Blog by Debabratta Jena
Generating cryptographically secured numbers in php

Generating cryptographically secured number/string in php

Last modified on Nov 1, 2020
In php we can generate random numbers using rand() and mt_rand() and cryptographically secured numbers using random_int(), random_bytes(). Thes numbers are used in OTP, password, unique tokens and private salt etc.

First I'll talk about cryptographically secured numbers and later we will discuss about random numbers.

To generate cryptographically secured numbers, there are three functions in php.




random_int() – It generates cryptographically secured random integers in the range min to max. This function was introduced in PHP7.

random_int(int $min,int $max)
It retuns a integer in the range provided as parameters. It returns an error if wrong parameters are given or required level randomness can not be generated.

Random_bytes() – It generates a cryptographically secured random bytes. This function was also introduced in PHP7. It takes one parameter, length of the string that should be returned in bytes. We can use either of the function according to our needs.

random_bytes(int length)
It returns a string of length given as arguments. It returns error if wrong parameters are given or required level randomness can not be generated.

The best thing about random_int is its API is the same as rand() and mt_rand() function. Hence we need not to convert bytes to an int in case if we want an int as our first choice.

If you are using an older verion of php then you should use openssl_random_pseudo_bytes(int,bool)

Dont use functions like array_rand(), shuffle(), or str_shuffle(), it does not provide required level of security to the numbers generated.

Generating random numbers in php

How to generate random number in php
Two ways we can generate random numbers in php using rand() or mt_rand() functions. But output of these functions can generate repeated numbers for smaller range or over longer period of time. So we should use these numbers only for testing purposes or smaller websites where security is not a issue.

So, lets talk about these functions.

Note : If you want to generate cyptographically secured numbers then you shoud see this article. How to generate cryptographicaly secured numbers.

Syntax :
where number1 and number2 is the lower and upper range you provide. Number generated will be in between these two values.

Another function mt_rand() also performs the similar functions but with more uniquness in output and greater speed. mt_rand() functon uses the Mersenne Twister algorithm.

Syntax :
Howevere parameters passsed to both the functions are optional. We can simply call the function without passing any arguments, in that case value generated will be of random length.

mt_rand() function produces a better random value and is 4 times faster than rand().

If you want a random integer between 10 and 100 (inclusive), use mt_rand (10,100).

If repetition of number is not allowed in your project, use mt_rand() instead.
If you like this article, share the knowledge with your friends. It will inspire me to write more.

Published on Oct 13, 2020