The Random package by Stephen Rees-Carter, generates cryptographically secure random values in a range of different formats through a simple helper package for PHP. Here is why this package was created:
Something I commonly encounter during my security audits (especially on older codebases) is insecure randomness, usually in places where security is required. It’s usually using some form of
rand()
, often injected insidemd5()
to generate a random hash, combined withstr_shuffle()
to generate new passwords, or used to make an One-Time Password (OTP) withrand(100_000, 999_999)
.
The problem is
rand()
is not cryptographically secure, and neither ismt_rand()
,mt_srand()
,str_shuffle()
,array_rand()
, or of the other insecure functions available in PHP. We can’t simply declare these methods insecure, drop the mic, and walk away. Instead, we need to provide secure alternatives - so rather than simply saying “don’t userand()
in that way”, we can say “here’s a secure method you can use instead”!
Here are some examples of what you can do with this Random package:
Random One-Time Password (Numeric fixed-length OTPs)
Generate a random numeric one-time password (OTP) of $length digits:
$otp = Random::otp(int $length): string;
Useful for generating OTPs for SMS or email verification codes.
Random String
Generate a random string of $length characters, which includes characters from the enabled character types. By default, it will randomly select characters and not guarantee any specific character types are present. If you require one of each character to be included, you can set $requireAll = true.
// Primary method
$string = Random::string(
int $length = 32,
bool $lower = true,
bool $upper = true,
bool $numbers = true,
bool $symbols = true,
bool $requireAll = false
): string;
The string method also comes with nice wrappers for common use cases:
// Random letters only
$letters = Random::letters(int $length = 32): string;
// Random alphanumeric (letters and numbers) token string
$token = Random::token(int $length = 32): string;
// Random letters, numbers, and symbols (i.e. a random password).
$password = Random::password(int $length = 16, bool $requireAll = false): string;
// Random alphanumeric token string with chunks separated by dashes, making it easy to read and type.
$password = Random::dashed(int $length = 25, string $delimiter = '-', int $chunkLength = 5, bool $mixedCase = true): string;
Shuffle Array, String, or Collection
Securely shuffle an array, string, or Laravel Collection, optionally preserving the keys.
$shuffled = Random::shuffle(
array|string|\Illuminate\Support\Collection $values,
bool $preserveKeys = false
): array|string|\Illuminate\Support\Collection;
And more
Visit the official package page on GitHub for complete details, and also check out the announcement post.
The post The Random package generates cryptographically secure random values appeared first on Laravel News.
Join the Laravel Newsletter to get all the latest Laravel articles like this directly in your inbox.