intelogie / random_compat
PHP 5.x polyfill for random_bytes() and random_int() from PHP 7
Requires
- php: >=5.2.0
Requires (Dev)
- phpunit/phpunit: 4.*|5.*
Suggests
- ext-libsodium: Provides a modern crypto API that can be used to generate random bytes.
- dev-master
- v2.0.2
- v2.0.1
- v2.0.0
- v1.x-dev
- v1.4.1
- v1.4.0
- v1.3.1
- v1.3.0
- 1.2.x-dev
- v1.2.3
- v1.2.2
- v1.2.1
- v1.2.0
- 1.1.6
- 1.1.5
- 1.1.4
- 1.1.3
- 1.1.2
- 1.1.1
- 1.1.0
- 1.0.10
- 1.0.9
- 1.0.8
- 1.0.7
- 1.0.6
- 1.0.5
- 1.0.4
- 1.0.3
- 1.0.2
- v1.0.1
- v1.0.0
- v0.9.7
- 0.9.5
- 0.9.4
- 0.9.3
- 0.9.2
- 0.9.1
- 0.9.0
- dev-github-issue-tpl
- dev-without-openssl
- dev-exceptional
This package is auto-updated.
Last update: 2024-10-29 04:09:15 UTC
README
PHP 5.x polyfill for random_bytes()
and random_int()
created and maintained
by Paragon Initiative Enterprises.
Although this library should function in earlier versions of PHP, we will only consider issues relevant to supported PHP versions. If you are using an unsupported version of PHP, please upgrade as soon as possible.
Important
Although this library has been examined by some security experts in the PHP community, there will always be a chance that we overlooked something. Please ask your favorite trusted hackers to hammer it for implementation errors and bugs before even thinking about deploying it in production.
Do not use the master branch, use a stable release.
For the background of this library, please refer to our blog post on Generating Random Integers and Strings in PHP.
Usability Notice
If PHP cannot safely generate random data, this library will throw an Exception
.
It will never fall back to insecure random data. If this keeps happening, upgrade
to a newer version of PHP immediately.
Installing
With Composer:
composer require paragonie/random_compat
Signed PHP Archive:
As of version 1.2.0, we also ship an ECDSA-signed PHP Archive with each stable release on Github.
- Download the
.phar
,.phar.pubkey
, and.phar.pubkey.asc
files. - (Recommended but not required) Verify the PGP signature of
.phar.pubkey
(contained within the.asc
file) using the PGP public key for Paragon Initiative Enterprises. - Extract both
.phar
and.phar.pubkey
files to the same directory. require_once "/path/to/random_compat.phar";
- When a new version is released, you only need to replace the
.phar
file; the.pubkey
will not change (unless our signing key is ever compromised).
Manual Installation:
- Download a stable release.
- Extract the files into your project.
require_once "/path/to/random_compat/lib/random.php";
Usage
This library exposes the CSPRNG functions added in PHP 7 for use in PHP 5 projects. Their behavior should be identical.
Generate a string of random bytes
try { $string = random_bytes(32); } catch (TypeError $e) { // Well, it's an integer, so this IS unexpected. die("An unexpected error has occurred"); } catch (Error $e) { // This is also unexpected because 32 is a reasonable integer. die("An unexpected error has occurred"); } catch (Exception $e) { // If you get this message, the CSPRNG failed hard. die("Could not generate a random string. Is our OS secure?"); } var_dump(bin2hex($string)); // string(64) "5787c41ae124b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2eeac6f"
Generate a random integer between two given integers (inclusive)
try { $int = random_int(0, 255); } catch (TypeError $e) { // Well, it's an integer, so this IS unexpected. die("An unexpected error has occurred"); } catch (Error $e) { // This is also unexpected because 0 and 255 are both reasonable integers. die("An unexpected error has occurred"); } catch (Exception $e) { // If you get this message, the CSPRNG failed hard. die("Could not generate a random int. Is our OS secure?"); } var_dump($int); // int(47)
Exception handling
When handling exceptions and errors you must account for differences between PHP 5 and PHP7.
The differences:
- Catching
Error
works, so long as it is caught beforeException
. - Catching
Exception
has different behavior, without previously catchingError
. - There is no portable way to catch all errors/exceptions.
Our recommendation
Always catch Error
before Exception
.
Example
try { return random_int(1, $userInput); } catch (TypeError $e) { // This is okay, so long as `Error` is caught before `Exception`. throw new Exception('Please enter a number!'); } catch (Error $e) { // This is required, if you do not need to do anything just rethrow. throw $e; } catch (Exception $e) { // This is optional and maybe omitted if you do not want to handle errors // during generation. throw new InternalServerErrorException( 'Oops, our server is bust and cannot generate any random data.', 500, $e ); }
Troubleshooting
Exception: "Could not gather sufficient random data"
If an Exception is thrown, then your operating system is not secure.
- If you're on Windows, make sure you enable mcrypt.
- If you're on any other OS, make sure
/dev/urandom
is readable.- FreeBSD jails need to expose
/dev/urandom
from the host OS - If you use
open_basedir
, make sure/dev/urandom
is allowed
- FreeBSD jails need to expose
This library does not (and will not accept any patches to) fall back to an insecure random number generator.
Contributors
This project would not be anywhere near as excellent as it is today if it weren't for the contributions of the following individuals:
- @AndrewCarterUK (Andrew Carter)
- @asgrim (James Titcumb)
- @bcremer (Benjamin Cremer)
- @CodesInChaos (Christian Winnerlein)
- @chriscct7 (Chris Christoff)
- @cs278 (Chris Smith)
- @cweagans (Cameron Eagans)
- @dd32 (Dion Hulse)
- @geggleto (Glenn Eggleton)
- @ircmaxell (Anthony Ferrara)
- @jedisct1 (Frank Denis)
- @juliangut (Julián Gutiérrez)
- @kelunik (Niklas Keller)
- @lt (Leigh)
- @MasonM (Mason Malone)
- @mmeyer2k (Michael M)
- @narfbg (Andrey Andreev)
- @nicolas-grekas (Nicolas Grekas)
- @oittaa
- @oucil (Kevin Farley)
- @redragonx (Stephen Chavez)
- @rchouinard (Ryan Chouinard)
- @SammyK (Sammy Kaye Powers)
- @scottchiefbaker (Scott Baker)
- @skyosev (Stoyan Kyosev)
- @stof (Christophe Coevoet)
- @teohhanhui (Teoh Han Hui)
- @tom-- (Tom Worster)
- @tsyr2ko
- @trowski (Aaron Piotrowski)
- @twistor (Chris Lepannen)
- @voku (Lars Moelleken)
- @xabbuh (Christian Flothmann)