I like the concept in principle. But implementing it is non-trivial. First, you need a base-conversion function that will allow you to convert between arbitrary bases (base_convert() won't work, because it only works on fixed bases, and on numbers < INT_MAX)... Here's a utility class that does just that: https://github.com/ircmaxell/PHP-CryptLib/blob/master/lib/CryptLib/Core/BaseConverter.php
It works on arrays internally, since they are easier to work with in PHP, but in C I would make it work with a char* array instead...

As far as the implementation itself, I would also add a third parameter for crypto_safe. We could take mcrypt_create_iv's approach, and use DEV constants:

    // Crypto Secure
    random_string(24, "chars", DEV_RANDOM);
    // Crypto Strong, But Not Secure
    random_string(24, "chars", DEV_URANDOM);
    // Non-Crypto
    random_string(24, "chars", DEV_RAND);

Having it default to DEV_RAND...

If this is something that's desired, I can update the password implementation to include this change (since it depends on a function like this internally)...

Anthony

On Mon, Jul 16, 2012 at 9:58 AM, Andrew Faulds <ajf...@googlemail.com> wrote:

> This sounds very useful. To make it easier to use, why not also add
> some string constants, something like CHARS_HEX, CHARS_BASE64,
> CHARS_DECIMAL, etc? Then you could just do `random_string(24,
> CHARS_HEX);` to get a 24-char hex string.
>
> On 16 July 2012 14:54, Nikita Popov <nikita....@gmail.com> wrote:
> > Hi all,
> >
> > I just want to throw a quick thought in here:
> >
> > The password API proposal includes a function called
> > password_make_salt(), that basically creates a random string, either
> > in raw binary form, or in the bcrypt salt format. Personally I don't
> > see much use for the function in the salt context as the password API
> > already generates the salt all by itself, but I do see a lot of use
> > for a random string function in general. People commonly want to
> > create random strings according to some format. Like CSRF tokens, ids,
> > etc.
> >
> > So my thought was to drop password_make_salt() and instead add some
> > kind of generalized random_string() function:
> >
> >     // this is a 20 byte random binary string
> >     $str = random_string(20);
> >
> >     // ten random hex characters
> >     $str = random_string(10, "0123456789ABCDEF");
> >
> >     // 15 characters from the bcrypt alphabet 0-9a-zA-Z./
> >     $str = random_string(15,
> >         "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./");
> >
> >     // if it's not too hard to implement, one could support this kind of shortcut:
> >     $str = random_string(15, "0-9a-zA-Z./");
> >
> > Thoughts?
> >
> > Nikita
>
> --
> Andrew Faulds (AJF)
> http://ajf.me/
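
Added example, not part of the original thread or of the password API patch: a userland PHP sketch of the random_string(length, alphabet) idea discussed above, drawing from the CSPRNG and using rejection sampling so that an alphabet whose size is not a power of two (ten digits, for instance) is not skewed by a modulo. It assumes PHP 7+ for random_bytes(); the function body and error handling are illustrative assumptions, and the proposed third parameter for choosing the random source is left out.

```php
<?php
declare(strict_types=1);

// Illustrative sketch only: the name and first two parameters follow the
// thread; everything else is an assumption. Requires PHP 7+ (random_bytes).
function random_string(int $length, ?string $alphabet = null): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    if ($alphabet === null) {
        return random_bytes($length);            // raw binary form
    }
    $chars = str_split($alphabet);               // single-byte characters only
    $n = count($chars);
    if ($n < 2 || $n > 256 || $n !== count(array_unique($chars))) {
        // Repeated characters would be drawn more often than the others.
        throw new InvalidArgumentException('alphabet needs 2..256 distinct bytes');
    }
    // Smallest all-ones mask covering indexes 0..$n-1 (n=10 -> 0x0F).
    $mask = 1;
    while ($mask < $n - 1) {
        $mask = ($mask << 1) | 1;
    }
    $out = '';
    while (strlen($out) < $length) {
        // Ask for spare bytes so rejections rarely force another read.
        foreach (unpack('C*', random_bytes(2 * $length)) as $byte) {
            $idx = $byte & $mask;
            if ($idx >= $n) {
                continue;   // reject; "$byte % $n" here would favour low indexes
            }
            $out .= $chars[$idx];
            if (strlen($out) === $length) {
                break;
            }
        }
    }
    return $out;
}

// Constructed sample calls mirroring the ones in the thread.
echo random_string(10, '0123456789ABCDEF'), "\n";   // mask fits exactly
echo random_string(24, '0123456789'), "\n";         // 6 of 16 values rejected
echo bin2hex(random_string(20)), "\n";              // 20 raw bytes, shown as hex
```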