Created
July 6, 2014 08:38
-
-
Save aligundogdu/03bdeb7fb74878561318 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| was just looking into how to solve this same problem, but I also want my function to create a token that can be used for password retrieval as well. This means that I need to limit the ability of the token to be guessed. Because uniqid is based on the time, and according to php.net "the return value is little different from microtime()", uniqid does not meet the criteria. PHP recommends using openssl_random_pseudo_bytes() instead to generate cryptographically secure tokens. | |
| A quick, short and to the point answer is: | |
| bin2hex(openssl_random_pseudo_bytes($bits)) | |
| which will generate a random string of alphanumeric characters of length = $bits * 2. Unfortunately this only has an alphabet of [a-f][0-9], but it works. | |
| Below is the strongest function I could make that satisfies the criteria (This is an implemented version of Erik's answer). | |
| function crypto_rand_secure($min, $max) { | |
| $range = $max - $min; | |
| if ($range < 0) return $min; // not so random... | |
| $log = log($range, 2); | |
| $bytes = (int) ($log / 8) + 1; // length in bytes | |
| $bits = (int) $log + 1; // length in bits | |
| $filter = (int) (1 << $bits) - 1; // set all lower bits to 1 | |
| do { | |
| $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes))); | |
| $rnd = $rnd & $filter; // discard irrelevant bits | |
| } while ($rnd >= $range); | |
| return $min + $rnd; | |
| } | |
| function getToken($length){ | |
| $token = ""; | |
| $codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; | |
| $codeAlphabet.= "abcdefghijklmnopqrstuvwxyz"; | |
| $codeAlphabet.= "0123456789"; | |
| for($i=0;$i<$length;$i++){ | |
| $token .= $codeAlphabet[crypto_rand_secure(0,strlen($codeAlphabet))]; | |
| } | |
| return $token; | |
| } | |
| crypto_rand_secure($min, $max) works as a drop in replacement for rand() or mt_rand. It uses openssl_random_pseudo_bytes to help create a random number between $min and $max. | |
| getToken($length) creates an alphabet to use within the token and then creates a string of length $length. | |
| EDIT: I neglected to cite source - http://us1.php.net/manual/en/function.openssl-random-pseudo-bytes.php#104322 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment