On 2/26/15, 12:59 AM, "Sammy Kaye Powers" <m...@sammyk.me> wrote:
>I don't know why everyone says the internals list is so scary - you guys
>are great! :)

Clearly php-internals participants are all very fine people. I am nevertheless scared brickless of php-internals, which is not the same thing ;)

>I actually started down this RFC path out of frustration on this very
>point of needing secure random alphanumeric strings. The original RFC &
>patch contained a `random_hex()` function that would convert bytes from
>the CSPRNG into hex.

bin2hex(random_bytes(8)) is so easy I don't think a new shorthand function is worth it.

>The use case that I have seen most needed in user-land is in fact for
>random alphanumeric strings so that they can generate CSRF tokens. Every
>CRUD app could be affected by this. So I'm still +1 for having a built-in
>function to get back arbitrary alphanumeric strings. But this can be done
>with `bin2hex(random_bytes(16))` or `base64_encode(random_bytes(16))` so
>I won't fight it too much. :)

Using a 64-character alphabet is a bit more involved and is needed so often that we put it in Yii2's security class. base64 actually uses 65 characters, 3 of which aren't transparent to URL encoding.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
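The 64-character point from the message above, as an added example that is not part of the original e-mail and is not Yii2's code: a helper that returns a fixed-length token over the URL-safe alphabet `A-Z a-z 0-9 - _`. The function name `random_urlsafe_string()` is hypothetical, and the code assumes a PHP version that ships `random_bytes()`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the RFC or from Yii2): return $length
 * characters drawn uniformly from the 64-character URL-safe alphabet.
 */
function random_urlsafe_string(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }

    // Every output character carries 6 bits, so ceil(length * 6 / 8)
    // bytes from the CSPRNG are enough to fill $length whole characters.
    $bytes = random_bytes(intdiv($length * 6 + 7, 8));

    // Standard base64 can emit '+', '/' and the '=' padding sign,
    // which is the 65th character mentioned in the message.
    $b64 = base64_encode($bytes);

    // Map the two URL-hostile symbols to '-' and '_', then cut at $length.
    // Padding and any partially filled final character sit past that point,
    // so each kept character is a full, uniformly distributed 6-bit value.
    return substr(strtr($b64, '+/', '-_'), 0, $length);
}

// The three base64 characters that URL encoding rewrites.
foreach (['+', '/', '='] as $c) {
    printf("%s becomes %s\n", $c, rawurlencode($c));
}

// A 22-character token holds 22 * 6 = 132 bits of CSPRNG output.
$token = random_urlsafe_string(22);
printf("token: %s\n", $token);

// URL encoding leaves the token untouched, unlike plain base64 output.
printf("survives rawurlencode: %s\n",
    $token === rawurlencode($token) ? 'yes' : 'no');
```

When comparing such a token against a submitted CSRF value, use `hash_equals()` rather than `==` so the comparison time does not depend on how many leading characters match.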