CakePHP 4.6 Strawberry API
Class FormProtector

Protects against form tampering. It ensures that:

  • Form's action (URL) is not modified.
  • Unknown / extra fields are not added to the form.
  • Existing fields have not been removed from the form.
  • Values of hidden inputs have not been changed.

Namespace: Cake\Form

Property Summary

  • $debugMessage protected
    string|null

    Error message providing detail for failed validation.

  • $fields protected
    array

    Fields list.

  • $unlockedFields protected
    array<string>

    Unlocked fields.

Method Summary

  • __construct() public

    Construct.

  • __debugInfo() public

    Return debug info

  • addField() public

Determine which fields of a form should be used for the hash.

  • buildTokenData() public

    Generate the token data.

  • debugCheckFields() protected

Iterates the data array to check it against the expected fields.

  • debugExpectedFields() protected

    Generate debug message for the expected fields

  • debugTokenNotMatching() protected

Create a human-readable message explaining why the security token does not match.

  • extractFields() protected

    Return the fields list for the hash calculation

  • extractHashParts() protected

    Return hash parts for the token generation

  • extractToken() protected

    Extract token from data.

  • generateHash() protected

    Generate validation hash.

  • getError() public

    Get validation error message.

  • getFieldNameArray() protected

Parses the field name to create a dot separated name value for use in the field hash. If the field name is of the form Model[field] or Model.field, an array of name parts like ['Model', 'field'] is returned.

  • matchExistingFields() protected

Generate an array of messages for the fields present in the POST data; entries of $dataFields that match $expectedFields are unset.

  • sortedUnlockedFields() protected

Get the sorted list of unlocked fields.

  • unlockField() public

    Add to the list of fields that are currently unlocked.

  • validate() public

    Validate submitted form data.

Method Detail

__construct() public

__construct(array<string, mixed> $data = [])

Construct.

Parameters
array<string, mixed> $data optional

Data array, can contain key unlockedFields with list of unlocked fields.

__debugInfo() public

__debugInfo(): array<string, mixed>

Return debug info

Returns
array<string, mixed>

addField() public

addField(array<string>|string $field, bool $lock = true, mixed $value = null): $this

Determine which fields of a form should be used for the hash.

Parameters
array<string>|string $field

Reference to the field to be secured. Can be a dot separated string to indicate nesting, or an array of field name parts.

bool $lock optional

Whether this field should be part of the validation (true) or excluded from it by adding it to the unlocked fields (false). Default true.

mixed $value optional

Field value, if the value must not be tampered with (as for hidden inputs).

Returns
$this

buildTokenData() public

buildTokenData(string $url = '', string $sessionId = ''): array<string, string>

Generate the token data.

Parameters
string $url optional

Form URL.

string $sessionId optional

Session Id.

Returns
array<string, string>

debugCheckFields() protected

debugCheckFields(array $dataFields, array $expectedFields = [], string $intKeyMessage = '', string $stringKeyMessage = '', string $missingMessage = ''): array<string>

Iterates the data array to check it against the expected fields.

Parameters
array $dataFields

Fields array, containing the POST data fields

array $expectedFields optional

Fields array, containing the expected fields we should have in POST

string $intKeyMessage optional

Message template for an unexpected field found in the data fields indexed by int (not protected).

string $stringKeyMessage optional

Message template for a tampered field found in the data fields indexed by string (protected).

string $missingMessage optional

Message template for a missing field.

Returns
array<string>

debugExpectedFields() protected

debugExpectedFields(array $expectedFields = [], string $missingMessage = ''): string|null

Generate debug message for the expected fields

Parameters
array $expectedFields optional

Expected fields

string $missingMessage optional

Message template

Returns
string|null

debugTokenNotMatching() protected

debugTokenNotMatching(array $formData, array $hashParts): string

Create a human-readable message explaining why the security token does not match.

Parameters
array $formData

Data.

array $hashParts

Elements used to generate the token hash.

Returns
string

extractFields() protected

extractFields(array $formData): array

Return the fields list for the hash calculation

Parameters
array $formData

Data array

Returns
array

extractHashParts() protected

extractHashParts(array<string, array> $formData): array<string, array>

Return hash parts for the token generation

Parameters
array<string, array> $formData

Form data.

Returns
array<string, array>

extractToken() protected

extractToken(mixed $formData): string|null

Extract token from data.

Parameters
mixed $formData

Data to validate.

Returns
string|null

generateHash() protected

generateHash(array $fields, array<string> $unlockedFields, string $url, string $sessionId): string

Generate validation hash.

Parameters
array $fields

Fields list.

array<string> $unlockedFields

Unlocked fields.

string $url

Form URL.

string $sessionId

Session Id.

Returns
string

getError() public

getError(): string|null

Get validation error message.

Returns
string|null

getFieldNameArray() protected

getFieldNameArray(string $name): array<string>

Parses the field name to create a dot separated name value for use in the field hash. If the field name is of the form Model[field] or Model.field, an array of name parts like ['Model', 'field'] is returned.

Parameters
string $name

The form inputs name attribute.

Returns
array<string>

matchExistingFields() protected

matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage): array<string>

Generate an array of messages for the fields present in the POST data; entries of $dataFields that match $expectedFields are unset.

Parameters
array $dataFields

Fields array, containing the POST data fields

array $expectedFields

Fields array, containing the expected fields we should have in POST

string $intKeyMessage

Message template for an unexpected field found in the data fields indexed by int (not protected).

string $stringKeyMessage

Message template for a tampered field found in the data fields indexed by string (protected).

Returns
array<string>

sortedUnlockedFields() protected

sortedUnlockedFields(array $formData): array<string>

Get the sorted list of unlocked fields.

Parameters
array $formData

Data array

Returns
array<string>

unlockField() public

unlockField(string $name): $this

Add to the list of fields that are currently unlocked.

Unlocked fields are not included in the field hash.

Parameters
string $name

The dot separated name for the field.

Returns
$this

validate() public

validate(mixed $formData, string $url, string $sessionId): bool

Validate submitted form data.

Parameters
mixed $formData

Form data.

string $url

URL the form was POSTed to.

string $sessionId

Session id for hash generation.

Returns
bool
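The full round trip that the class description and the addField(), buildTokenData() and validate() entries above describe, as an added example that is not part of the CakePHP documentation or source. The Composer autoloader path, the salt, the session id, the form fields, the POST bodies and the check() helper are all constructed here; the _Token[fields] / _Token[unlocked] / _Token[debug] layout is the one FormHelper emits and is assumed.

```php
<?php
declare(strict_types=1);
require 'vendor/autoload.php';   // Composer autoloader; assumes cakephp/cakephp is installed

use Cake\Form\FormProtector;
use Cake\Utility\Security;

// generateHash() is an HMAC keyed with the application salt, so a salt must be set.
// Constructed placeholder: a real app loads it from config/app_local.php.
Security::setSalt('CONSTRUCTED-PLACEHOLDER-SALT-replace-with-app-security-salt');

$url = '/articles/edit/7';               // action the form will POST to
$sessionId = 'constructed-session-id';   // normally $request->getSession()->id()

// Rendering side: FormHelper calls addField()/unlockField() for every input it emits.
$protector = new FormProtector();
$protector->addField('title');                 // locked: must be present, value may change
$protector->addField('body');
$protector->addField('user_id', true, '42');  // locked with value: hidden input, value must not change
$protector->unlockField('comment');           // unlocked: client may add, drop or edit it freely

// 'fields', 'unlocked' and 'debug' become the hidden inputs _Token[fields],
// _Token[unlocked] and _Token[debug]. The unlocked list is part of the HMAC input,
// so the client cannot extend it; 'debug' only feeds getError() and is not signed.
$token = $protector->buildTokenData($url, $sessionId);

// Submission side: validate with a fresh protector; everything needed travels in _Token.
function check(array $data, string $url, string $sessionId): string
{
    $p = new FormProtector();
    return $p->validate($data, $url, $sessionId) ? 'valid' : 'rejected: ' . $p->getError();
}

// Constructed POST body, exactly as an untampered browser would send it back.
$post = [
    'title'   => 'Hello',
    'body'    => 'Body text',
    'user_id' => '42',
    'comment' => 'free text, not covered by the hash',
    '_Token'  => $token,
];
echo check($post, $url, $sessionId), PHP_EOL;                        // valid

// Each tampering case below alters the reconstructed hash input, so validate() is false
// and getError() explains which field or URL differs from the signed token.
echo check($post + ['is_admin' => '1'], $url, $sessionId), PHP_EOL;   // extra field added
echo check(['user_id' => '1'] + $post, $url, $sessionId), PHP_EOL;    // hidden value changed
echo check(array_diff_key($post, ['body' => 1]), $url, $sessionId), PHP_EOL; // locked field removed
echo check($post, '/articles/edit/8', $sessionId), PHP_EOL;           // form action changed
```

Note that text inputs such as title are protected only by name, not by value; only fields registered with a value (the hidden user_id here) have their value covered by the hash.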

Property Detail

$debugMessage protected

Error message providing detail for failed validation.

Type
string|null

$fields protected

Fields list.

Type
array

$unlockedFields protected

Unlocked fields.

Type
array<string>
Generated using CakePHP API Docs