CakePHP 2.10 API

Class Security

The Security library contains utility methods related to security.

Package: Cake\Utility
Copyright: Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
License: MIT License
Location: Cake/Utility/Security.php

Properties summary

  • $hashCost public static
    string
    Default cost
  • $hashType public static
    string
    Default hash method

Method Summary

  • _checkKey() protected static
    Check the encryption key for proper length.
  • _crypt() protected static
    One-way encryption (hashing) using PHP's crypt() function. To use blowfish hashing, see Security::hash().
  • _salt() protected static

    Generates a pseudo-random salt suitable for use with PHP's crypt() function. The salt length should not exceed 27. The salt will be composed of [./0-9A-Za-z]{$length}.

  • cipher() public static deprecated
    Runs $text through an XOR cipher.
  • decrypt() public static
    Decrypt a value using AES-256.
  • encrypt() public static
    Encrypt a value using AES-256.
  • generateAuthKey() public static deprecated
    Generate authorization hash.
  • hash() public static
    Create a hash from string using given method or fallback on next available method.
  • inactiveMins() public static deprecated
    Get allowed minutes of inactivity based on security level.
  • randomBytes() public static
    Get random bytes from a secure source.
  • rijndael() public static
    Encrypts/Decrypts a text using the given key using rijndael method.
  • setCost() public static
    Sets the cost for the blowfish hash method.
  • setHash() public static

    Sets the default hash method for the Security object. This affects all objects using Security::hash().

  • validateAuthKey() public static deprecated
    Validate authorization hash.

Method Detail

_checkKey() protected static

_checkKey(string $key, string $method)

Check the encryption key for proper length.

Parameters
string $key
Key to check.
string $method
The method the key is being checked for.
Throws
CakeException
When the key is not 256 bits/32 bytes long.

_crypt() protected static

_crypt(string $password, mixed $salt = false)

One-way encryption (hashing) using PHP's crypt() function. To use blowfish hashing, see Security::hash().

Parameters
string $password
The string to be encrypted.
mixed $salt optional false
false to generate a new salt, or an existing salt to reuse.
Returns
string
The hashed string or an empty string on error.

_salt() protected static

_salt(integer $length = 22)

Generates a pseudo-random salt suitable for use with PHP's crypt() function. The salt length should not exceed 27. The salt will be composed of [./0-9A-Za-z]{$length}.

Parameters
integer $length optional 22
The length of the returned salt
Returns
string
The generated salt

cipher() public static deprecated

cipher(string $text, string $key)

Runs $text through an XOR cipher.

Note: This is not a cryptographically strong method and should not be used for sensitive data. Additionally, this method does not work in environments where Suhosin is enabled.

Instead you should use Security::encrypt() when you need strong encryption.

Deprecated
3.0.0 Will be removed in 3.0.
Parameters
string $text
Encrypted string to decrypt, normal string to encrypt
string $key
Key to use
Returns
string
Encrypted/Decrypted string

decrypt() public static

decrypt(string $cipher, string $key, string $hmacSalt = null)

Decrypt a value using AES-256.

Parameters
string $cipher
The ciphertext to decrypt.
string $key
The 256 bit/32 byte key to use as a cipher key.
string $hmacSalt optional null
The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
string
Decrypted data. Any trailing null bytes will be removed.
Throws
CakeException
On invalid data or key.

encrypt() public static

encrypt(string $plain, string $key, string $hmacSalt = null)

Encrypt a value using AES-256.

Caveat: You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption, because PHP pads messages with nulls prior to encryption.

Parameters
string $plain
The value to encrypt.
string $key
The 256 bit/32 byte key to use as a cipher key.
string $hmacSalt optional null
The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
string
Encrypted data.
Throws
CakeException
On invalid data or key.
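The following is an added example, not code from the CakePHP API docs or the framework itself. It shows how an application would use Security::encrypt() and Security::decrypt() together, and how to work around the trailing-null-byte caveat above by base64-encoding the plaintext before encryption (base64 output never ends in a null byte). The key value, the HMAC salt and the helper names sealValue()/openValue() are constructed for this example. Security::decrypt() throws a CakeException on invalid data or key; the example also treats any non-string return as a failed check, which is a defensive assumption rather than documented behaviour.

```php
<?php
// Added example (not part of the CakePHP API docs): authenticated encryption of
// an application value with Security::encrypt()/decrypt() in a CakePHP 2.x app,
// with a wrapper that survives the trailing-null-byte caveat.
App::uses('Security', 'Utility');

// The key must be 32 bytes (256 bits). Generate one once with
// Security::randomBytes(32), store it hex-encoded in app configuration and
// decode it at runtime. A constructed key is used here instead of a real one.
$keyHex = str_repeat('0123456789abcdef', 4); // 64 hex chars -> 32 bytes (constructed)
$key = pack('H*', $keyHex);

// encrypt() derives its HMAC key from $key and the salt. Pass the salt
// explicitly so the example does not depend on Security.salt in core.php.
$hmacSalt = 'constructed-hmac-salt-value';

/**
 * Encrypt a value so that decryption returns it byte-for-byte, even when the
 * value ends in "\0". decrypt() strips trailing nulls, so the plaintext is
 * base64-encoded first. The ciphertext is base64-encoded as well so it can be
 * stored in a text column.
 */
function sealValue($plain, $key, $hmacSalt) {
    $cipher = Security::encrypt(base64_encode($plain), $key, $hmacSalt);
    return base64_encode($cipher);
}

/**
 * Reverse sealValue(). Returns the original bytes, or null when the stored
 * value is malformed, fails the HMAC check, or cannot be decrypted.
 * Treating a non-string return as failure is a defensive assumption.
 */
function openValue($stored, $key, $hmacSalt) {
    $cipher = base64_decode($stored, true);
    if ($cipher === false) {
        return null;
    }
    try {
        $inner = Security::decrypt($cipher, $key, $hmacSalt);
    } catch (CakeException $e) {
        return null;
    }
    if (!is_string($inner) || $inner === '') {
        return null;
    }
    $plain = base64_decode($inner, true);
    return ($plain === false) ? null : $plain;
}

// Usage with a constructed value that ends in two null bytes.
$secret = "api-token-123\0\0";
$stored = sealValue($secret, $key, $hmacSalt);
$roundTrip = openValue($stored, $key, $hmacSalt);
echo ($roundTrip === $secret) ? "round trip preserved all bytes\n" : "bytes lost\n";

// Flip one character of the stored ciphertext: the HMAC no longer matches,
// so openValue() returns null instead of corrupted plaintext.
$tampered = $stored;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
echo (openValue($tampered, $key, $hmacSalt) === null) ? "tampering detected\n" : "tampering missed\n";
```

Because the HMAC covers the IV and ciphertext, any modification of the stored value is rejected before decryption; the base64 wrapping costs about a third more storage but makes the round trip exact for arbitrary binary input.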

generateAuthKey() public static deprecated

generateAuthKey()

Generate authorization hash.

Deprecated
2.8.1 This method was removed in 3.0.0
Returns
string
Hash

hash() public static

hash(string $string, string $type = null, mixed $salt = false)

Create a hash from string using given method or fallback on next available method.

Using Blowfish

  • Creating Hashes: Do not supply a salt. Cake handles salt creation for you ensuring that each hashed password will have a unique salt.
  • Comparing Hashes: Simply pass the originally hashed password as the salt. The salt is prepended to the hash and PHP handles the parsing automagically. For convenience the BlowfishPasswordHasher class is available for use with the AuthComponent.
  • Do NOT use a constant salt for blowfish!

Creating a blowfish/bcrypt hash:

$hash = Security::hash($password, 'blowfish');

Parameters
string $string
String to hash
string $type optional null
Method to use (sha1/sha256/md5/blowfish)
mixed $salt optional false

If true, automatically prepends the application's salt value to $string (Security.salt). If you are using blowfish the salt must be false or a previously generated salt.

Returns
string
Hash
Link
https://book.cakephp.org/2.0/en/core-utility-libraries/security.html#Security::hash
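The following is an added example, not code from the CakePHP API docs or the framework; it puts the three Blowfish rules above (no salt when creating, the stored hash as the salt when comparing, never a constant salt) into a pair of helpers for a CakePHP 2.x application. The helper names hashPassword()/verifyPassword(), the cost of 12 passed to Security::setCost(), and the sample password are constructed for this example. The constant-time comparison relies on hash_equals() (PHP 5.6 and later) with a hand-written fallback for older PHP, both of which are additions of this example rather than anything Security::hash() does itself.

```php
<?php
// Added example (not part of the CakePHP API docs): creating and verifying
// bcrypt ("blowfish") password hashes with Security::hash() in a CakePHP 2.x app.
App::uses('Security', 'Utility');

// Optional: raise the work factor above the default cost of 10 (valid values
// are 4-31). Higher costs slow down offline guessing and your login page
// alike, so measure before choosing. 12 is a constructed choice for the example.
Security::setCost(12);

/**
 * Hash a new password. No salt is supplied: Security::hash() generates a
 * unique random salt per password and embeds it in the returned string.
 */
function hashPassword($password) {
    return Security::hash($password, 'blowfish');
}

/**
 * Verify a login attempt against a stored hash. The stored hash is passed as
 * the $salt argument; crypt() reads the embedded salt and cost from it, so
 * re-hashing the candidate reproduces the stored string exactly when the
 * password matches. The comparison is constant-time so that the response time
 * does not reveal how many leading bytes matched.
 */
function verifyPassword($candidate, $storedHash) {
    if (!is_string($storedHash) || strpos($storedHash, '$2') !== 0) {
        // Not a bcrypt hash (e.g. a legacy sha1 record): refuse rather than
        // letting the comparison run against a different algorithm.
        return false;
    }
    $recomputed = Security::hash($candidate, 'blowfish', $storedHash);
    if ($recomputed === '') {
        // Security::hash() returns '' when the supplied salt is not usable.
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($storedHash, $recomputed);
    }
    // Fallback for PHP < 5.6: compare every byte, accumulate differences.
    if (strlen($storedHash) !== strlen($recomputed)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($storedHash); $i < $n; $i++) {
        $diff |= ord($storedHash[$i]) ^ ord($recomputed[$i]);
    }
    return $diff === 0;
}

// Usage with a constructed password. Two calls to hashPassword() with the same
// input produce different strings, because each gets its own random salt.
$stored = hashPassword('correct horse battery staple');
echo verifyPassword('correct horse battery staple', $stored) ? "accepted\n" : "rejected\n";
echo verifyPassword('wrong password', $stored) ? "accepted\n" : "rejected\n";
```

Storing the full output of Security::hash() is all that is needed; the salt and cost travel inside the hash string, which is why a separate salt column (or a constant application salt) must never be used with blowfish.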

inactiveMins() public static deprecated

inactiveMins()

Get allowed minutes of inactivity based on security level.

Deprecated
3.0.0 Exists for backwards compatibility only, not used by the core
Returns
integer
Allowed inactivity in minutes

randomBytes() public static

randomBytes(integer $length)

Get random bytes from a secure source.

This method will fall back to an insecure source and trigger a warning if it cannot find a secure source of random data.

Parameters
integer $length
The number of bytes you want.
Returns
string
Random bytes in binary.
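The following is an added example, not code from the CakePHP API docs or the framework. Since Security::randomBytes() falls back to an insecure source and only triggers a PHP warning, a token generator that must not run on weak randomness has to turn that warning into a hard failure. The helper name secureTokenHex() and the idea of trapping both E_WARNING and E_USER_WARNING are assumptions of this example; the page does not state which warning level is raised.

```php
<?php
// Added example (not part of the CakePHP API docs): generating a random token
// with Security::randomBytes() and failing closed instead of accepting the
// insecure fallback the method documents.
App::uses('Security', 'Utility');

/**
 * Return $length random bytes, hex-encoded. If Security::randomBytes() has to
 * fall back to an insecure source it triggers a warning; a temporary error
 * handler converts that warning into an exception so no token is ever minted
 * from weak randomness. Trapping E_WARNING as well as E_USER_WARNING is an
 * assumption of this example, not documented behaviour.
 */
function secureTokenHex($length) {
    $handler = function ($errno, $errstr) {
        throw new RuntimeException('No secure random source: ' . $errstr);
    };
    set_error_handler($handler, E_WARNING | E_USER_WARNING);
    try {
        $bytes = Security::randomBytes($length);
    } catch (Exception $e) {
        restore_error_handler();
        throw $e;
    }
    restore_error_handler();
    if (strlen($bytes) !== $length) {
        throw new RuntimeException('Short read from random source');
    }
    return bin2hex($bytes);
}

// Usage: a 32-byte (64 hex character) token, e.g. for a password-reset link.
// Store only a hash of such a token server-side and compare with hash_equals().
echo secureTokenHex(32), "\n";
```

Failing closed here is the defender's choice: a deployment missing the openssl extension or random_compat then surfaces as an exception in logs rather than as predictable tokens in production.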

rijndael() public static

rijndael(string $text, string $key, string $operation)

Encrypts/Decrypts a text using the given key using the rijndael method.

Prior to 2.3.1, a fixed initialization vector was used. This was not secure. This method now uses a random IV, and will silently upgrade values when they are re-encrypted.

Parameters
string $text
Encrypted string to decrypt, normal string to encrypt
string $key
Key to use as the encryption key for encrypted data.
string $operation
Operation to perform, encrypt or decrypt
Returns
string
Encrypted/Decrypted string

setCost() public static

setCost(integer $cost)

Sets the cost for the blowfish hash method.

Parameters
integer $cost
Valid values are 4-31

setHash() public static

setHash(string $hash)

Sets the default hash method for the Security object. This affects all objects using Security::hash().

Parameters
string $hash
Method to use (sha1/sha256/md5/blowfish)
See
Security::hash()

validateAuthKey() public static deprecated

validateAuthKey(string $authKey)

Validate authorization hash.

Deprecated
2.8.1 This method was removed in 3.0.0
Parameters
string $authKey
Authorization hash
Returns
boolean
Success

Properties detail

$hashCost

public static string

Default cost

'10'

$hashType

public static string

Default hash method

null

Generated using CakePHP API Docs