Secure Random Number Generation in PHP: A Comprehensive Overview
Cryptography often requires unpredictable random numbers. In PHP, the "mt_rand" function does not meet this requirement. This article describes a secure way to generate random numbers in PHP itself, for uses such as the forgotten-password flow.
The initially proposed solution involves storing a seed and updating it with each call, as follows:
    result = seed
    seed = sha512(seed . mt_rand())
However, this approach has significant drawbacks. The sha512 function does not magically enhance entropy, and the "mt_rand" call is insufficient to thwart an adversary. Instead, use the entropy sources provided by modern operating systems: /dev/urandom on Unix-like systems and, on Windows, the CAPICOM GetRandom utility reached through COM.
Here's a PHP code snippet to generate a secure 128-bit random string:
    $pr_bits = '';

    if (file_exists("/dev/urandom")) {
        // Unix-like platform: read 16 bytes (128 bits) from the kernel generator
        $fp = fopen('/dev/urandom', 'rb');
        if ($fp !== FALSE) {
            $pr_bits .= fread($fp, 16);
            fclose($fp);
        }
    } elseif (class_exists('COM')) {
        // Windows platform: ask CAPICOM for 16 random bytes
        try {
            $CAPI_Util = new COM('CAPICOM.Utilities.1');
            $pr_bits .= $CAPI_Util->GetRandom(16, 0);
            // Hash the returned string down to 16 raw bytes
            if ($pr_bits) {
                $pr_bits = md5($pr_bits, TRUE);
            }
        } catch (Exception $ex) {
            // echo 'Exception: ' . $ex->getMessage();
        }
    }

    if (strlen($pr_bits) < 16) {
        // Inform the administrator of the missing pseudorandom generator
    }
Remember to include both entropy source attempts in your code for maximum portability. While this method may not be foolproof, it offers a significant improvement in security compared to the initial seed-based approach.
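The following added example (not part of the original article) applies the same idea to the forgotten-password case: it draws 128 bits from the operating system's generator and refuses to issue a token when no such source is available. random_bytes() is PHP's built-in CSPRNG interface since PHP 7 and is not mentioned in the article; the function names, the 15-minute lifetime and the hashed-storage scheme are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical. Written to run on PHP 5.6+.

// Return $len bytes from the OS CSPRNG, or throw so the caller fails closed.
function secure_bytes($len)
{
    if (function_exists('random_bytes')) {     // built in since PHP 7
        return random_bytes($len);
    }
    $fp = @fopen('/dev/urandom', 'rb');        // source used in the article
    if ($fp !== false) {
        stream_set_read_buffer($fp, 0);        // avoid buffering extra bytes
        $buf = fread($fp, $len);
        fclose($fp);
        if ($buf !== false && strlen($buf) === $len) {
            return $buf;
        }
    }
    throw new RuntimeException('No secure random source available');
}

// The user receives the token; the server stores only its hash and expiry.
function issue_reset_token($ttl = 900)
{
    $token = bin2hex(secure_bytes(16));        // 128 bits, as in the article
    $record = array('hash' => hash('sha256', $token), 'expires' => time() + $ttl);
    return array('token' => $token, 'record' => $record);
}

// Reject expired records, then compare hashes in constant time.
function verify_reset_token($presented, array $record, $now = null)
{
    $now = ($now === null) ? time() : $now;
    if (!is_string($presented) || $now > $record['expires']) {
        return false;
    }
    return hash_equals($record['hash'], hash('sha256', $presented));
}

// Constructed demonstration: a valid token, a guessed token, an expired token.
$issued = issue_reset_token();
var_dump(verify_reset_token($issued['token'], $issued['record']));
var_dump(verify_reset_token(str_repeat('0', 32), $issued['record']));
var_dump(verify_reset_token($issued['token'], $issued['record'], time() + 3600));
```

Storing only the SHA-256 of the token means a leaked reset table does not hand out usable tokens, and throwing instead of falling back to mt_rand keeps a missing entropy source from silently weakening the reset flow.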