Securely Generating Random Values
Edit this pageWarning: You are browsing the documentation for Symfony 3.1, which is no longer maintained.
Read the updated version of this page for Symfony 6.1 (the current stable version).
Securely Generating Random Values
The Symfony Security component comes with a collection of nice utilities related to security. These utilities are used by Symfony, but you should also use them if you want to solve the problem they address.
Note
The functions described in this article were introduced in PHP 5.6 or 7. For older PHP versions, a polyfill is provided by the Symfony Polyfill Component.
Comparing Strings
The time it takes to compare two strings depends on their differences. This can be used by an attacker when the two strings represent a password for instance; it is known as a Timing attack.
When comparing two passwords, you should use the hash_equals function:
1 2 3
if (hash_equals($knownString, $userInput)) {
// ...
}Generating a Secure Random String
Whenever you need to generate a secure random string, you are highly encouraged to use the random_bytes function:
1
$random = random_bytes(10);The function returns a random string, suitable for cryptographic use, of the number bytes passed as an argument (10 in the above example).
Tip
The random_bytes() function returns a binary string which may contain
the \0 character. This can cause trouble in several common scenarios,
such as storing this value in a database or including it as part of the
URL. The solution is to encode or hash the value returned by
random_bytes() (to do that, you can use a simple base64_encode()
PHP function).
Generating a Secure Random Number
If you need to generate a cryptographically secure random integer, you should use the random_int function:
1
$random = random_int(1, 10);
