On Sun, Aug 23, 2015 at 10:30 PM, Thomas Bley <ma...@thomasbley.de> wrote:
>
> Nikita Nefedov wrote on 23.08.2015 18:27:
> >
> >> On 23 Aug 2015, at 18:37, Thomas Bley <ma...@thomasbley.de> wrote:
> >>
> >> consider this code:
> >>
> >> declare(strict_types=0);
> >> ini_set('display_errors', '1');
> >>
> >> function get_random_int(): int {
> >>     return false;
> >> }
> >> echo get_random_int();
> >>
> >> and then use strict_types=1
> >
> > So you're implying that in case of returning false with strict_types turned on
> > that would just throw a TypeError? That would be a bug in PHP. If you were
> > saying that in this case it should throw a different kind of error (the one
> > that was proposed by Anthony initially) then it wouldn't make sense again
> > because then you're creating a straight relation between having strict_types
> > mode turned on and random_int() throwing an exception about not getting a
> > reliable source of entropy.
> >
> >> Even correct return values of random_int() might create bad passwords.
> >> So I propose to have a function in core which tests the strength of the
> >> password:
> >>
> >> $password = '';
> >> for ($i = 0; $i < 10; $i++) {
> >>     $password .= $characters[random_int(0, 30)];
> >> }
> >> if (password_strength($password) < PHP_PASSWORD_STRONG) {
> >>     throw new Exception("password not strong enough");
> >> }
> >
> > I don't think it's a good idea; a language delivers features that a user would
> > have a hard time implementing themselves, small blocks from which you can
> > build whatever you want. A function that checks if a string contains
> > alphanumeric symbols as well as punctuation is pretty easy to implement in
> > userland.
>
> If it were so easy to implement this function, there would be no problems
> with weak passwords in PHP software.
> You can also implement fopen('/dev/urandom','rb') in userland without having
> random_int().
>
> Regards
> Thomas
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
Hi Thomas,

There is no /dev/urandom on the Windows operating system, so that system is not universal.

I invite you to look at random_compat and see the effort that has gone into writing a congruent feature using only PHP 5 features.

https://github.com/paragonie/random_compat

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
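The two points argued above, as an added example that is not code from the thread, from random_compat or from PHP core: first, Thomas's `get_random_int(): int { return false; }` under strict_types=1 fails with a TypeError at the return statement, which is why random_int() reports a missing entropy source by throwing rather than by returning false; second, the proposed password_strength() is a few lines of userland code. The alphabet, the 16-character length and the "character classes" scoring are my own choices, and password_classes() / password_entropy_bits() are hypothetical helper names, not functions PHP provides.

```php
<?php
declare(strict_types=1);

// Thomas's example under strict_types=1: a function declared ": int" that
// returns false throws a TypeError at the return statement (in coercive mode,
// strict_types=0, false would instead be coerced to 0).
function returns_false_as_int(): int
{
    return false;
}

try {
    returns_false_as_int();
} catch (TypeError $e) {
    echo "TypeError: " . $e->getMessage() . "\n";
}

// Constructed alphabet for the generated password (72 symbols).
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_';

function generate_password(int $length, string $alphabet = ALPHABET): string
{
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max]. If no CSPRNG is available it
        // throws (Exception on PHP 7, Random\RandomException on 8.2+, which
        // still extends Exception), so there is never a false to check for.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Userland version of the proposed password_strength(): counts how many of
// four character classes (lower, upper, digit, other) are present, 0..4.
function password_classes(string $password): int
{
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $pattern) {
        if (preg_match($pattern, $password) === 1) {
            $classes++;
        }
    }
    return $classes;
}

// For a generated password the property that matters is the entropy of the
// generator, length * log2(alphabet size), not which classes happen to appear.
function password_entropy_bits(int $length, string $alphabet = ALPHABET): float
{
    return $length * log(strlen($alphabet), 2);
}

try {
    $password = generate_password(16);
    printf("password: %s\n", $password);
    printf("character classes present: %d of 4\n", password_classes($password));
    printf("generator entropy: %.1f bits\n", password_entropy_bits(16));
} catch (Exception $e) {
    // Reached only when the OS provides no secure entropy source.
    fwrite(STDERR, "could not generate password: " . $e->getMessage() . "\n");
    exit(1);
}
```

The class count is what a userland "strength" check can measure; it says nothing about how the password was produced, which is the gap Thomas points at. A 16-character password drawn uniformly from 72 symbols carries about 98.7 bits of entropy regardless of whether a particular draw happens to contain punctuation, so a rejection loop based on the class count only discards a small fraction of outputs without making the generator stronger.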