You are browsing the documentation for Symfony 3.1 which is not maintained anymore.
Securely Generating Random Values
The Symfony Security component comes with a collection of utilities related to security. Symfony uses them itself, and you should use them too whenever you face the problems they address.
Note
The functions described in this article are native PHP functions: hash_equals() was added in PHP 5.6, random_bytes() and random_int() in PHP 7.0. For older PHP versions, the Symfony Polyfill Component provides drop-in implementations under the same names.
Comparing Strings
A conventional string comparison (the == operator, strcmp() and similar) returns as soon as it finds the first differing byte, so the time it takes depends on how long the common prefix of the two strings is. An attacker who can measure that time, for instance when one of the strings is a password or an API token, can recover the secret one byte at a time. This is known as a timing attack.
When comparing a secret against user input, use the hash_equals() function, which takes the same time whatever the contents of the two strings. Pass the known secret as the first argument and the user-supplied value as the second: hash_equals() still returns false immediately when the lengths differ, so only the length of the first argument can be learned from timing. Both arguments must be strings.
// $knownString is the secret you hold, $userInput the value to check against it
if (hash_equals($knownString, $userInput)) {
    // ...
}
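The following is an added example, not code from the Symfony documentation or the Symfony code base. It applies hash_equals() to a realistic case, verifying an HMAC signature on a webhook body, and places a naive byte-by-byte comparison beside it to show where the early exit that leaks timing happens. The secret, payload and function names are made up for this demonstration.

```php
<?php
// Added example, not from the Symfony documentation or the Symfony code base.
// Verifies an HMAC signature on a webhook body in constant time with
// hash_equals(). The secret, payload and helper names are made up for this demo.

declare(strict_types=1);

function verify_webhook_signature(string $secret, string $payload, string $received): bool
{
    // Recompute what an honest sender must have produced: hex-encoded HMAC-SHA256.
    $expected = hash_hmac('sha256', $payload, $secret);

    // hash_equals() examines every byte whatever the contents, so its timing does
    // not depend on how many leading bytes match. The known value goes first: when
    // the lengths differ hash_equals() returns false immediately, which only
    // reveals the length of $expected (always 64 hex characters here, so nothing
    // secret).
    return hash_equals($expected, $received);
}

// The comparison hash_equals() replaces. A loop like this (or ==/strcmp()) exits
// at the first mismatching byte, so its running time tells an attacker how long
// the matching prefix was. Shown for contrast only; do not use it for secrets.
function naive_equals(string $a, string $b): bool
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        if ($a[$i] !== $b[$i]) {
            return false; // early exit leaks the position of the first difference
        }
    }
    return true;
}

// Constructed sample data.
$secret  = 'shared-secret-from-config';
$payload = '{"event":"invoice.paid","id":42}';
$good    = hash_hmac('sha256', $payload, $secret);
// Same length as $good but differing in the first character.
$bad     = ($good[0] === 'a' ? 'b' : 'a') . substr($good, 1);

var_dump(verify_webhook_signature($secret, $payload, $good));
var_dump(verify_webhook_signature($secret, $payload, $bad));
var_dump(naive_equals($good, $bad));
```

Two practical notes: hash_equals() accepts only strings, so validate that a value taken from a request header or body is a string before passing it in; and if what you hold is a password hash rather than a raw secret, use password_verify(), which performs the constant-time comparison for you.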
Generating a Secure Random String
Whenever you need to generate a secure random string, you are highly encouraged to use the random_bytes() function:
$random = random_bytes(10);
The function returns a random string, suitable for cryptographic use, of the number of bytes passed as its argument (10 in the example above). If the system provides no source of secure randomness, random_bytes() throws an exception instead of silently falling back to a weaker generator; do not catch that exception and substitute rand() or mt_rand().
Tip
The random_bytes() function returns a binary string which may contain the \0 character and other non-printable bytes. This causes trouble in several common scenarios, such as storing the value in a database text column or including it as part of a URL. The solution is to encode or hash the value returned by random_bytes(), for example with bin2hex() (two hexadecimal characters per byte) or base64_encode() (about four characters per three bytes; note that the standard base64 characters +, / and = must be URL-encoded if the value goes into a URL).
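As an added example that is not part of the Symfony documentation, the block below turns the raw bytes from random_bytes() into the two forms practitioners most often need, hex and unpadded URL-safe base64, and decodes the URL-safe form back again so a token received from a client can be compared against stored bytes. The function names, byte lengths and sample values are my own choices.

```php
<?php
// Added example, not from the Symfony documentation. Shows how to turn the raw
// bytes from random_bytes() into forms that are safe to store in a text column
// or to put in a URL. Function names and lengths below are my own choices.

declare(strict_types=1);

/**
 * Returns $bytes random bytes encoded as lowercase hex (2 characters per byte).
 * Safe for URLs, logs and any text column; no padding, no special characters.
 */
function random_token_hex(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Returns $bytes random bytes as URL-safe base64 (RFC 4648 section 5) without
 * padding: '+' and '/' become '-' and '_', so the value needs no URL encoding.
 */
function random_token_urlsafe(int $bytes = 32): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

/**
 * Decodes a token produced by random_token_urlsafe() back to raw bytes, for
 * example to compare it against a stored value. Returns null on malformed input
 * (strict decoding rejects characters outside the base64 alphabet).
 */
function decode_urlsafe_token(string $token): ?string
{
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $raw = base64_decode($b64, true);
    return $raw === false ? null : $raw;
}

// Constructed demonstration: raw output may contain "\0" and other bytes that
// break naive string handling; the encoded forms do not.
$raw = random_bytes(16);
printf("raw:             %d bytes, all printable: %s\n", strlen($raw), ctype_print($raw) ? 'yes' : 'no');
$hex = random_token_hex(16);
printf("hex:             %s (%d chars)\n", $hex, strlen($hex));
$tok = random_token_urlsafe(16);
printf("url-safe base64: %s (%d chars)\n", $tok, strlen($tok));

$decoded = decode_urlsafe_token($tok);
if ($decoded === null || strlen($decoded) !== 16) {
    throw new RuntimeException('round trip failed');
}
if (decode_urlsafe_token('not*valid*base64') !== null) {
    throw new RuntimeException('malformed input should be rejected');
}
```

When such a token grants access (password reset links, session identifiers), a common hardening step is to store hash('sha256', $raw) instead of the token itself and compare the hash of the presented token with hash_equals(); a leaked database then contains no usable tokens.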
Generating a Secure Random Number
If you need to generate a cryptographically secure random integer, you should use the random_int() function:
$random = random_int(1, 10); // both bounds are inclusive
Unlike rand() and mt_rand(), random_int() draws from the operating system's cryptographically secure generator, and it returns every value in the range with equal probability, so it is the right primitive whenever you need to pick a random element, index or digit for a security purpose.
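The block below is an added example, not code from the Symfony documentation. It goes slightly beyond the single call above by using random_int() for the two things it is most often needed for in practice: building a string from a chosen alphabet without the modulo bias that "one random byte modulo alphabet size" introduces, and producing a fixed-width numeric one-time code that keeps its leading zeros. The alphabet, lengths and function names are my own choices.

```php
<?php
// Added example, not from the Symfony documentation. Builds human-readable
// random strings with random_int(), which picks uniformly from an inclusive
// range. Alphabet, lengths and function names are my own choices.

declare(strict_types=1);

/**
 * Returns a string of $length characters, each drawn uniformly from $alphabet.
 * random_int() returns every value in [0, max] with equal probability, so there
 * is no modulo bias, unlike "ord(random_bytes(1)) % strlen($alphabet)" when 256
 * is not a multiple of the alphabet size.
 */
function random_string(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need a positive length and at least 2 alphabet characters');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Returns a $digits-digit numeric one-time code as a string. Drawing one integer
 * from [0, 10^digits - 1] and zero-padding keeps leading zeros, which would be
 * lost if the integer were used directly.
 */
function random_numeric_code(int $digits = 6): string
{
    if ($digits < 1 || $digits > 18) { // 10^18 still fits in a 64-bit integer
        throw new InvalidArgumentException('digits must be between 1 and 18');
    }
    $max = (10 ** $digits) - 1;
    return str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
}

/**
 * The biased construction random_string() avoids, kept here for contrast only.
 * With a 62-character alphabet, 256 % 62 == 8, so the first 8 characters come
 * up 5 times in 256 draws and the remaining 54 only 4 times each.
 */
function biased_char(string $alphabet): string
{
    return $alphabet[ord(random_bytes(1)) % strlen($alphabet)];
}

$alnum = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
echo random_string(20, $alnum), PHP_EOL;   // e.g. a user-facing reset token
echo random_numeric_code(6), PHP_EOL;      // e.g. an SMS verification code
echo biased_char($alnum), PHP_EOL;         // do not use this one for secrets
```

If you only need raw entropy for a key or a token that will be encoded anyway, random_bytes() is simpler; random_int() earns its place when the output must come from a specific character set or numeric range.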
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.