terungwa

how to use the randomlib

I am having trouble implementing Anthony Ferrara's RandomLib library in my custom PHP application.

Here's  my code:

    require_once 'RandomLib/Factory.php';
    $factory = new \RandomLib\Factory;
    $generator = $factory->getMediumStrengthGenerator();
    return $generator->generate(16);

Unfortunately, I'm getting the following error:

Fatal error: Class 'SecurityLib\AbstractFactory' not found in C:\wamp\www\RandomLib-master\RandomLib-master\lib\RandomLib\Factory.php on line 30

How do I implement this library?

 

Thanks


You need an autoloader (see test/bootstrap.php for an example) and the SecurityLib library. You can use Composer to handle that automatically.

 

But why do you even want this library? There are much easier (and I'd say: more reliable) ways to get random bytes. You can directly access the random number generator of your operating system with mcrypt_create_iv() or openssl_random_pseudo_bytes(). No need for a big third-party library.

Hi Jacques1,

I needed to generate a random number/string for use in creating One-Time Use URLs for password reset tokens, CSRF tokens and registration activation tokens.

To ensure unpredictability (random) and a low chance of duplication (collision), I was using this code below:

$token = sha1(uniqid($username, true));

I read here (http://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html) that the code above had vulnerabilities and the Anthony Ferrara RandomLib library on Github was recommended, hence my choice.

 

Do you think this openssl_random_pseudo_bytes code below is good to generate a random string for the purposes I mentioned above?

function random($len) {
    $bytes = openssl_random_pseudo_bytes($len);
    $hex   = bin2hex($bytes);
    return $hex;
}

Thanks.


The OpenSSL function is exactly what the library uses internally.

 

All good random number generators eventually use the randomness device of your operating system (like /dev/urandom), so the source is always the same. The difference is that openssl_random_pseudo_bytes() is a simple function, whereas RandomLib is a big fat library with some extra features (like mixing multiple sources). Unless you have a specific reason for why you need the extra features of the library, just go with the simple function.

 

In fact, the PHP security tutorial you're reading specifically says that the library is only needed as a fallback in case neither the OpenSSL extension nor the Mcrypt extension are available. You do have the OpenSSL extension, so no need for the fallback.

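An added example (not code from any post in this thread) of the token generation discussed above, applied to the password-reset use case: it checks the failure return and the `$crypto_strong` flag of openssl_random_pseudo_bytes(), stores only a hash of the token, and compares in constant time. The function names, the SHA-256 storage step and the one-hour lifetime are assumptions; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not from the thread. generate_token() and token_matches()
// are hypothetical names chosen for illustration.

/**
 * Return $bytes of CSPRNG output as a hex string (2 * $bytes characters).
 */
function generate_token($bytes = 16)
{
    // PHP 7+ ships random_bytes(), which throws on failure instead of returning false.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }

    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);

    // Refuse to hand out a token if OpenSSL failed or did not use a strong source.
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong random source available');
    }
    return bin2hex($raw);
}

/**
 * Compare a submitted token against the stored hash without leaking timing.
 */
function token_matches($storedHash, $submitted)
{
    return hash_equals($storedHash, hash('sha256', $submitted));
}

// Issue: send $token in the URL, persist only its hash plus an expiry.
$token      = generate_token(16);   // 32 hex characters, 128 bits
$storedHash = hash('sha256', $token);
$expiresAt  = time() + 3600;        // constructed lifetime: one hour

// Redeem: look up the row, check expiry, then compare.
$submitted = $token;                // stands in for the token taken from the URL
$valid = time() < $expiresAt && token_matches($storedHash, $submitted);
var_dump($valid);
```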
