getLine () inherited from Exception

Gets the line in which the exception occurred

final public array getTrace () inherited from Exception

Gets the stack trace

final public Exception getPrevious () inherited from Exception

Returns previous Exception

final public string getTraceAsString () inherited from Exception

Gets the stack trace as a string

public string __toString () inherited from Exception

String representation of the exception


Class Phalcon\Security\Random


Secure random number generator class.

Provides a secure random number generator suitable for generating session keys in HTTP cookies, password reset tokens and similar secrets.

It supports the following secure random number generators:

  • random_bytes (PHP 7)
  • libsodium
  • openssl, libressl
  • /dev/urandom

Phalcon\Security\Random is mainly useful for:

  • Key generation (e.g. generation of complicated keys)
  • Generating random passwords for new user accounts
  • Encryption systems

<?php

$random = new \Phalcon\Security\Random();

// Random binary string
$bytes = $random->bytes();

// Random hex string
echo $random->hex(10); // a29f470508d5ccb8e289
echo $random->hex(10); // 533c2f08d5eee750e64a
echo $random->hex(11); // f362ef96cb9ffef150c9cd
echo $random->hex(12); // 95469d667475125208be45c4
echo $random->hex(13); // 05475e8af4a34f8f743ab48761

// Random base62 string
echo $random->base62(); // z0RkwHfh8ErDM1xw

// Random base64 string
echo $random->base64(12); // XfIN81jGGuKkcE1E
echo $random->base64(12); // 3rcq39QzGK9fUqh8
echo $random->base64();   // DRcfbngL/iOo9hGGvy1TcQ==
echo $random->base64(16); // SvdhPcIHDZFad838Bb0Swg==

// Random URL-safe base64 string
echo $random->base64Safe();           // PcV6jGbJ6vfVw7hfKIFDGA
echo $random->base64Safe();           // GD8JojhzSTrqX7Q8J6uug
echo $random->base64Safe(8);          // mGyy0evy3ok
echo $random->base64Safe(null, true); // DRrAgOFkS4rvRiVHFefcQ==

// Random UUID
echo $random->uuid(); // db082997-2572-4e2c-a046-5eefe97b1235
echo $random->uuid(); // da2aa0e2-b4d0-4e3c-99f5-f5ef62c57fe2
echo $random->uuid(); // 75e6b628-c562-4117-bb76-61c4153455a9
echo $random->uuid(); // dc446df1-0848-4d05-b501-4af3c220c13d

// Random number between 0 and $len
echo $random->number(256); // 84
echo $random->number(256); // 79
echo $random->number(100); // 29
echo $random->number(300); // 40

// Random base58 string
echo $random->base58();   // 4kUgL2pdQMSCQtjE
echo $random->base58();   // Umjxqf7ZPwh765yR
echo $random->base58(24); // qoXcgmw4A9dys26HaNEdCRj9
echo $random->base58(7);  // 774SJD3vgP

This class partially borrows from Ruby's SecureRandom library.
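The methods shown above differ only in encoding; what matters in practice is how the output is used. The following is an added example, not Phalcon project code, that issues and redeems single-use password reset tokens with base64Safe and uuid, and builds a random password with number. It assumes the phalcon extension (3.x) is loaded; the in-memory `$store` array and the URL are stand-ins of this example's own.

```php
<?php
// Added example (not from the Phalcon docs). Assumes ext-phalcon 3.x is loaded.
// The token store is a hypothetical array standing in for a database table.
use Phalcon\Security\Random;

final class ResetTokens
{
    private $random;
    private $store = [];   // id => ['hash' => ..., 'login' => ..., 'expires' => ...]

    public function __construct(Random $random) { $this->random = $random; }

    /** Issues a one-time reset link for $login; only a hash of the secret is kept. */
    public function issue(string $login, int $now): string
    {
        $id     = $this->random->uuid();            // public identifier, safe to log
        $secret = $this->random->base64Safe(32);    // 32 random bytes, URL-safe, no padding
        $this->store[$id] = [
            'hash'    => hash('sha256', $secret),   // a leaked table yields no usable tokens
            'login'   => $login,
            'expires' => $now + 900,                // 15 minutes
        ];
        return 'https://example.test/reset?id=' . $id . '&t=' . $secret;
    }

    /** Redeems a presented (id, secret) pair once; returns the login or null. */
    public function redeem(string $id, string $secret, int $now)
    {
        $row = $this->store[$id] ?? null;
        if ($row === null || $now > $row['expires']) {
            return null;
        }
        if (!hash_equals($row['hash'], hash('sha256', $secret))) {  // constant-time compare
            return null;
        }
        unset($this->store[$id]);                   // single use
        return $row['login'];
    }
}

/**
 * Random password drawn from an explicit alphabet, using number() per position.
 * number($len) is inclusive of $len, so the upper bound must be strlen - 1.
 */
function randomPassword(Random $random, int $length = 16): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789-_';
    $max      = strlen($alphabet) - 1;
    $out      = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[$random->number($max)];
    }
    return $out;
}

$random = new Random();
$tokens = new ResetTokens($random);
$link   = $tokens->issue('alice', 1700000000);
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump($tokens->redeem($q['id'], $q['t'], 1700000100));   // first use within the window
var_dump($tokens->redeem($q['id'], $q['t'], 1700000100));   // second use: token already consumed
echo randomPassword($random), "\n";
```

Storing only a hash of the secret means the database row is not a credential on its own; the uuid serves as a lookup key so the secret itself is never used in a query, and the check is constant-time regardless of which part is wrong.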

Methods

public bytes ([mixed $len])

Generates a random binary string. Random::bytes returns a string and accepts an int giving the number of bytes to return. If $len is not specified, 16 is assumed; this default may grow in future. The result may contain any byte value, "\x00" to "\xFF", so encode it (bin2hex, base64) before placing it in a URL, header or HTML.

<?php

$random = new \Phalcon\Security\Random();

$bytes = $random->bytes();
var_dump(bin2hex($bytes));
// Possible output: string(32) "00f6c04b144b41fad6a59111c126e1ee"

public hex ([mixed $len])

Generates a random hex string. If $len is not specified, 16 is assumed; this default may grow in future. $len counts random bytes, and each byte becomes two hexadecimal characters, so the result string is twice as long as $len.

<?php

$random = new \Phalcon\Security\Random();

echo $random->hex(10); // a29f470508d5ccb8e289

public base58 ([mixed $len])

Generates a random base58 string. If $len is not specified, 16 is assumed; this default may grow in future. The result may contain alphanumeric characters except 0, O, I and l. It is similar to Phalcon\Security\Random::base64 but has been modified to avoid both non-alphanumeric characters and letters which might look ambiguous when printed.

<?php

$random = new \Phalcon\Security\Random();

echo $random->base58(); // 4kUgL2pdQMSCQtjE

public base62 ([mixed $len])

Generates a random base62 string. If $len is not specified, 16 is assumed; this default may grow in future. It is similar to Phalcon\Security\Random::base58 but has been modified to provide the largest alphabet that can safely be used in URLs without needing to escape any characters, because it is [A-Za-z0-9].

<?php

$random = new \Phalcon\Security\Random();

echo $random->base62(); // z0RkwHfh8ErDM1xw

public base64 ([mixed $len])

Generates a random base64 string. If $len is not specified, 16 is assumed; this default may grow in future. $len counts random bytes, so the result string is usually longer than $len. Size formula: 4 * ($len / 3), rounded up to a multiple of 4.

<?php

$random = new \Phalcon\Security\Random();

echo $random->base64(12); // 3rcq39QzGK9fUqh8

public base64Safe ([mixed $len], [mixed $padding])

Generates a random URL-safe base64 string. If $len is not specified, 16 is assumed; this default may grow in future. $len counts random bytes, so the result string is usually longer than $len. By default, padding is not generated because "=" may be used as a URL delimiter. The result may contain A-Z, a-z, 0-9, "-" and "_". "=" is also used if $padding is true. See RFC 3548 for the definition of URL-safe base64.

<?php

$random = new \Phalcon\Security\Random();

echo $random->base64Safe(); // GD8JojhzSTrqX7Q8J6uug

public uuid ()

Generates a v4 random UUID (Universally Unique IDentifier). A version 4 UUID is purely random except for the version and variant bits: it does not contain meaningful information such as a MAC address or a timestamp. See RFC 4122 for details of UUIDs. This algorithm sets the version number (4 bits) as well as two reserved bits; all other bits (the remaining 122 bits) are set from a random or pseudorandom data source. Version 4 UUIDs have the form xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx where x is any hexadecimal digit and y is one of 8, 9, A, or B (e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479).

<?php

$random = new \Phalcon\Security\Random();

echo $random->uuid(); // 1378c906-64bb-4f81-a8d6-4ae1bfcdec22

public number (mixed $len)

Generates a random number between 0 and $len. Returns an integer with 0 <= result <= $len; note that the upper bound is inclusive, so for an index into a string or array pass the length minus one.

<?php

$random = new \Phalcon\Security\Random();

echo $random->number(16); // 8

protected base (mixed $alphabet, mixed $base, [mixed $n])

Generates a random string of $n characters drawn from the $alphabet of $base characters. If $n is not specified, 16 is assumed; this default may grow in future.