-
-
Notifications
You must be signed in to change notification settings - Fork 5.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
28 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,47 +1,48 @@ | ||
Securely Generating Random Numbers | ||
Securely Generating Random Strings | ||
================================== | ||
|
||
The Symfony Security component comes with a collection of nice utilities | ||
related to security. These utilities are used by Symfony, but you should | ||
also use them if you want to solve the problem they address. | ||
|
||
Generating a Secure random Number | ||
Generating a Secure Random String | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
Whenever you need to generate a secure random number, you are highly | ||
encouraged to use the Symfony | ||
:class:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom` class:: | ||
Whenever you need to generate a secure random string, you are highly | ||
encouraged to use the | ||
:phpfunction:`random_bytes` function:: | ||
|
||
use Symfony\Component\Security\Core\Util\SecureRandom; | ||
$random = random_bytes(10); | ||
|
||
$generator = new SecureRandom(); | ||
$random = $generator->nextBytes(10); | ||
The function returns a random string, suitable for cryptographic use, of | ||
the number bytes passed as an argument (10 in the above example). | ||
|
||
The | ||
:method:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom::nextBytes` | ||
method returns a random string composed of the number of characters passed as | ||
an argument (10 in the above example). | ||
.. tip:: | ||
|
||
The SecureRandom class works better when OpenSSL is installed. But when it's | ||
not available, it falls back to an internal algorithm, which needs a seed file | ||
to work correctly. Just pass a file name to enable it:: | ||
The ``random_bytes()`` function returns a binary string which may contain the | ||
``\0`` character. This can cause trouble in several common scenarios, such | ||
as storing this value in a database or including it as part of the URL. The | ||
solution is to hash the value returned by ``random_bytes()`` (to do that, you | ||
can use a simple ``md5()`` PHP function). | ||
|
||
use Symfony\Component\Security\Core\Util\SecureRandom; | ||
Generating a Secure Random Number | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
$generator = new SecureRandom('/some/path/to/store/the/seed.txt'); | ||
If you need to generate a cryptographically secure random integer, you should | ||
use the | ||
:phpfunction:`random_int` function:: | ||
|
||
$random = $generator->nextBytes(10); | ||
$hashedRandom = md5($random); // see tip below | ||
$random = random_int(1, 10); | ||
|
||
.. note:: | ||
|
||
If you're using the Symfony Framework, you can get a secure random number | ||
generator via the ``security.secure_random`` service. | ||
PHP 7 and up provide the ``random_bytes()`` and ``random_int()`` functions natively, | ||
for older versions of PHP a polyfill is provided by the `Symfony Polyfill Component`_ | ||
and the `paragonie/random_compat package`_. | ||
|
||
.. tip:: | ||
.. versionadded:: 2.8 | ||
|
||
The ``nextBytes()`` method returns a binary string which may contain the | ||
``\0`` character. This can cause trouble in several common scenarios, such | ||
as storing this value in a database or including it as part of the URL. The | ||
solution is to hash the value returned by ``nextBytes()`` (to do that, you | ||
can use a simple ``md5()`` PHP function). | ||
The `paragonie/random_compat package`_ was added as a dependancy of the Symfony Security Component in 2.8. You will need to manually require the package as a dependancy of your project in versions of Symfony prior to 2.8. | ||
|
||
.. _`Symfony Polyfill Component`: https://github.com/symfony/polyfill | ||
.. _`paragonie/random_compat package`: https://github.com/paragonie/random_compat |