DEV Community

Czar Pino
Czar Pino

Posted on

1 1

PHP Pseudo Random String

#php #security #randomgenerator

When writing a random string generator in PHP, you must first consider whether or not you need a generator for a throwaway string ( e.g. placeholder or sample username) or a sensitive data (like a default password, application token, or salt). If you are generating for the latter, this article is for you.

Arbitrary length strings

Generating a random string in PHP involves two main steps:

  1. First is generating a cryptographically secure set of random bytes
  2. and second is encoding the bytes into a string of printable characters

For generating random bytes, there are two main approaches depending on PHP version. The pre-PHP7 approach uses openssl_random_pseudo_bytes while the PHP7 approach prefers random_bytes. An advantage of the latter is that it is native and does not need additional modules installed. If needed, openssl_random_pseudo_bytes is still available in PHP7 as an extension. But as both functions are considered cryptographically secure generators anyway, random_bytes is the recommended function.

For encoding the bytes into printable characters, there are also a couple of viable approaches. Most popular of these are base64_encode and bin2hex. You generally can't go wrong with either of these although bin2hex does have the advantage of being more predictable in length while base64_encode produces a shorter string with more variety in characters used.

Concretely, here is how you can generate a cryptographically secure random string :

// Pre PHP7
$numOfBytes = 10;
$randomBytes = openssl_random_pseudo_bytes($numOfBytes);
$randomString = base64_encode($randomBytes);

/// PHP7+
$numOfBytes = 10;
$randomBytes = random_bytes($numOfBytes);
$randomString = base64_encode($randomBytes);

If you need some predictability such as generating string with a specific length, encoding bytes using bin2hex will be more suitable despite being limited to even length strings only.

// Need to generate string with length 20!

// First generate 10 random bytes
$randomBytes = random_bytes(10);

// Now encode to get a 20 character string
$randomString = bin2hex($randomBytes);

Exact length strings

If you want complete control on the length of the random string generated, it would be more suitable to use PHP7's random_int function. And if your system is on PHP5, you can use a polyfill library called random_compat.

// Generate a 20 character string
$randomStr = '';
$allowedCharacters='0123456789abcdef';
for (
    $i = 0, $allowedMaxIdx = mb_strlen($allowedCharacters) - 1;
    $i < 20;
    $i ++
) {
    $randomStr .= $allowedCharacters[random_int(0, $allowedMaxIdx)];
}

And that's how you generate secure random strings in PHP. Happy coding!

Originally published at https://plog.czarpino.com/php-pseudorandom-string/

profile
Heroku
 Promoted

Heroku

This site is built on Heroku

Join the ranks of developers at Salesforce, Airbase, DEV, and more who deploy their mission critical applications on Heroku. Sign up today and launch your first app!

Get Started

Top comments (0)

profile
Coherence
 Promoted

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

Read next

jennythomas498 profile image

Exploring the Cortex Java SDK: Where Blockchain Meets Artificial Intelligence

JennyThomas498 -

ashucommits profile image

Exploring the Ocean Protocol Java SDK: A Game-Changer in Blockchain AI

ashu-commits -

vitalisorenko profile image

Exploring Web3j-NFT: Open Source Innovation in the NFT Ecosystem

Vitali Sorenko -

beatrisilieva profile image

Exploring JavaScript Inheritance: Understanding Prototypes and Classes

Beatris Ilieva -