Newsgroups: php.internals
From: alex.aulbach@gmail.com (Alex Aulbach)
To: Anthony Ferrara
Cc: Andrew Faulds, Nikita Popov, PHP internals
Date: Mon, 16 Jul 2012 17:32:02 +0200
Subject: Re: [PHP-DEV] Random string generation (á la password_make_salt)

I like it.

I've looked in some code and found about 8 password-generation functions. 4 of them have more or less the same idea behind them. The rest generate more complicated passwords, e.g. "minimum one digit", "first letter must be alphabetic". This is easy to implement. Some generate passwords from syllables (don't ask, no one does that anymore).

Three suggestions:

1a) If you want to support character classes, you can do it with pcre:
http://www.php.net/manual/en/regexp.reference.character-classes.php

The idea is the following:

    pseudofunction random_string($len, $characters)
    {
        ....
        $set = '';
        if ($characters "look like a RE consisting of just one character-class") {
            foreach ($charset as $char) {
                // If the regex matches one of the chars, it is in the character class!
                if (preg_match($characters, $char)) {
                    // add char to $set
                    $set .= $char;
                }
            }
        } else {
            $set = $characters;
        }
        ....

-- "look like RE consisting of just one character-class": something like "/^\/\[.*\]\/[^/]*$/s" - not tested this, but explained: search for "/[...]/...". Some cases here are untested ([, ] and so on) and need more thinking when I have time, but it will be enough for a proof of concept. Making it easier is always possible.

-- $charset: the chars from 0 to 255.

With this you can avoid parsing or defining the character classes yourself, and it is normally fast enough. If you want to have it faster, see suggestion 3.

1b) And it has some more functionality: for Germans the alphabet consists of 30 chars. PCRE normally considers this! [:alpha:] for German locales differs from [:alpha:] for English.

Is this wanted? I think the localisation should be off by default; nobody really needs to generate passwords with umlauts.

1c) For the standard cases like "a-zA-Z0-9" etc., constants could be useful.

2. What about Unicode? Do Japanese people want to have Japanese passwords?

3. Because generating a string from character classes is very handy in general for some other things (many string functions have it), I suggest that it is not part of random_string(). Make a new function str_from_character_class(), or, if you use pcre like above, pcre_str_from_character_class()?

--
Alex Aulbach
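
The character-class expansion sketched in suggestion 1a, as an added example that is not part of the original message or of any PHP proposal. The function names, the `$asciiOnly` switch (localisation off by default, as suggestion 1b asks), the shape-check pattern and the use of `random_int()` are this example's own assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example; charset_from_class() and random_string_from() are
// hypothetical names, not functions proposed in the thread.

// Expand a pattern that is a single character class (e.g. '/[a-f0-9]/')
// into the bytes it matches; any other string is a literal character list.
function charset_from_class(string $characters, bool $asciiOnly = true): string
{
    // Shape check: "/[...]/modifiers". '~' is the delimiter here so the '/'
    // characters in the checked pattern need no escaping.
    if (!preg_match('~^/\[.+\]/[a-zA-Z]*\z~s', $characters)) {
        return $characters;
    }
    // Localisation off by default: only printable ASCII is probed, so a
    // locale-dependent [:alpha:] cannot pull in bytes >= 0x80.
    [$lo, $hi] = $asciiOnly ? [0x20, 0x7E] : [0x00, 0xFF];
    $set = '';
    for ($i = $lo; $i <= $hi; $i++) {
        $matched = @preg_match($characters, chr($i));
        if ($matched === false) {
            throw new InvalidArgumentException("invalid pattern: $characters");
        }
        if ($matched === 1) {
            $set .= chr($i); // the byte is in the character class
        }
    }
    return $set;
}

function random_string_from(int $len, string $characters): string
{
    // count_chars(..., 3) keeps each byte once, so a repeated character in a
    // literal list ("aab") does not become more likely than the others.
    $set = count_chars(charset_from_class($characters), 3);
    $n = strlen($set);
    if ($len < 1 || $n < 2) {
        throw new InvalidArgumentException('need length >= 1 and >= 2 distinct characters');
    }
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        // random_int() (PHP >= 7.0) uses the OS CSPRNG and has no modulo bias.
        $out .= $set[random_int(0, $n - 1)];
    }
    return $out;
}

echo random_string_from(16, '/[[:alnum:]]/'), "\n"; // POSIX class
echo random_string_from(8, '/[a-f\d]/'), "\n";      // range plus escape
echo random_string_from(8, 'ACGT'), "\n";           // literal character list
```

The pattern is compiled and run by `preg_match()`, so it should come from the calling code rather than from request input.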