I like the concept in principle. But implementing it is non-trivial.

First, you need a base-conversion function that will allow you to convert
between arbitrary bases (base_convert() won't work, because it only works
on fixed bases, and on numbers < INT_MAX)... Here's a utility class that
does just that:
https://github.com/ircmaxell/PHP-CryptLib/blob/master/lib/CryptLib/Core/BaseConverter.php

It works on arrays internally, since they are easier to work with in PHP,
but in C I would make it work with a char* array instead...

As far as the implementation itself, I would also add a third parameter for
crypto_safe. We could take mcrypt_create_iv's approach, and use DEV
constants:

// Crypto Secure
random_string(24, "chars", DEV_RANDOM);

// Crypto Strong, But Not Secure
random_string(24, "chars", DEV_URANDOM);

// Non-Crypto
random_string(24, "chars", DEV_RAND);

Having it default to DEV_RAND...



If this is something that's desired, I can update the password
implementation to include this change (since it depends on a function like
this internally)...

Anthony

On Mon, Jul 16, 2012 at 9:58 AM, Andrew Faulds <ajf...@googlemail.com> wrote:

> This sounds very useful. To make it easier to use, why not also add
> some string constants, something like CHARS_HEX, CHARS_BASE64,
> CHARS_DECIMAL, etc? Then you could just do `random_string(24,
> CHARS_HEX);` to get a 24-char hex string.
>
> On 16 July 2012 14:54, Nikita Popov <nikita....@gmail.com> wrote:
> > Hi all,
> >
> > I just want to throw a quick thought in here:
> >
> > The password API proposal includes a function called
> > password_make_salt(), that basically creates a random string, either
> > in raw binary form, or in the bcrypt salt format. Personally I don't
> > see much use for the function in the salt context as the password API
> > already generates the salt all by itself, but I do see a lot of use
> > for a random string function in general. People commonly want to
> > create random strings according to some format. Like CSRF tokens, ids,
> > etc.
> >
> > So my thought was to drop password_make_salt() and instead add some
> > kind of generalized random_string() function:
> >
> >     // this is a 20 byte random binary string
> >     $str = random_string(20);
> >
> >     // ten random hex characters
> >     $str = random_string(10, "0123456789ABCDEF");
> >
> >     // 15 characters from the bcrypt alphabet 0-9a-zA-Z./
> >     $str = random_string(15,
> > "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./");
> >
> >     // if it's not too hard to implement, one could support this kind
> > of shortcut:
> >     $str = random_string(15, "0-9a-zA-Z./");
> >
> > Thoughts?
> >
> > Nikita
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
>
> --
> Andrew Faulds (AJF)
> http://ajf.me/
>
>
>
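As an added illustration (not code from anyone in this thread), here is a userland sketch of the proposed random_string($length, $chars) including Nikita's "0-9a-zA-Z./" range shortcut. It assumes PHP 7+ for random_int() and random_bytes(); the helper name expand_ranges is made up for this example.

```php
<?php
// Added example, not from the thread. random_int() draws from the OS
// CSPRNG and rejects out-of-range values, so an index in [0, n-1] is
// uniform with no modulo bias. This sidesteps the arbitrary-base
// conversion Anthony mentions: turning a uniform integer in [0, 256^m)
// into base-k digits is only uniform when k^length divides 256^m
// (fine for hex or the 64-char bcrypt alphabet, biased for base 10).

function expand_ranges(string $spec): string {
    // Expand "a-z" style ranges; a '-' at the start or end is literal.
    $out = '';
    $len = strlen($spec);
    for ($i = 0; $i < $len; $i++) {
        if ($i + 2 < $len && $spec[$i + 1] === '-') {
            $lo = ord($spec[$i]);
            $hi = ord($spec[$i + 2]);
            if ($lo > $hi) {
                throw new InvalidArgumentException("bad range in alphabet spec");
            }
            for ($c = $lo; $c <= $hi; $c++) {
                $out .= chr($c);
            }
            $i += 2;
        } else {
            $out .= $spec[$i];
        }
    }
    return count_chars($out, 3); // unique characters only, sorted by byte
}

function random_string(int $length, ?string $chars = null): string {
    if ($length < 0) {
        throw new InvalidArgumentException("length must be >= 0");
    }
    if ($chars === null) {
        return random_bytes($length); // raw binary, Nikita's first case
    }
    $alphabet = expand_ranges($chars);
    $n = strlen($alphabet);
    if ($n < 2) {
        throw new InvalidArgumentException("alphabet needs at least 2 distinct characters");
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $n - 1)];
    }
    return $out;
}

// Usage matching the thread's examples:
$hex    = random_string(10, "0-9A-F");
$bcrypt = random_string(15, "0-9a-zA-Z./");
assert(strlen($bcrypt) === 15 && strspn($bcrypt, expand_ranges("0-9a-zA-Z./")) === 15);
```

Duplicated characters in the spec are collapsed before sampling; otherwise a repeated character would be drawn more often than the rest.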
