php教程

openssl_random_pseudo_bytes

(PHP 5 >= 5.3.0, PHP 7)

openssl_random_pseudo_bytes生成一个伪随机字节串

说明

openssl_random_pseudo_bytes ( int $length [, bool &$crypto_strong ] ) : string

生成一个伪随机字节串 string ,字节数由 length 参数指定。

通过 crypto_strong 参数可以表示在生成随机字节的过程中是否使用了强加密算法。返回值为FALSE的情况很少见,但已损坏或老化的有些系统上会出现。

参数

length

所需字节串的长度,必须为正整数。PHP会试着将该参数转换为非空整数来使用它。

crypto_strong

如果传递到该函数中,将会保存为一个 boolean 值来表明是否使用了"强加密",如果被用于GPG和密码之类的将返回TRUE , 否则返回 FALSE

返回值

成功,返回生成的字节串 string , 或者在失败时返回 FALSE.

范例

Example #1 openssl_random_pseudo_bytes() 范例:

<?php
for ($i = -1$i <= 4$i++) {
    $bytes openssl_random_pseudo_bytes($i$cstrong);
    $hex   bin2hex($bytes);

    echo "Lengths: Bytes: $i and Hex: " strlen($hex) . PHP_EOL;
    var_dump($hex);
    var_dump($cstrong);
    echo PHP_EOL;
}
?>

以上例程的输出类似于:

Lengths: Bytes: -1 and Hex: 0
string(0) ""
NULL

Lengths: Bytes: 0 and Hex: 0
string(0) ""
NULL

Lengths: Bytes: 1 and Hex: 2
string(2) "42"
bool(true)

Lengths: Bytes: 2 and Hex: 4
string(4) "dc6e"
bool(true)

Lengths: Bytes: 3 and Hex: 6
string(6) "288591"
bool(true)

Lengths: Bytes: 4 and Hex: 8
string(8) "ab86d144"
bool(true)

参见

  • random_bytes() - Generates cryptographically secure pseudo-random bytes
  • bin2hex() - 函数把包含数据的二进制字符串转换为十六进制值
  • crypt() - 单向字符串散列
  • mt_rand() - 生成更好的随机数
  • uniqid() - 生成一个唯一ID

User Contributed Notes

atesin () gmail ! com 24-Feb-2018 04:08
if unavailable use this with core functions... maybe not as secure and optimized (any help?), but practical

<?php

$bytes = '';
while (strlen($bytes) < $lenght)
  $bytes .= chr(mt_rand(0, 255));

?>
umairkhi at hotmail dot com 05-Dec-2017 07:07
After the fix of insecure number generation here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8867

This function as well as the text here needs an update. I believe this function is safe to use in FIPS compliant apps as well as it now used RAND_bytes instead of  the insecure RAND_pseudo_bytes().
Karsey 31-Oct-2017 05:18
Why does bin2hex return twice as many characters as bytes?
powtac at gmx dot de 15-Jan-2016 02:55
[Editor's note: the bug has been fixed as of PHP 5.4.44, 5.5.28 and PHP 5.6.12]

Until PHP 5.6 openssl_random_pseudo_bytes() did NOT use a "cryptographically strong algorithm"!
See bug report https://bugs.php.net/bug.php?id=70014 and the corresponding source code at https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408
nahun@telemako 13-Sep-2013 07:25
Here's an example to show the distribution of random numbers as an image. Credit to Hayley Watson at the mt_rand page for the original comparison between rand and mt_rand.

rand is red, mt_rand is green and openssl_random_pseudo_bytes is blue.

NOTE: This is only a basic representation of the distribution of the data. Has nothing to do with the strength of the algorithms or their reliability.

<?php
header("Content-type: image/png");
$sizex=800;
$sizey=800;

$img = imagecreatetruecolor(3 * $sizex,$sizey);
$r = imagecolorallocate($img,255, 0, 0);
$g = imagecolorallocate($img,0, 255, 0);
$b = imagecolorallocate($img,0, 0, 255);
imagefilledrectangle($img, 0, 0, 3 * $sizex, $sizey, imagecolorallocate($img, 255, 255, 255));

$p = 0;
for($i=0; $i < 100000; $i++) {
    $np = rand(0,$sizex);
    imagesetpixel($img, $p, $np, $r);
    $p = $np;
}

$p = 0;
for($i=0; $i < 100000; $i++) {
    $np = mt_rand(0,$sizex);
    imagesetpixel($img, $p + $sizex, $np, $g);
    $p = $np;
}

$p = 0;
for($i=0; $i < 100000; $i++) {
    $np = floor($sizex*(hexdec(bin2hex(openssl_random_pseudo_bytes(4)))/0xffffffff));
    imagesetpixel($img, $p + (2*$sizex), $np, $b);
    $p = $np;
}

imagepng($img);
imagedestroy($img);
?>
Anonymous 06-May-2012 12:17
Another way to get random 32bit ints:
function myRand($max){
    do{
        $result = floor($max*(hexdec(bin2hex(openssl_random_pseudo_bytes(4)))/0xffffffff));
    }while($result == $max);
    return $result;
}
christophe dot weis at statec dot etat dot lu 09-Jun-2011 12:09
Another replacement for rand() using OpenSSL.

Note that a solution where the result is truncated using the modulo operator ( % ) is not cryptographically secure, as the generated numbers are not equally distributed, i.e. some numbers may occur more often than others.

A better solution than using the modulo operator is to drop the result if it is too large and generate a new one.

<?php
function crypto_rand_secure($min, $max) {
        $range = $max - $min;
        if ($range == 0) return $min; // not so random...
        $log = log($range, 2);
        $bytes = (int) ($log / 8) + 1; // length in bytes
        $bits = (int) $log + 1; // length in bits
        $filter = (int) (1 << $bits) - 1; // set all lower bits to 1
        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes, $s)));
            $rnd = $rnd & $filter; // discard irrelevant bits
        } while ($rnd >= $range);
        return $min + $rnd;
}
?>
crrodriguez at opensuse dot org 19-Jan-2011 09:32
Remember to request at very least 8 bytes of entropy, ideally 32 or 64, to avoid possible theorical bruteforce attacks.
acatalept at gmail 11-Jan-2011 11:24
FYI, openssl_random_pseudo_bytes() can be incredibly slow under Windows, to the point of being unusable.  It frequently times out (>30 seconds execution time) on several Windows machines of mine.

Apparently, it's a known problem with OpenSSL (not PHP specifically).

See: http://www.google.com/search?q=openssl_random_pseudo_bytes+slow
Tyler Larson 21-Aug-2009 02:29
If you don't have this function but you do have OpenSSL installed, you can always fake it:

<?php
    function openssl_random_pseudo_bytes($length) {
        $length_n = (int) $length; // shell injection is no fun
        $handle = popen("/usr/bin/openssl rand $length_n", "r");
        $data = stream_get_contents($handle);
        pclose($handle);
        return $data;
    }
?>

CopyRight © 2008-2022 verySource.Com All Rights reserved. 京ICP备17048824号-1 京公网安备:11010502034788