jack jack - 3 months ago 8
PHP Question

Cryptographically secure and unique string in PHP

I've been using

$string = bin2hex(openssl_random_pseudo_bytes(16)) . uniqid();


Because I need some string that is both crytopgrahically secure and unique. Question is: is this a naive approach? By using the result of uniqid() tacked onto the end of the string,am I giving away any information that might compromise the security of the string? I ask this because uniqid() is based on system time, and my concern is whether that could give any information away that allows an attacker to guess future outputs?

Thanks

Answer

Why are you tacking uniqid to it? why not just use the first function?

With 16 bytes, there are about 34 followed by 38 zeros possibilities. For almost any application, the risk of collision is negligible. I would stick to just

bin2hex(openssl_random_pseudo_bytes(16))

From the manual:

If you need a cryptographically secure value, consider using random_int(), random_bytes(), or openssl_random_pseudo_bytes()

Comments