Class Phalcon\Security

implements Phalcon\Di\InjectionAwareInterface

Source on GitHub

This component provides a set of functions to improve the security in Phalcon applications

  1. <?php
  2. $login = $this->request->getPost("login");
  3. $password = $this->request->getPost("password");
  4. $user = Users::findFirstByLogin($login);
  5. if ($user) {
  6. if ($this->security->checkHash($password, $user->password)) {
  7. // The password is valid
  8. }
  9. }

Constants

integer CRYPT_DEFAULT

integer CRYPT_STD_DES

integer CRYPT_EXT_DES

integer CRYPT_MD5

integer CRYPT_BLOWFISH

integer CRYPT_BLOWFISH_A

integer CRYPT_BLOWFISH_X

integer CRYPT_BLOWFISH_Y

integer CRYPT_SHA256

integer CRYPT_SHA512

Methods

public setWorkFactor (mixed $workFactor)

public getWorkFactor ()

public __construct ()

Phalcon\Security constructor

public setDI (Phalcon\DiInterface $dependencyInjector)

Sets the dependency injector

public getDI ()

Returns the internal dependency injector

public setRandomBytes (mixed $randomBytes)

Sets a number of bytes to be generated by the openssl pseudo random generator

public getRandomBytes ()

Returns a number of bytes to be generated by the openssl pseudo random generator

public getRandom ()

Returns a secure random number generator instance

public getSaltBytes ([mixed $numberBytes])

Generate a >22-length pseudo random string to be used as salt for passwords

public hash (mixed $password, [mixed $workFactor])

Creates a password hash using bcrypt with a pseudo random salt

public checkHash (mixed $password, mixed $passwordHash, [mixed $maxPassLength])

Checks a plain text password and its hash version to check if the password matches

public isLegacyHash (mixed $passwordHash)

Checks if a password hash is a valid bcrypt’s hash

public getTokenKey ()

Generates a pseudo random token key to be used as input’s name in a CSRF check

public getToken ()

Generates a pseudo random token value to be used as input’s value in a CSRF check

public checkToken ([mixed $tokenKey], [mixed $tokenValue], [mixed $destroyIfValid])

Check if the CSRF token sent in the request is the same that the current in session

public getSessionToken ()

Returns the value of the CSRF token in session

public destroyToken ()

Removes the value of the CSRF token and key from session

public computeHmac (mixed $data, mixed $key, mixed $algo, [mixed $raw])

Computes a HMAC

public setDefaultHash (mixed $defaultHash)

Sets the default hash

public getDefaultHash ()

Returns the default hash

public hasLibreSsl ()

Testing for LibreSSL

public getSslVersionNumber ()

Getting OpenSSL or LibreSSL version Parse OPENSSL_VERSION_TEXT because OPENSSL_VERSION_NUMBER is no use for LibreSSL.

  1. <?php
  2. if ($security->getSslVersionNumber() >= 20105) {
  3. // ...
  4. }