Today we introduce the cryptographically secure pseudorandom number generator (the CSPRNG extension) in PHP. Generating random numbers is normally very simple with rand() or mt_rand(), but this extension is a random number generator that uses a more complex algorithm. rand() is no longer recommended; mt_rand() is faster and is now the dominant function. The cryptographic pseudorandom number generator is cryptographically secure and slightly slower than mt_rand(). It depends on functions provided by the operating system, which we will cover later.

This extension is already built into PHP 7 and needs no special installation. Versions below PHP 7 require the extension to be installed separately. If the functions described below are missing when you test, check your current PHP version.

Pseudo-random character generation

var_dump(bin2hex(random_bytes(5)));
// string(10) "f28dc2bdd5"
var_dump(random_bytes(5));
// string(5) "���"

random_bytes() returns a different binary string on every call; its argument is the length in bytes. The raw binary data is not printable, so we usually pass it through bin2hex() to get a hexadecimal string we can read. Note that the hexadecimal string is twice as long as the requested length: here we passed 5 and got 10 characters back. The purpose of this function is to generate a secure password salt, key, or initialization vector for us.

Pseudo-random integer generation

var_dump(random_int(100, 999));
var_dump(random_int(-1000, 0));
// int(900)
// int(-791)

Generating integers is even simpler: pass random_int() two arguments, the bounds of the range of random integers. It is used the same way as mt_rand().

Generation source

The source of randomness for the two cryptographic pseudo-random functions above depends on the operating system, as follows:

  • On Windows, the CryptGenRandom() function is used. Since PHP 7.2.0 the CNG-API is used
  • On Linux, the getrandom(2) system call is used
  • On other systems, /dev/urandom is used
  • Otherwise an exception is thrown

Exceptions

Both functions can throw. An exception is thrown if none of the generation sources above is found, and other conditions cause errors as well:

  • If no appropriate source of randomness is found, an exception is thrown
  • If the given argument is invalid, TypeError is raised
  • If the given byte length is invalid, an error is raised

Conclusion

random_bytes() can be used to generate a random salt. The random character generator function (generateSalt) in "How to safely 'salt' your password?" can basically be replaced with it. Hopefully this was rewarding. Learning never stops, so let's keep exploring more interesting content together!
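
An added example (not part of the original article or its test code): a hypothetical generateSalt() built on random_bytes(), a randomString() helper built on random_int(), and a loop over constructed inputs that triggers the error cases listed earlier. The function names and sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the article's own test code.

// Hypothetical generateSalt(): $bytes CSPRNG bytes, hex-encoded (2 * $bytes characters).
function generateSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Random string over a custom alphabet. random_int() picks each index
// uniformly, which avoids the modulo bias of "ord($byte) % $n".
function randomString(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Constructed inputs: two normal calls, then one call per failure mode.
$cases = [
    'valid salt'      => function () { return generateSalt(16); },
    'valid string'    => function () { return randomString(12, 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'); },
    'zero length'     => function () { return random_bytes(0); },
    'min > max'       => function () { return random_int(10, 1); },
    'non-numeric arg' => function () { return random_bytes('five'); },
];

foreach ($cases as $name => $case) {
    try {
        printf("%-16s ok: %s\n", $name, $case());
    } catch (\TypeError $e) {
        // Argument of the wrong type.
        printf("%-16s TypeError: %s\n", $name, $e->getMessage());
    } catch (\Error $e) {
        // Invalid length or range (Error in PHP 7, ValueError in PHP 8).
        printf("%-16s %s: %s\n", $name, get_class($e), $e->getMessage());
    } catch (\Exception $e) {
        // No usable randomness source: fail closed, never fall back to mt_rand().
        printf("%-16s %s: %s\n", $name, get_class($e), $e->getMessage());
        throw $e;
    }
}
```

TypeError is caught before Error because it is a subclass of Error; reversing the order would hide the distinction.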

Test code:

Github.com/zhangyue050…

Reference Documents:

www.php.net/manual/zh/b…