Newsgroups: php.internals
Date: Mon, 16 Jul 2012 15:54:47 +0200
To: PHP internals
Subject: 
Random string generation (á la password_make_salt)
From: nikita.ppv@gmail.com (Nikita Popov)

Hi all,

I just want to throw a quick thought in here:

The password API proposal includes a function called password_make_salt(), that basically creates a random string, either in raw binary form, or in the bcrypt salt format. Personally I don't see much use for the function in the salt context as the password API already generates the salt all by itself, but I do see a lot of use for a random string function in general.

People commonly want to create random strings according to some format. Like CSRF tokens, ids, etc.

So my thought was to drop password_make_salt() and instead add some kind of generalized random_string() function:

    // this is a 20 byte random binary string
    $str = random_string(20);

    // ten random hex characters
    $str = random_string(10, "0123456789ABCDEF");

    // 15 characters from the bcrypt alphabet 0-9a-zA-Z./
    $str = random_string(15, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./");

    // if it's not too hard to implement, one could support this kind of shortcut:
    $str = random_string(15, "0-9a-zA-Z./");

Thoughts?
Nikita
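The proposal above, as an added userland sketch that is not part of the original message and not PHP's own code: it shows the two details such a function has to get right, unbiased selection from an arbitrary alphabet and the "0-9a-zA-Z./" range shortcut. The names random_string_sketch() and expand_alphabet() are hypothetical, and PHP 7.1 or later is assumed for random_bytes() and nullable types.

```php
<?php
// Added sketch with hypothetical function names; assumes PHP >= 7.1.
// expand_alphabet() expands ranges such as "0-9a-zA-Z./". A '-' is a range
// operator only between two characters; a literal '-' goes first or last.
function expand_alphabet(string $spec): string {
    $out = '';
    for ($i = 0, $n = strlen($spec); $i < $n; $i++) {
        if ($i + 2 < $n && $spec[$i + 1] === '-') {
            $lo = ord($spec[$i]);
            $hi = ord($spec[$i + 2]);
            if ($lo > $hi) {
                throw new InvalidArgumentException("bad range at offset $i");
            }
            $out .= implode('', array_map('chr', range($lo, $hi)));
            $i += 2;
        } else {
            $out .= $spec[$i];
        }
    }
    // Duplicates would make some characters more likely; keep one of each.
    return count_chars($out, 3);
}

function random_string_sketch(int $length, ?string $alphabet = null): string {
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    if ($alphabet === null) {
        return random_bytes($length); // raw binary form
    }
    $chars = expand_alphabet($alphabet);
    $k = strlen($chars);
    if ($k === 0) {
        throw new InvalidArgumentException('empty alphabet');
    }
    // A plain "$byte % $k" favours the first 256 % $k characters, so
    // bytes at or above the largest multiple of $k are discarded.
    $limit = 256 - (256 % $k);
    $out = '';
    while (strlen($out) < $length) {
        foreach (unpack('C*', random_bytes($length)) as $b) {
            if ($b < $limit && strlen($out) < $length) {
                $out .= $chars[$b % $k];
            }
        }
    }
    return $out;
}

echo random_string_sketch(15, '0-9a-zA-Z./'), "\n";
```

Calling random_int(0, $k - 1) once per character gives the same uniform distribution with less code.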