From: keisial@gmail.com (Ángel González)
Date: Mon, 16 Jul 2012 22:19:41 +0200
To: Alex Aulbach
CC: Anthony Ferrara, Andrew Faulds, Nikita Popov, PHP internals
Subject: Re: [PHP-DEV] Random string generation (á la password_make_salt)

On 16/07/12 17:32, Alex Aulbach wrote:
> I like it. I've looked in some code and found about 8
> password-generation-functions. 4 of them have more or less the same
> idea behind.
>
> The rest generates more complicated password. E.g. "minimum one
> digit", "First letter must be alphabetic". This is easy to implement.
> Some generate passwords from syllables (don't ask, no one does that
> anymore).
>
>
> Three suggestions:
>
>
> 1a) If you want to support character classes, you can do it with pcre:
> http://www.php.net/manual/en/regexp.reference.character-classes.php
> (...)
> -- "look like RE consisting of just one character-class" : something
> like "/^\/\[.*\]\/[^/]*$/s" - not tested this, but explained: search
> for "/[...]/...". Some cases here are untested ([, ] and so on), needs
> more thinking, when I have time, but will be enough for proof of
> concept. Making it easier is always possible.
> -- $charset : The chars from 0 to 255.
>
> With this you can avoid to parse or define the character-classes
> yourself and it is normally fast enough. If you want to have it faster
> see suggestion 3.

That's more or less what I have thought. If it's a string surrounded by
square brackets, it's a character class, else treat as a literal list of
characters.
] and - can be provided with the old trick of providing "] as the first
character" and "making - the first or last one".

Quite easy to implement, however you can get into problems when dealing
with multiple locales. For instance, if the string is in UTF-8, you don't
want to randomly choose the first byte and then an ASCII character.
Maybe there should be a parameter for string encoding. Having to detect
character limits makes it uglier.

> 1b) And it has some more functionality: For Germans the alphabet
> consists out of 30 chars. PCRE normally considers this! [:alpha:] for
> German locales differs from [:alpha:] for English.
>
> Is this wanted? I think, the localisation should be by default off;
> nobody really needs to generate passwords with umlauts.

Not something to use as default. You don't want to provide users
passwords with characters they can't type.

About supporting POSIX classes, that could be cool. But you then need a
way to enumerate them. Note that isalpha() will be provided by the C
library, so you can't count on having its data. It's possible that PCRE,
which we bundle, contains the needed Unicode tables.

> 3. Because generating a string from character-classes is very handy in
> general for some other things (many string functions have it), I
> suggest that it is not part of random_string(). Make a new function
> str_from_character_class(), or if you use pcre like above
> pcre_str_from_character_class()?

How would you use such a function? If you want to make a string out of
them, you would use this new str_random().
If you want to verify if a given character matches a class, you have
preg_match().
If you want one arbitrary character from that class, just call
str_random() with a length of 1.
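
The charset rule discussed in this message, as an added example that is not code from the thread or from PHP itself: a spec wrapped in square brackets is expanded as a character class (with `]` first and `-` first or last taken literally), anything else is a literal list, and the spec is split by UTF-8 code point rather than by byte. The function names are hypothetical; it assumes PHP 7.2+ with mbstring and does not cover POSIX classes or negation.

```php
<?php
// Added example: function names are hypothetical, not part of PHP.
function example_expand_charset(string $spec): array
{
    // Split on UTF-8 code points, not bytes, so multibyte characters stay whole.
    $chars = preg_split('//u', $spec, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        throw new InvalidArgumentException('spec is not valid UTF-8');
    }
    $n = count($chars);
    // Not of the form "[...]": treat the spec as a literal list of characters.
    if ($n < 3 || $chars[0] !== '[' || $chars[$n - 1] !== ']') {
        return array_values(array_unique($chars));
    }
    $body = array_slice($chars, 1, -1);
    $m = count($body);
    $out = [];
    for ($i = 0; $i < $m; $i++) {
        // "x-y" is a range only when a character follows the '-'.
        if ($i + 2 < $m && $body[$i + 1] === '-') {
            $lo = mb_ord($body[$i], 'UTF-8');
            $hi = mb_ord($body[$i + 2], 'UTF-8');
            if ($lo > $hi) {
                throw new InvalidArgumentException('reversed range in class');
            }
            for ($cp = $lo; $cp <= $hi; $cp++) {
                $c = mb_chr($cp, 'UTF-8');
                if ($c !== false) { $out[] = $c; }  // skip surrogate code points
            }
            $i += 2;
        } else {
            $out[] = $body[$i];  // covers a leading ']' and a first or last '-'
        }
    }
    return array_values(array_unique($out));
}
function example_str_random(int $length, string $spec): string
{
    $set = example_expand_charset($spec);
    if ($length < 0 || $set === []) {
        throw new InvalidArgumentException('negative length or empty charset');
    }
    $s = '';
    for ($i = 0; $i < $length; $i++) {
        $s .= $set[random_int(0, count($set) - 1)];  // CSPRNG, no modulo bias
    }
    return $s;
}
echo example_str_random(12, '[]a-f0-9-]'), "\n";  // class with literal ']' and '-'
```

Duplicates in the spec are collapsed before sampling, so a repeated character does not become more likely than the others.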