Issues in CFSesion.php (master) - Issues in master - webcol/Calima - Measure and Improve Code Quality continuously with Scrutinizer

Issues (699)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Sistema/Nucleo/CFSesion.php (12 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/*
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * This software consists of voluntary contributions made by many individuals
 * and is licensed under the MIT license. For more information, see
 * @category   
 * @package    sistema/nucleo
 * @copyright  Copyright (c) 2006 - 2014 webcol.net (http://www.webcol.net/calima)
 * @license	https://github.com/webcol/Calima/blob/master/LICENSE	MIT
 * @version	##BETA 1.0##, ##2014 - 2015##
 * <http://www.calimaframework.com>.
 */
/*
 * require('Cf_Sesion.php');
 * $sesion=new Cf_Sesion();
 * Set to true if using https
 * $sesion->iniciarSesion('_s',false);
 
 * $_SESSION['something']='A value.';
 * echo$_SESSION['something'];
 */
namespace Sistema\Nucleo;
class CFSesion
{   

    
    private $host       = CF_BD_HOST;
    private $usuario    = CF_BD_USUARIO;
    private $clave      = CF_BD_CLAVE;
    private $bdnombre   = CF_BD_NOMBRE;
    private $bdchar     = CF_BD_CHAR;

    private $bdconector = CF_BD_CONECTOR;

    
   public function __construct() {
       session_regenerate_id(true);
         // set our custom session functions.
      session_set_save_handler(array($this, 'abrir'), array($this, 'cerrar'), array($this, 'leer'), array($this, 'escribir'), array($this, 'destruir'), array($this, 'gc'));
      // This line prevents unexpected effects when using objects as save handlers.
      register_shutdown_function('session_write_close');      
   }   
  /* public function __destruct() {
      session_regenerate_id(true);
   }*/
           function iniciarSesion($session_name, $secure) {
      // Make sure the session cookie is not accessable via javascript.
      $httpunico = true;

      // Hash algorithm to use for the sessionid. (use hash_algos() to get a list of available hashes.)
      $sesion_hash = 'sha512';

      // Check if hash is available
      if (in_array($sesion_hash, hash_algos())) {
        // Set the has function.
        ini_set('session.hash_function', $sesion_hash);
      }
      // How many bits per character of the hash.
      // The possible values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-", ",").
      ini_set('session.hash_bits_per_character', 5);

      // Force the session to only use cookies, not URL variables.
      ini_set('session.use_only_cookies', 1);

      // Get session cookie parameters 
      $cookieParams = session_get_cookie_params(); 
      // Set the parameters
      session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httpunico); 
      // Change the session name 
      session_name($session_name);
      // Now we cat start the session
      session_start();
     
      // This line regenerates the session and delete the old one. 
      // It also generates a new encryption key in the database. 
       
   }

// ingrese la informacion de conexion a su base de datos, debe ser igual a la que esta en CFConfiguracion.php
   function abrir() {
   $host = $this->host;
   $user = $this->usuario;
   $pass = $this->clave;
   $name = $this->bdnombre;
   
   $mysqli = new \mysqli($host, $user, $pass, $name);
   $this->db = $mysqli;
class MyClass { }

$x = new MyClass();
$x->foo = true;
   return true;
   }

   function cerrar() {
      $this->db->close();
      return true;
   }


   function leer($id) {
      if(!isset($this->read_stmt)) {
      $this->read_stmt = $this->db->prepare("SELECT data FROM sesiones WHERE id = ? LIMIT 1");
class MyClass { }

$x = new MyClass();
$x->foo = true;
   }
   $this->read_stmt->bind_param('s', $id);
   $this->read_stmt->execute();
   $this->read_stmt->store_result();
   $this->read_stmt->bind_result($data);
function someFunction() {
    $x = 5;
    echo $x;
}
   $this->read_stmt->fetch();
   $key = $this->getkey($id);
   $data = $this->decrypt($data, $key);
function someFunction() {
    $x = 5;
    echo $x;
}
   return $data;
   }





   function escribir($id, $data) {
      // Get unique key
   $key = $this->getkey($id);
   // Encrypt the data
   $data = $this->encrypt($data, $key);
 
   $time = time();
   if(!isset($this->w_stmt)) {
      $this->w_stmt = $this->db->prepare("REPLACE INTO sesiones (id, set_time, data, session_key) VALUES (?, ?, ?, ?)");
class MyClass { }

$x = new MyClass();
$x->foo = true;
   }
 
   $this->w_stmt->bind_param('siss', $id, $time, $data, $key);
   $this->w_stmt->execute();
   return true;
   }

   function destruir($id) {
      if(!isset($this->delete_stmt)) {
      $this->delete_stmt = $this->db->prepare("DELETE FROM sesiones WHERE id = ?");
class MyClass { }

$x = new MyClass();
$x->foo = true;
   }
   $this->delete_stmt->bind_param('s', $id);
   $this->delete_stmt->execute();
   return true;
   }

   function gc($max) {
      if(!isset($this->gc_stmt)) {
      $this->gc_stmt = $this->db->prepare("DELETE FROM sesiones WHERE set_time < ?");
class MyClass { }

$x = new MyClass();
$x->foo = true;
   }
   $old = time() - $max;
   $this->gc_stmt->bind_param('s', $old);
   $this->gc_stmt->execute();
   return true;
   }

   private function getkey($id) {
           
      
      if(!isset($this->key_stmt)) {
      $this->key_stmt = $this->db->prepare("SELECT session_key FROM sesiones WHERE id = ? LIMIT 1");
class MyClass { }

$x = new MyClass();
$x->foo = true;
   }
   $this->key_stmt->bind_param('s', $id);
   $this->key_stmt->execute();
   $this->key_stmt->store_result();
   if($this->key_stmt->num_rows == 1) { 
      $this->key_stmt->bind_result($key);

      $this->key_stmt->fetch();
      return $key;
   } else {
      $random_key = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
      return $random_key;
   }
   }

   private function encrypt($data, $key) {
      $salt = 'cH!swe!retReGu7W6bEDRup7usuDUh9THeD2CHeGE*ewr4n39=E@rAsp7c-Ph@pH';
      $key = substr(hash('sha256', $salt.$key.$salt), 0, 32);
      $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
      $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
      $encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv));
      return $encrypted;
   }
   private function decrypt($data, $key) {
      $salt = 'cH!swe!retReGu7W6bEDRup7usuDUh9THeD2CHeGE*ewr4n39=E@rAsp7c-Ph@pH';
      $key = substr(hash('sha256', $salt.$key.$salt), 0, 32);
      $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
      $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
      $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($data), MCRYPT_MODE_ECB, $iv);
      return $decrypted;
   }
    
}

//estructura para bd

/*

CREATE TABLE IF NOT EXISTS `sesion` (
  `id` char(128) NOT NULL,
  `set_time` char(10) NOT NULL,
  `data` text NOT NULL,
  `session_key` char(128) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

*/


GitHub Access Token became invalid

Issues (699)

Security Analysis not enabled

Sistema/Nucleo/CFSesion.php (12 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1		<?php
2		/*
3		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
4		* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
5		* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
6		* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
7		* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
8		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
9		* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
10		* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
11		* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
12		* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
13		* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
14		*
15		* This software consists of voluntary contributions made by many individuals
16		* and is licensed under the MIT license. For more information, see
17		* @category
18		* @package sistema/nucleo
19		* @copyright Copyright (c) 2006 - 2014 webcol.net (http://www.webcol.net/calima)
20		* @license https://github.com/webcol/Calima/blob/master/LICENSE MIT
21		* @version ##BETA 1.0##, ##2014 - 2015##
22		* <http://www.calimaframework.com>.
23		*/
24		/*
25		* require('Cf_Sesion.php');
26		* $sesion=new Cf_Sesion();
27		* Set to true if using https
28		* $sesion->iniciarSesion('_s',false);
29
30		* $_SESSION['something']='A value.';
31		* echo$_SESSION['something'];
32		*/
33		namespace Sistema\Nucleo;
34		class CFSesion
35		{
		0 ignored issues – show Coding Style introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The opening class brace should be on a newline by itself. Loading history...
36
37		private $host = CF_BD_HOST;
38		private $usuario = CF_BD_USUARIO;
39		private $clave = CF_BD_CLAVE;
40		private $bdnombre = CF_BD_NOMBRE;
41		private $bdchar = CF_BD_CHAR;
		0 ignored issues – show Unused Code introduced 2016-03-13 00:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$bdchar` is not used and could be removed. This check marks private properties in classes that are never used. Those properties can be removed. Loading history...
42		private $bdconector = CF_BD_CONECTOR;
		0 ignored issues – show Unused Code introduced 2016-03-13 00:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$bdconector` is not used and could be removed. This check marks private properties in classes that are never used. Those properties can be removed. Loading history...
43
44		public function __construct() {
45		session_regenerate_id(true);
46		// set our custom session functions.
47		session_set_save_handler(array($this, 'abrir'), array($this, 'cerrar'), array($this, 'leer'), array($this, 'escribir'), array($this, 'destruir'), array($this, 'gc'));
48		// This line prevents unexpected effects when using objects as save handlers.
49		register_shutdown_function('session_write_close');
50		}
51		/* public function __destruct() {
52		session_regenerate_id(true);
53		}*/
54		function iniciarSesion($session_name, $secure) {
55		// Make sure the session cookie is not accessable via javascript.
56		$httpunico = true;
57
58		// Hash algorithm to use for the sessionid. (use hash_algos() to get a list of available hashes.)
59		$sesion_hash = 'sha512';
60
61		// Check if hash is available
62		if (in_array($sesion_hash, hash_algos())) {
63		// Set the has function.
64		ini_set('session.hash_function', $sesion_hash);
65		}
66		// How many bits per character of the hash.
67		// The possible values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-", ",").
68		ini_set('session.hash_bits_per_character', 5);
69
70		// Force the session to only use cookies, not URL variables.
71		ini_set('session.use_only_cookies', 1);
72
73		// Get session cookie parameters
74		$cookieParams = session_get_cookie_params();
75		// Set the parameters
76		session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httpunico);
77		// Change the session name
78		session_name($session_name);
79		// Now we cat start the session
80		session_start();
81
82		// This line regenerates the session and delete the old one.
83		// It also generates a new encryption key in the database.
84
85		}
86
87		// ingrese la informacion de conexion a su base de datos, debe ser igual a la que esta en CFConfiguracion.php
88		function abrir() {
89		$host = $this->host;
90		$user = $this->usuario;
91		$pass = $this->clave;
92		$name = $this->bdnombre;
93
94		$mysqli = new \mysqli($host, $user, $pass, $name);
95		$this->db = $mysqli;
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `db` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
96		return true;
97		}
98
99		function cerrar() {
100		$this->db->close();
101		return true;
102		}
103
104
105		function leer($id) {
106		if(!isset($this->read_stmt)) {
107		$this->read_stmt = $this->db->prepare("SELECT data FROM sesiones WHERE id = ? LIMIT 1");
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `read_stmt` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
108		}
109		$this->read_stmt->bind_param('s', $id);
110		$this->read_stmt->execute();
111		$this->read_stmt->store_result();
112		$this->read_stmt->bind_result($data);
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$data` seems only to be defined at a later point. Did you maybe move this code here without moving the variable definition? This error can happen if you refactor code and forget to move the variable initialization. Let’s take a look at a simple example: function someFunction() { $x = 5; echo $x; } The above code is perfectly fine. Now imagine that we re-order the statements: function someFunction() { echo $x; $x = 5; } In that case, `$x` would be read before it is initialized. This was a very basic example, however the principle is the same for the found issue. Loading history...
113		$this->read_stmt->fetch();
114		$key = $this->getkey($id);
115		$data = $this->decrypt($data, $key);
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$data` seems only to be defined at a later point. Did you maybe move this code here without moving the variable definition? This error can happen if you refactor code and forget to move the variable initialization. Let’s take a look at a simple example: function someFunction() { $x = 5; echo $x; } The above code is perfectly fine. Now imagine that we re-order the statements: function someFunction() { echo $x; $x = 5; } In that case, `$x` would be read before it is initialized. This was a very basic example, however the principle is the same for the found issue. Loading history...
116		return $data;
117		}
118
119
120
121
122
123		function escribir($id, $data) {
124		// Get unique key
125		$key = $this->getkey($id);
126		// Encrypt the data
127		$data = $this->encrypt($data, $key);
128
129		$time = time();
130		if(!isset($this->w_stmt)) {
131		$this->w_stmt = $this->db->prepare("REPLACE INTO sesiones (id, set_time, data, session_key) VALUES (?, ?, ?, ?)");
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `w_stmt` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
132		}
133
134		$this->w_stmt->bind_param('siss', $id, $time, $data, $key);
135		$this->w_stmt->execute();
136		return true;
137		}
138
139	View Code Duplication	function destruir($id) {
140		if(!isset($this->delete_stmt)) {
141		$this->delete_stmt = $this->db->prepare("DELETE FROM sesiones WHERE id = ?");
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `delete_stmt` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
142		}
143		$this->delete_stmt->bind_param('s', $id);
144		$this->delete_stmt->execute();
145		return true;
146		}
147
148	View Code Duplication	function gc($max) {
149		if(!isset($this->gc_stmt)) {
150		$this->gc_stmt = $this->db->prepare("DELETE FROM sesiones WHERE set_time < ?");
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `gc_stmt` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
151		}
152		$old = time() - $max;
153		$this->gc_stmt->bind_param('s', $old);
154		$this->gc_stmt->execute();
155		return true;
156		}
157
158		private function getkey($id) {
159
160
161		if(!isset($this->key_stmt)) {
162		$this->key_stmt = $this->db->prepare("SELECT session_key FROM sesiones WHERE id = ? LIMIT 1");
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `key_stmt` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
163		}
164		$this->key_stmt->bind_param('s', $id);
165		$this->key_stmt->execute();
166		$this->key_stmt->store_result();
167		if($this->key_stmt->num_rows == 1) {
168		$this->key_stmt->bind_result($key);
		0 ignored issues – show Bug introduced 2016-02-17 21:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$key` does not exist. Did you forget to declare it? This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug. Loading history...
169		$this->key_stmt->fetch();
170		return $key;
171		} else {
172		$random_key = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
173		return $random_key;
174		}
175		}
176
177	View Code Duplication	private function encrypt($data, $key) {
178		$salt = 'cH!swe!retReGu7W6bEDRup7usuDUh9THeD2CHeGE*ewr4n39=E@rAsp7c-Ph@pH';
179		$key = substr(hash('sha256', $salt.$key.$salt), 0, 32);
180		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
181		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
182		$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv));
183		return $encrypted;
184		}
185	View Code Duplication	private function decrypt($data, $key) {
186		$salt = 'cH!swe!retReGu7W6bEDRup7usuDUh9THeD2CHeGE*ewr4n39=E@rAsp7c-Ph@pH';
187		$key = substr(hash('sha256', $salt.$key.$salt), 0, 32);
188		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
189		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
190		$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($data), MCRYPT_MODE_ECB, $iv);
191		return $decrypted;
192		}
193
194		}
195
196		//estructura para bd
197
198		/*
199
200		CREATE TABLE IF NOT EXISTS `sesion` (
201		`id` char(128) NOT NULL,
202		`set_time` char(10) NOT NULL,
203		`data` text NOT NULL,
204		`session_key` char(128) NOT NULL,
205		PRIMARY KEY (`id`)
206		) ENGINE=InnoDB DEFAULT CHARSET=latin1;
207
208		*/
209

webcol / Calima

GitHub Access Token became invalid

Issues (699)

Security Analysis not enabled

Sistema/Nucleo/CFSesion.php (12 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like