On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster <f...@thefsb.org> wrote:
>
> 1. /dev/random and /dev/urandom are unavailable on Windows and
> cannot be fopen()'ed in safe mode on *nix/nux

Safe mode has been deprecated for two and a half years. Adding features to
work around its limitations is (IMO) a bad idea.
Can't argue with it being unavailable on Windows.

>
>
> 2. openssl_random_pseudo_bytes() requires openssl extension
> installed and enabled. Most of the popular AMP packages for
> Windows fail on this count. Many shared web hosts don't have it
> either.

As far as I remember, WAMP Server (arguably the most popular AMP package
for Windows) does include openssl support. It's simply disabled by default
like everything else! Some quick googling seems to confirm this.

Some more googling confirms XAMPP also includes OpenSSL out of the box.

>
>
> 3. mcrypt_create_iv() depends on mcrypt extension and so suffers
> similar problems as openssl

mcrypt again comes with both WAMP and XAMPP servers, but disabled by
default.


> 4. Another method is to set runtime config param
> session.entropy_length followed by @session_start();
> session_regenerate_id(); after which session_id() will return a
> CS random string, but this is also foiled by safe mode.

This is obviously not a solution, even if it worked... ;)

>
>
> 5. On Windows you could try COM('CAPICOM.Utilities.1')->GetRandom
> but that API is obsolescent and not in many default Windows
> installs.

I can't speak for Windows-specific APIs, so I'm going to ignore the rest!

It seems that the two preferable cross-platform options (openssl and
mcrypt) are already both widely available on all platforms. I'm not sure I
see the need, to be honest.

Kiall
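
Whether the sources listed in this thread are actually usable on a given host can be checked at runtime. The following is an added example, not code from the thread or from PHP itself: the function name cs_random_bytes() is hypothetical, and it tries the thread's sources in order, failing closed instead of dropping to a non-cryptographic generator.

```php
<?php
// Added example; cs_random_bytes() is a hypothetical helper, not a PHP built-in.
// Returns array(bytes, source name) or throws if no secure source is usable.
function cs_random_bytes($length)
{
    // PHP 7+ ships random_bytes() in core (the thread predates it).
    if (function_exists('random_bytes')) {
        return array(random_bytes($length), 'random_bytes');
    }
    // openssl extension: accept output only if OpenSSL flags it as strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return array($bytes, 'openssl');
        }
    }
    // mcrypt extension: only present where it is installed and enabled.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return array($bytes, 'mcrypt');
        }
    }
    // Direct read of the kernel device on *nix; absent on Windows.
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh !== false) {
        stream_set_read_buffer($fh, 0); // do not drain a full buffer for a few bytes
        $bytes = fread($fh, $length);
        fclose($fh);
        if ($bytes !== false && strlen($bytes) === $length) {
            return array($bytes, '/dev/urandom');
        }
    }
    // Fail closed: never fall back to mt_rand() or uniqid() for secrets.
    throw new RuntimeException('No cryptographically secure random source available');
}

list($token, $source) = cs_random_bytes(16);
echo $source, ': ', bin2hex($token), "\n";
```

The printed source name shows which branch served the request on the host, which is the quickest way to confirm whether openssl or mcrypt is enabled there.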
