Newsgroups: php.internals
Date: Mon, 05 Oct 2015 12:37:51 -0400
To: Scott Arciszewski
CC: PHP Internals
Subject: Re: PHP 7.1 - should we add a random_str() function?
From: fsb@thefsb.org (Tom Worster)

On 10/5/15, 11:34 AM, "Scott Arciszewski" wrote:

>You mentioned diceware. Incidentally,
>https://paragonie.com/blog/2015/07/common-uses-for-csprngs-cryptographically-secure-pseudo-random-number-generators#diceware
>
>Some problems (i.e. random_int) should be fixed at a language level.
>Others, through education. In the end, this might be an education
>issue.
>
>Scott Arciszewski
>Chief Development Officer
>Paragon Initiative Enterprises

Hi Scott,

I don't think a random string generator or the other stuff I mentioned should be in standard PHP API. If PHP wants to help with this sort of thing (I think it would be valuable) the better way is a new ext with a class that provides some utility methods and such, as I described before.

With respect to your code, if you assume an opcode cache, a trait is a decent way to save a large lookup table, such as the Diceware word list, as a PHP array. Examples in the two data trait classes here:

https://github.com/tom--/precis

Better still, compile it into PHP.

Your random string generator appears to assume either that the $charset string is limited to ASCII7 (Basic Latin) or that the PHP file is latin encoded. I don't think it's a safe assumption to make in 2015.

Tom
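The charset-encoding point in the message above, as an added example that is not code from the thread: `random_str_bytes()` is a hypothetical stand-in for a byte-indexed generator (the generator under discussion is not shown on this page), and `random_str_utf8()` is one way to index by code point instead, assuming the charset is UTF-8 and PHP 7's `random_int()` is available.

```php
<?php
declare(strict_types=1);

// Hypothetical byte-indexed generator: illustrates the assumption the
// message describes. Not code from the thread.
function random_str_bytes(int $length, string $charset): string
{
    $max = strlen($charset) - 1;               // strlen() counts bytes
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $charset[random_int(0, $max)]; // picks one byte, not one character
    }
    return $out;
}

// Code-point-aware variant (assumption: $charset is UTF-8).
function random_str_utf8(int $length, string $charset): string
{
    // With /u, PCRE splits on code points and returns false on invalid UTF-8.
    $chars = preg_split('//u', $charset, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        throw new InvalidArgumentException('charset is not valid UTF-8');
    }
    // Repeated characters would bias the draw toward them.
    $chars = array_values(array_unique($chars));
    if (count($chars) < 2) {
        throw new InvalidArgumentException('charset needs at least 2 distinct characters');
    }
    $max = count($chars) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

// Constructed sample charset: 4 characters, 8 bytes when the file is UTF-8.
$charset = 'äöüß';

$byteIndexed = random_str_bytes(8, $charset);
$codePoint   = random_str_utf8(8, $charset);

// preg_match() with /u returns 1 only when the subject is valid UTF-8.
printf("byte-indexed:  valid UTF-8 = %s, hex = %s\n",
    var_export(preg_match('//u', $byteIndexed) === 1, true), bin2hex($byteIndexed));
printf("code-point:    valid UTF-8 = %s, value = %s\n",
    var_export(preg_match('//u', $codePoint) === 1, true), $codePoint);
```

With a multibyte charset the byte-indexed version draws lead and continuation bytes independently, so its output is usually not valid UTF-8 and the number of distinct symbols it draws from is not the number of characters the caller supplied.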