Random numbers and bytes with PHP7
Playing
01. Random numbers and bytes with PHP7

Episodes

0%
Your progress
  • Total: 5m
  • Played: 0m
  • Remaining: 5m
Join or sign in to track your progress

Transcript

00:00
It feels like we've covered random generation of numbers and strings again and again, and that is true. But the reason for this is that we can't and shouldn't rely on using functions like RAND to perhaps generate a random number, or use something like, say, MD5 to generate a random string. In one video I've covered using the OpenSSL random pseudobytes function,
00:27
and another video showed a package called randomlib. Now either solution is fine, but PHP 7 has introduced two new functions to create cryptographically secure random numbers and bytes. Okay, so before we start looking at these two new functions, why shouldn't we use something like OpenSSL random pseudobytes? Well, there's nothing actually wrong with using this, but for example, if you don't have the OpenSSL extension installed or enabled within your PHP installation,
01:02
it simply will not work. This function will say, this doesn't exist. So this might be fine if you know your environment, but when it comes to transferring your project around to different environments, you might run into trouble. There's also the possibility that this won't generate cryptographically secure bytes, which is fine because we can check this. So if you look here, we have this boolean that's returned, whether it has or hasn't generated cryptographically secure data.
01:36
Or rather, it indicates if a cryptographically strong algorithm was used. So we could check this, but again, it's just unnecessary effort. Now, these two new functions that have been introduced are as follows. We have random int and we have random bytes.
01:56
Now, random int will take a minimum and a maximum value and simply generate an integer for you. And you can see a possible use case here in the docs. So for example, suitable for use where unbiased results are critical, such as when shuffling a deck of cards for a poker game. So in this case, using rand won't be enough.
02:18
If we were to say 1 to 52, this is not enough for that use case. And of course, this might not be for everyone, but there are other uses for this. So let's just have a quick look at this. It's pretty straightforward, but if you do have PHP 7 installed, you'll just want to echo the result or store the result of the random int function.
02:41
And again, we can pass in two numbers here. And this will cryptographically securely or rather generate a number for you. Now, how does this work? Well, if we just take a look at the docs on Windows, this will use CryptGenRandom.
02:58
On Linux, the GetRandomSyscall will be used if available. And on other platforms, DevViewRandom will be used. Now, the most important thing, and this goes for random bytes in a minute, which we'll take a look at. If none of them are available, an exception will be thrown.
03:15
So you can catch that exception and then handle it gracefully. So the more useful and more interesting function we want to take a look at is random bytes. Now, we often, for whatever reason, need to generate a random string, perhaps to include in a password reset URL we send to a user just so we can identify something
03:37
or we use it for things like salting. So let's take a look at how we use this. And then we'll talk a little bit about why we might not use this. So we obviously want to echo the result of random bytes.
03:52
And the reason it's random bytes is important because this won't give you an actual string. So let's do 255 here and see what result we get. So you can see here these are random bytes. It's not a string.
04:03
At least it's not something that we can actually read. So the option here is to use bin to hex or binary to hex. And that will actually give us the string just out here. You can see it's a pretty long string randomly generated.
04:19
So you can see here there's no real speed impact because we're using system functionality to generate this. And we now have a cryptographically secure randomly generated string. So this is much like you'd find using OpenSSL random pseudo bytes
04:36
using an external dependency like RandomLib. And if you're not sure what RandomLib is, we have a series on that. So you can go ahead and check that out. And that's also perfectly acceptable to use.
04:47
So we've now learned about two new PHP 7 functions that make it incredibly easy to just generate this data without even having to think about it. And this is pretty similar to the password hashing API that was introduced within PHP. This makes generating passwords a lot easier and a lot more secure.
05:07
So just a side note in terms of using these two functions in terms of security, if you're looking to generate passwords, please make sure you do actually use the PHP password hashing API. I know we said for random bytes, we can use this for salting.
05:23
However, it's a lot better to use the PHP password hashing API rather than attempt to do anything yourself. Now we have a series on this if you've not heard of it before. So you can go ahead and check that out.
05:36
So as always, make sure you refer back to the documentation when dealing with any security related functions just to keep up to date with any changes and warnings. Have fun.

Episode summary

In this episode, we dive into generating random numbers and strings in PHP—something that's always important, especially when you need things to be secure (think passwords, tokens, or shuffling cards for a game). Up until PHP 7, people often used things like rand() or even md5() to try and get "random" values, but those aren't cryptographically secure and aren't really safe enough for serious use.

Previously, you might have reached for OpenSSL's openssl_random_pseudo_bytes() or third-party packages like RandomLib. The problem is, they can be a pain to use if the right PHP extensions aren't installed, or if you want your code to run everywhere without extra work.

Thankfully, PHP 7 introduced two handy new functions: random_int() and random_bytes(). We walk through how these work, why they're better, and how they make things so much easier. random_int() gives you a securely generated random integer between two values—great for use cases like shuffling a deck of cards. random_bytes() lets you grab any number of securely random bytes, which you can then convert into a readable format with bin2hex() for things like API tokens or unique file names.

We also chat about how these functions work under the hood and what happens if they aren't supported on your system. Plus, there's a reminder to always use the PHP password hashing API if you're dealing with real user passwords, and to keep an eye on documentation for security best practices. It's a practical, code-filled episode that will help you write more secure PHP 7 apps without any third-party fuss!

Episode discussion

No comments, yet. Be the first!