
Security
in package

A collection of miscellaneous methods related to forum security.

Table of Contents

Methods

checkConfirm()  : bool|string
Check if a specific confirm parameter was given.
checkSecurityFiles()  : bool|array<string|int, mixed>
Checks for the existence and security status of specific files and directories required for the proper functioning of the system. Ensures that security measures are applied and generates a list of warnings for any issues detected.
checkSubmitOnce()  : null|bool
Check whether a form has been submitted twice.
corsPolicyHeader()  : void
This sets the Access-Control-Allow-Origin header.
frameOptionsHeader()  : void
This sets the X-Frame-Options header.
generatePassword()  : string
Generates a random password.
generateValidationCode()  : string
Generate a random validation code.
hashBenchmark()  : int
Benchmarks the server to figure out an appropriate cost factor (minimum 9)
hashPassword()  : string
Hashes the user's password
hashVerifyPassword()  : bool
Verifies a plaintext SMF password against its stored hash.
minimumPasswordLength()  : int
Gets the minimum required password length.
secureDirectory()  : bool|array<string|int, mixed>
A generic function to create a pair of index.php and .htaccess files in a directory
spamProtection()  : bool
This function attempts to protect from spammed messages and the like.
validatePassword()  : null|string
Checks whether a password meets the current forum rules.

Methods

checkConfirm()

Check if a specific confirm parameter was given.

public static checkConfirm(string $action) : bool|string
Parameters
$action : string

The action we want to check against.

Return values
bool|string

True if the check passed. Otherwise a token string.

checkSecurityFiles()

Checks for the existence and security status of specific files and directories required for the proper functioning of the system. Ensures that security measures are applied and generates a list of warnings for any issues detected.

public static checkSecurityFiles() : bool|array<string|int, mixed>

Warnings include:

  • Missing or insecure critical files (e.g., install.php, upgrade.php).
  • Directories not properly secured (e.g., cache directory).
  • Missing legal agreement or policy documents.
  • Missing authentication secrets.
Return values
bool|array<string|int, mixed>

Returns an array of warnings if any security risks are detected, or false if the user lacks the necessary permissions or is a guest.

checkSubmitOnce()

Check whether a form has been submitted twice.

public static checkSubmitOnce(string $action[, bool $is_fatal = true ]) : null|bool
  • Registers a sequence number for a form.
  • Checks whether a submitted sequence number is registered in the current session.
  • Frees a sequence number from the stack after it's been checked.
  • Frees a sequence number without checking if $action == 'free'.
  • If $action == 'check', returns a value. If the check passes, returns true. Otherwise, it either shows an error if $is_fatal == true, or else just returns false.
  • If an invalid $action is passed, triggers an error.
Parameters
$action : string

The action. Can be 'register', 'check', or 'free'.

$is_fatal : bool = true

Whether to die with a fatal error. Only used when $action == 'check'.

Return values
null|bool

If $action == 'check', returns whether the check was successful. Otherwise, returns null.
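The register / check / free protocol described above, as an added illustration in PHP. This is not SMF's code: a plain array stands in for the PHP session so it runs from the CLI, the class name is this example's own, and the hidden-field name `seqnum` is an assumption about how the number reaches the browser, not something this page documents.

```php
<?php
declare(strict_types=1);

// Illustration of the register / check / free sequence-number protocol that
// checkSubmitOnce() is documented to implement. Added example, not SMF's code:
// an array replaces session storage and the class name is this example's own.

final class SubmitOnceRegistry
{
    /** @var array<string, true> registered sequence numbers (stand-in for session storage) */
    private array $registered = [];

    /** 'register': mint an unguessable sequence number for a form about to be rendered. */
    public function register(): string
    {
        // 128 bits from the CSPRNG rather than a counter, so a number cannot be predicted
        $seq = bin2hex(random_bytes(16));
        $this->registered[$seq] = true;
        return $seq;
    }

    /**
     * 'check': accept the submitted number only if it is still registered, and
     * consume it so that a replay of the same POST is rejected. On failure either
     * throw (the fatal path) or, when $isFatal is false, return false.
     */
    public function check(?string $submitted, bool $isFatal = true): bool
    {
        if (is_string($submitted) && isset($this->registered[$submitted])) {
            $this->free($submitted);
            return true;
        }
        if ($isFatal) {
            throw new RuntimeException('form already submitted or sequence number unknown');
        }
        return false;
    }

    /** 'free': discard a number without checking it (e.g. the form was abandoned). */
    public function free(string $seq): void
    {
        unset($this->registered[$seq]);
    }
}

// Rendering the form: register a number and emit it as a hidden field
// (field name "seqnum" is this example's assumption).
$forms = new SubmitOnceRegistry();
$seq = $forms->register();
$hidden = '<input type="hidden" name="seqnum" value="' . htmlspecialchars($seq, ENT_QUOTES) . '">';

// Handling the POST, non-fatal mode so the outcomes can be inspected:
// the first submission carries a registered number and consumes it,
$first = $forms->check($seq, false);
// a double-clicked or replayed POST presents the same, now-consumed number,
$second = $forms->check($seq, false);
// and a forged request presents a number that was never registered.
$forged = $forms->check('deadbeef', false);
```

The consume-on-check step is what makes the token a double-submit guard rather than just a presence check; freeing it only after a successful check means an attacker cannot invalidate a victim's pending form by guessing, since the number is random and per form.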

corsPolicyHeader()

This sets the Access-Control-Allow-Origin header.

public static corsPolicyHeader([bool $set_header = true ]) : void
Parameters
$set_header : bool = true

When false, we will do the logic, but not send the headers. The relevant logic is still saved in Utils::$context and can be sent manually. Default: true.

Tags
link
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
since
2.1

frameOptionsHeader()

This sets the X-Frame-Options header.

public static frameOptionsHeader([string $override = null ]) : void
Parameters
$override : string = null

An option to override (either 'SAMEORIGIN' or 'DENY')

Tags
since
2.1

generatePassword()

Generates a random password.

public static generatePassword() : string
Return values
string

A random password.

generateValidationCode()

Generate a random validation code.

public static generateValidationCode() : string
Return values
string

A random validation code

hashBenchmark()

Benchmarks the server to figure out an appropriate cost factor (minimum 9)

public static hashBenchmark([float $hashTime = 0.2 ]) : int
Parameters
$hashTime : float = 0.2

Time to target, in seconds

Return values
int

The cost

hashPassword()

Hashes the user's password

public static hashPassword(string $password[, int $cost = null ]) : string
Parameters
$password : string

The unhashed password

$cost : int = null

The cost

Return values
string

The hashed password

hashVerifyPassword()

Verifies a plaintext SMF password against its stored hash.

public static hashVerifyPassword(string $password, string $hash) : bool
Parameters
$password : string

The password

$hash : string

The hashed string

Return values
bool

True if the password hashes to $hash, false otherwise.
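The three hashing methods above (hashBenchmark, hashPassword, hashVerifyPassword) together, as an added PHP example that is not SMF's implementation. It uses PHP's native password_hash / password_verify with bcrypt, the cost floor of 9 the hashBenchmark() documentation states, and adds a rehash-on-login step that the page does not describe; all function names are this example's own, and the sample password is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not SMF's code: pick a bcrypt cost by benchmarking, hash and
// verify with it, and upgrade weaker stored hashes at login. Follows what
// hashBenchmark(), hashPassword() and hashVerifyPassword() are documented to do;
// the function names and the upgrade step are this example's own.

const MIN_COST = 9;  // the floor stated for hashBenchmark()
const MAX_COST = 31; // bcrypt's maximum cost parameter

/** Lowest cost >= MIN_COST whose single bcrypt computation takes at least $hashTime seconds. */
function benchmarkCost(float $hashTime = 0.2): int
{
    for ($cost = MIN_COST; $cost < MAX_COST; $cost++) {
        $start = hrtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((hrtime(true) - $start) / 1e9 >= $hashTime) {
            break;
        }
    }
    return $cost;
}

/** Hash with an explicit cost, or with a freshly benchmarked one when none is given. */
function hashPasswordExample(string $password, ?int $cost = null): string
{
    // bcrypt only consumes the first 72 bytes; refuse longer input rather than silently truncating it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException("password exceeds bcrypt's 72-byte limit");
    }
    $cost ??= benchmarkCost();
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => max(MIN_COST, $cost)]);
}

/** Compare against the stored hash; salt and cost are read from the hash itself. */
function verifyPasswordExample(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

/**
 * Login path: verify, and if the stored hash was made with a lower cost than
 * the current target, return a replacement hash for the caller to persist.
 * @return array{0: bool, 1: ?string} [verified, replacement hash or null]
 */
function verifyAndUpgrade(string $password, string $hash, int $targetCost): array
{
    if (!password_verify($password, $hash)) {
        return [false, null];
    }
    $needsRehash = password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    return [true, $needsRehash ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]) : null];
}

// Usage with constructed values. Benchmarking once at install or config time is the
// intent; benchmarking on every hash call would make registration cost twice as much.
$cost   = benchmarkCost(0.2);
$stored = hashPasswordExample('correct horse battery staple', $cost);
$ok     = verifyPasswordExample('correct horse battery staple', $stored);
$bad    = verifyPasswordExample('Correct horse battery staple', $stored);

// After the site-wide target cost is raised, the next successful login produces a
// replacement hash; a failed login never does, so an attacker cannot trigger rehashing.
[$verified, $replacement] = verifyAndUpgrade('correct horse battery staple', $stored, $cost + 1);
```

Two practitioner notes: the benchmark measures the machine it runs on, so a cost chosen on a development laptop can be several times too cheap or too expensive for the production host, and the rehash-on-login step is the only way existing accounts ever benefit from a raised cost, since the plaintext is needed to compute the new hash.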

minimumPasswordLength()

Gets the minimum required password length.

public static minimumPasswordLength() : int
Return values
int

The minimum required password length.

secureDirectory()

A generic function to create a pair of index.php and .htaccess files in a directory

public static secureDirectory(string|array<string|int, mixed> $paths[, bool $attachments = false ]) : bool|array<string|int, mixed>
Parameters
$paths : string|array<string|int, mixed>

The (absolute) directory path(s).

$attachments : bool = false

Whether this is an attachment directory.

Return values
bool|array<string|int, mixed>

True on success, or an array of errors on failure.
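An added PHP example of what secureDirectory() is described as doing, writing an index.php and a .htaccess into each directory; it is not SMF's implementation. The page does not say what SMF changes for attachment directories, so here the $attachments flag is this example's own choice: it additionally removes script handlers so an uploaded file ending in .php is never executed. The function name, the file contents, and the temp-directory paths are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not SMF's secureDirectory(): drop an index.php and a .htaccess into
// each directory so a web server neither lists nor serves what is inside it.
// The attachment-specific handler removal is this example's choice, not something
// this page attributes to SMF. Directories live under the system temp dir.

const INDEX_PHP = "<?php\n// Placeholder so the directory can never be listed; nothing is served from here.\nexit;\n";

const HTACCESS_DENY = <<<'CONF'
# Deny direct web access to everything in this directory (Apache 2.4 and 2.2 forms).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>

CONF;

const HTACCESS_NO_SCRIPTS = <<<'CONF'
# Defence in depth for upload directories: uploaded files must never run as code,
# even if the deny rule above is ever lost to a configuration change.
<IfModule mod_mime.c>
    RemoveHandler .php .phtml .phar
    RemoveType    .php .phtml .phar
</IfModule>

CONF;

/** @return true|string[] true on success, otherwise one message per failure */
function secureDirectoryExample(string|array $paths, bool $attachments = false): bool|array
{
    $errors = [];
    foreach ((array) $paths as $dir) {
        if (!is_dir($dir)) {
            $errors[] = "$dir: not a directory";
            continue;
        }
        $files = [
            'index.php' => INDEX_PHP,
            '.htaccess' => HTACCESS_DENY . ($attachments ? HTACCESS_NO_SCRIPTS : ''),
        ];
        foreach ($files as $name => $content) {
            $path = $dir . DIRECTORY_SEPARATOR . $name;
            // Already correct: nothing to do.
            if (is_file($path) && file_get_contents($path) === $content) {
                continue;
            }
            // Never silently clobber a customised .htaccess; report it instead.
            if (is_file($path) && $name === '.htaccess') {
                $errors[] = "$path: exists with different content, not overwritten";
                continue;
            }
            if (file_put_contents($path, $content, LOCK_EX) === false) {
                $errors[] = "$path: not writable";
            }
        }
    }
    return $errors === [] ? true : $errors;
}

// Usage with constructed paths: a cache directory and an attachment directory.
$base  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'securedir-' . bin2hex(random_bytes(4));
$cache = $base . DIRECTORY_SEPARATOR . 'cache';
$att   = $base . DIRECTORY_SEPARATOR . 'attachments';
mkdir($cache, 0700, true);
mkdir($att, 0700, true);
$cacheResult = secureDirectoryExample($cache);
$attResult   = secureDirectoryExample($att, true);
```

Caveat: .htaccess is honoured only by Apache, and only where AllowOverride permits the directives used (Limit or AuthConfig for the deny rules, FileInfo for RemoveHandler and RemoveType). On nginx, or under AllowOverride None, the file is ignored without any error and the directory must be protected in the server configuration instead; the safest deployment keeps attachment and cache directories outside the document root entirely, with the .htaccess pair as a second layer rather than the only one.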

spamProtection()

This function attempts to protect from spammed messages and the like.

public static spamProtection(string $error_type[, bool $only_return_result = false ]) : bool

The time required between actions depends on $error_type. If there is no specific time requirement for the $error_type, the time required will just be Config::$modSettings['spamWaitTime'].

Parameters
$error_type : string

The error type. Also used as a Lang::$txt key.

$only_return_result : bool = false

When true, the function returns the result instead of dying with a fatal_lang_error when the limit is exceeded.

Return values
bool

True if the user has already performed this action within the required wait time (the request should be refused), false if the action is within the limit and has been logged.
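The flood-control logic spamProtection() is documented to apply, as an added PHP example rather than SMF's code. Per-action wait times fall back to one global default, the role Config::$modSettings['spamWaitTime'] plays on this page; an in-memory array keyed by action and actor stands in for whatever persistent log SMF keeps. The class, its method, the error message text, and the sample limits and timestamps are all this example's own.

```php
<?php
declare(strict_types=1);

// Added example of the flood-control check spamProtection() describes; not SMF's
// implementation. Per-type waits override a default wait, and an array replaces
// the persistent log. Names, message text and sample values are this example's own.

final class FloodControl
{
    /** @var array<string,int> last accepted timestamp per "errorType|actor" */
    private array $log = [];

    /**
     * @param int               $defaultWait seconds between actions when no specific limit exists
     * @param array<string,int> $perType     seconds per error type, overriding the default
     */
    public function __construct(private int $defaultWait, private array $perType = [])
    {
    }

    /**
     * Returns true if $actor already performed $errorType within its wait time
     * (refuse the request), false if the action is accepted and logged.
     * With $onlyReturnResult = false a positive result throws instead; that is where
     * an application would emit its user-facing "wait N seconds" error for $errorType.
     */
    public function check(string $errorType, string $actor, int $now, bool $onlyReturnResult = false): bool
    {
        $limit = $this->perType[$errorType] ?? $this->defaultWait;
        $key   = $errorType . '|' . $actor;
        $last  = $this->log[$key] ?? null;

        if ($last === null || $now - $last >= $limit) {
            $this->log[$key] = $now; // accepted: this action opens a new wait window
            return false;
        }
        if ($onlyReturnResult) {
            return true;
        }
        $remaining = $limit - ($now - $last);
        throw new RuntimeException(sprintf('%s: wait %d more second(s)', $errorType, $remaining));
    }
}

// Constructed sample: 5 s default, but 10 s between login attempts. Timestamps are
// passed in explicitly so the sequence is deterministic and testable offline.
$fc = new FloodControl(5, ['login' => 10]);
$results = [
    'post@0'  => $fc->check('post',  'member:42',   0, true), // first post by this member
    'post@3'  => $fc->check('post',  'member:42',   3, true), // 3 s later, inside the 5 s default window
    'post@5'  => $fc->check('post',  'member:42',   5, true), // exactly at the window boundary
    'other@0' => $fc->check('post',  'member:43',   0, true), // a different actor has its own window
    'login@0' => $fc->check('login', '203.0.113.7', 0, true), // login keyed by IP for guests
    'login@9' => $fc->check('login', '203.0.113.7', 9, true), // 9 s later, inside login's own 10 s limit
];
```

Design note: this version does not refresh the timestamp on a rejected attempt, so a client hammering the endpoint still gets through once the original window elapses. Refreshing it on every attempt is stricter (the window only ends when the client stops) but also makes it easier for one misbehaving client to lock out a shared IP; either is defensible, and the choice should be deliberate.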

validatePassword()

Checks whether a password meets the current forum rules.

public static validatePassword(string $password, string $username[, array<string|int, mixed> $restrict_in = [] ]) : null|string

Called when registering and when choosing a new password in the profile.

If password checking is enabled, will check that none of the words in $restrict_in appear in the password.

Returns an error identifier if the password is invalid, or null if valid.

Parameters
$password : string

The desired password.

$username : string

The username.

$restrict_in : array<string|int, mixed> = []

An array of restricted strings that cannot be part of the password (email address, username, etc.)

Return values
null|string

Null if valid or a string indicating the problem.


        