1- Securely Comparing Strings and Generating Random Numbers
2- ========================================================
1+ Securely Generating Random Values
2+ =================================
33
44The Symfony Security component comes with a collection of nice utilities
55related to security. These utilities are used by Symfony, but you should
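Review bot: The new title "Securely Generating Random Values" no longer describes the whole page: the unchanged context at lines 21-22 of the next hunk still documents `StringUtils::equals()` for timing-safe string comparison, and the intro on lines 4-5 still promises "a collection of nice utilities". Either keep the comparison topic in the title (for example "Securely Comparing Strings and Generating Random Values") or move the `StringUtils::equals` section to its own page in the same change, so the title and the retained content agree.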
@@ -21,45 +21,41 @@ algorithm; you can use the same strategy in your own code thanks to the
2121 // is some known string (e.g. password) equal to some user input?
2222 $bool = StringUtils::equals($knownString, $userInput);
2323
24- Generating a Secure random Number
24+ Generating a Secure Random String
2525~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2626
27- Whenever you need to generate a secure random number , you are highly
28- encouraged to use the Symfony
29- :class: ` Symfony \\ Component \\ Security \\ Core \\ Util \\ SecureRandom ` class ::
27+ Whenever you need to generate a secure random string , you are highly
28+ encouraged to use the
29+ :phpfunction: ` random_bytes ` function ::
3030
31- use Symfony\Component\Security\Core\Util\SecureRandom ;
31+ $random = random_bytes(10) ;
3232
33- $generator = new SecureRandom();
34- $random = $generator->nextBytes (10);
33+ The function returns a random string, suitable for cryptographic use, of
34+ the number bytes passed as an argument (10 in the above example).
3535
36- The
37- :method: `Symfony\\ Component\\ Security\\ Core\\ Util\\ SecureRandom::nextBytes `
38- method returns a random string composed of the number of characters passed as
39- an argument (10 in the above example).
36+ .. tip ::
4037
41- The SecureRandom class works better when OpenSSL is installed. But when it's
42- not available, it falls back to an internal algorithm, which needs a seed file
43- to work correctly. Just pass a file name to enable it::
38+ The ``random_bytes() `` function returns a binary string which may contain the
39+ ``\0 `` character. This can cause trouble in several common scenarios, such
40+ as storing this value in a database or including it as part of the URL. The
41+ solution is to encode or hash the value returned by ``random_bytes() `` (to do that, you
42+ can use a simple ``base64_encode() `` PHP function).
4443
45- use Symfony\Component\Security\Core\Util\SecureRandom;
44+ Generating a Secure Random Number
45+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4646
47- $generator = new SecureRandom('/some/path/to/store/the/seed.txt');
47+ If you need to generate a cryptographically secure random integer, you should
48+ use the
49+ :phpfunction: `random_int ` function::
4850
49- $random = $generator->nextBytes(10);
50- $hashedRandom = md5($random); // see tip below
51+ $random = random_int(1, 10);
5152
5253.. note ::
5354
54- If you're using the Symfony Framework, you can get a secure random number
55- generator via the ``security.secure_random `` service.
56-
57- .. tip ::
58-
59- The ``nextBytes() `` method returns a binary string which may contain the
60- ``\0 `` character. This can cause trouble in several common scenarios, such
61- as storing this value in a database or including it as part of the URL. The
62- solution is to hash the value returned by ``nextBytes() `` (to do that, you
63- can use a simple ``md5() `` PHP function).
55+ PHP 7 and up provide the ``random_bytes() `` and ``random_int() `` functions natively,
56+ for older versions of PHP a polyfill is provided by the `Symfony Polyfill Component `_
57+ and the `paragonie/random_compat package `_.
6458
6559.. _`Timing attack` : https://en.wikipedia.org/wiki/Timing_attack
60+ .. _`Symfony Polyfill Component` : https://github.com/symfony/polyfill
61+ .. _`paragonie/random_compat package` : https://github.com/paragonie/random_compat
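Review bot: The tip at lines 38-42 of the new text says the returned bytes can be made safe for "including it as part of the URL" by running them through `base64_encode()`, but standard Base64 output contains `+`, `/` and `=`, none of which are URL-safe; for the URL case recommend `bin2hex()` (hex is safe everywhere and keeps full entropy) or say the Base64 output must additionally be passed through `urlencode()`, otherwise readers will embed `+` in query strings and get it decoded as a space. Also fix the typo on line 34 ("of the number bytes passed" should read "of the number of bytes passed"), say at line 51 that `random_int(1, 10)` returns a value from 1 to 10 inclusive so readers do not apply the usual half-open assumption, and split the comma splice in the note at lines 55-57 ("...natively, for older versions of PHP a polyfill..." reads better as two sentences). Finally, the `Symfony Polyfill Component` link points at the polyfill monorepo; naming the specific package a reader should require would save them a search.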