Hi all,

I just want to throw a quick thought in here:

The password API proposal includes a function called
password_make_salt(), that basically creates a random string, either
in raw binary form, or in the bcrypt salt format. Personally I don't
see much use for the function in the salt context as the password API
already generates the salt all by itself, but I do see a lot of use
for a random string function in general. People commonly want to
create random strings according to some format. Like CSRF tokens, ids,
etc.

So my thought was to drop password_make_salt() and instead add some
kind of generalized random_string() function:

    // this is a 20 byte random binary string
    $str = random_string(20);

    // ten random hex characters
    $str = random_string(10, "0123456789ABCDEF");

    // 15 characters from the bcrypt alphabet 0-9a-zA-Z./
    $str = random_string(15,
        "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./");

    // if it's not too hard to implement, one could support this kind of shortcut:
    $str = random_string(15, "0-9a-zA-Z./");

Thoughts?

Nikita

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
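
A userland sketch of the random_string() function proposed in the message above, as an added example that is not part of the original post or of any PHP patch. It assumes PHP 7 or later for random_bytes() and random_int(); expand_alphabet() is a hypothetical helper for the range shortcut, and applying it to every alphabet means a '-' between two characters is always read as a range.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: expands "a-z" style ranges into a literal alphabet.
// A '-' between two characters marks a range; a leading or trailing '-' is literal.
function expand_alphabet(string $spec): string
{
    $out = '';
    $n = strlen($spec);
    for ($i = 0; $i < $n; $i++) {
        if ($i + 2 < $n && $spec[$i + 1] === '-') {
            $lo = ord($spec[$i]);
            $hi = ord($spec[$i + 2]);
            if ($lo > $hi) {
                throw new InvalidArgumentException('Reversed range in alphabet');
            }
            $out .= implode('', array_map('chr', range($lo, $hi)));
            $i += 2;
        } else {
            $out .= $spec[$i];
        }
    }
    // Drop duplicates: a repeated character would be picked more often.
    return implode('', array_unique(str_split($out)));
}

// Sketch of the proposed function; without an alphabet it returns raw bytes.
function random_string(int $length, ?string $alphabet = null): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be positive');
    }
    if ($alphabet === null) {
        return random_bytes($length);
    }
    $chars = expand_alphabet($alphabet);
    $max = strlen($chars) - 1;
    if ($max < 1) {
        throw new InvalidArgumentException('Need at least two distinct characters');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is CSPRNG-backed and uniform over [0, $max], so alphabet
        // sizes that are not a power of two do not introduce modulo bias.
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

var_dump(bin2hex(random_string(20)), random_string(10, '0123456789ABCDEF'), random_string(15, '0-9a-zA-Z./'));
```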
