Protects against form tampering. It ensures that:
string|null
Error message providing detail for failed validation.
array
Fields list.
array<string>
Unlocked fields.
__construct(): Construct.
__debugInfo(): Return debug info
addField(): Determine which fields of a form should be used for hash.
buildTokenData(): Generate the token data.
debugCheckFields(): Iterates data array to check against expected
debugExpectedFields(): Generate debug message for the expected fields
debugTokenNotMatching(): Create a message for humans to understand why Security token is not matching
extractFields(): Return the fields list for the hash calculation
extractHashParts(): Return hash parts for the token generation
extractToken(): Extract token from data.
generateHash(): Generate validation hash.
getError(): Get validation error message.
getFieldNameArray(): Parses the field name to create a dot separated name value for use in field hash. If fieldname is of form Model[field] or Model.field an array of fieldname parts like ['Model', 'field'] is returned.
matchExistingFields(): Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
sortedUnlockedFields(): Get the sorted unlocked string
unlockField(): Add to the list of fields that are currently unlocked.
validate(): Validate submitted form data.
__construct(array<string, mixed> $data = [])
Construct.
array<string, mixed>
$data optional Data array, can contain key unlockedFields
with list of unlocked fields.
__debugInfo(): array<string, mixed>
Return debug info
array<string, mixed>
addField(array<string>|string $field, bool $lock = true, mixed $value = null): $this
Determine which fields of a form should be used for hash.
array<string>|string
$field Reference to field to be secured. Can be dot separated string to indicate nesting or array of fieldname parts.
bool
$lock optional Whether this field should be part of the validation or excluded as part of the unlockedFields. Default true.
mixed
$value optional Field value, if value should not be tampered with.
$this
buildTokenData(string $url = '', string $sessionId = ''): array<string, string>
Generate the token data.
string
$url optional Form URL.
string
$sessionId optional Session Id.
array<string, string>
debugCheckFields(array $dataFields, array $expectedFields = [], string $intKeyMessage = '', string $stringKeyMessage = '', string $missingMessage = ''): array<string>
Iterates data array to check against expected
array
$dataFields Fields array, containing the POST data fields
array
$expectedFields optional Fields array, containing the expected fields we should have in POST
string
$intKeyMessage optional Message string if unexpected found in data fields indexed by int (not protected)
string
$stringKeyMessage optional Message string if tampered found in data fields indexed by string (protected).
string
$missingMessage optional Message string if missing field
array<string>
debugExpectedFields(array $expectedFields = [], string $missingMessage = ''): string|null
Generate debug message for the expected fields
array
$expectedFields optional Expected fields
string
$missingMessage optional Message template
string|null
debugTokenNotMatching(array $formData, array $hashParts): string
Create a message for humans to understand why Security token is not matching
array
$formData Data.
array
$hashParts Elements used to generate the Token hash
string
extractFields(array $formData): array
Return the fields list for the hash calculation
array
$formData Data array
array
extractHashParts(array<string, array> $formData): array<string, array>
Return hash parts for the token generation
array<string, array>
$formData Form data.
array<string, array>
extractToken(mixed $formData): string|null
Extract token from data.
mixed
$formData Data to validate.
string|null
generateHash(array $fields, array<string> $unlockedFields, string $url, string $sessionId): string
Generate validation hash.
array
$fields Fields list.
array<string>
$unlockedFields Unlocked fields.
string
$url Form URL.
string
$sessionId Session Id.
string
getError(): string|null
Get validation error message.
string|null
getFieldNameArray(string $name): array<string>
Parses the field name to create a dot separated name value for use in field hash. If fieldname is of form Model[field] or Model.field an array of fieldname parts like ['Model', 'field'] is returned.
string
$name The form inputs name attribute.
array<string>
matchExistingFields(array $dataFields, array $expectedFields, string $intKeyMessage, string $stringKeyMessage): array<string>
Generate array of messages for the existing fields in POST data, matching dataFields in $expectedFields will be unset
array
$dataFields Fields array, containing the POST data fields
array
$expectedFields Fields array, containing the expected fields we should have in POST
string
$intKeyMessage Message string if unexpected found in data fields indexed by int (not protected)
string
$stringKeyMessage Message string if tampered found in data fields indexed by string (protected)
array<string>
sortedUnlockedFields(array $formData): array<string>
Get the sorted unlocked string
array
$formData Data array
array<string>
unlockField(string $name): $this
Add to the list of fields that are currently unlocked.
Unlocked fields are not included in the field hash.
string
$name The dot separated name for the field.
$this
validate(mixed $formData, string $url, string $sessionId): bool
Validate submitted form data.
mixed
$formData Form data.
string
$url URL form was POSTed to.
string
$sessionId Session id for hash generation.
bool
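The render-then-validate round trip through addField(), buildTokenData() and validate(), as an added example that is not CakePHP's own code: it builds a token for a small form and then checks several altered submissions against it. It assumes cakephp/cakephp 4.4 is installed via Composer with debug mode off; the salt, URL, session id and field names are constructed, and the `_Token` request key is the one validate() reads.

```php
<?php
// Added example, not CakePHP's own code. Assumes cakephp/cakephp 4.4 via
// Composer and debug mode off (the state when Configure is not set up).
require __DIR__ . '/vendor/autoload.php';

use Cake\Form\FormProtector;
use Cake\Utility\Security;

// Constructed placeholders: salt, form URL and session id.
Security::setSalt('constructed-example-salt-0123456789abcdef0123456789abcdef');
$url = '/articles/add';
$sessionId = 'constructed-session-id';

// Render side: register each field as the form is built.
$token = (new FormProtector())
    ->addField('title')               // field name is hashed, value is not
    ->addField('user_id', true, '7')  // field name and value are hashed
    ->addField('notes', false)        // unlocked: excluded from the field hash
    ->buildTokenData($url, $sessionId);
unset($token['debug']); // the debug entry is rejected when debug mode is off

// Request side: a fresh instance recomputes the hash from the POST data.
function check(array $post, array $token, string $url, string $sid): string
{
    $protector = new FormProtector();
    $ok = $protector->validate($post + ['_Token' => $token], $url, $sid);

    return $ok ? 'valid' : 'rejected: ' . ($protector->getError() ?? 'hash mismatch');
}

// Constructed POST bodies: the first matches the rendered form, the rest do not.
$good = ['title' => 'Hello', 'user_id' => '7', 'notes' => 'free text'];
$cases = [
    'as rendered'          => [$good, $url, $sessionId],
    'locked value changed' => [['user_id' => '1'] + $good, $url, $sessionId],
    'extra field added'    => [$good + ['is_admin' => '1'], $url, $sessionId],
    'field removed'        => [array_diff_key($good, ['title' => 1]), $url, $sessionId],
    'different URL'        => [$good, '/articles/delete', $sessionId],
    'different session'    => [$good, $url, 'other-session'],
    'title text edited'    => [['title' => 'Edited'] + $good, $url, $sessionId],
    'unlocked field edited' => [['notes' => 'changed'] + $good, $url, $sessionId],
];
foreach ($cases as $label => [$post, $u, $sid]) {
    printf("%-22s %s\n", $label, check($post, $token, $u, $sid));
}
```

The last two cases show what the token does not cover: values of ordinary fields and anything unlocked still need normal server-side validation and authorization checks.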
Error message providing detail for failed validation.
string|null
Fields list.
array
Unlocked fields.
array<string>
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
https://api.cakephp.org/4.4/class-Cake.Form.FormProtector.html