Cara menggunakan php random_bytes

To answer this question specifically, two problems:

1. $randstring is not in scope when you echo it.
2. The characters are not getting concatenated together in the loop.

Here's a code snippet with the corrections:

function generateRandomString($length = 10) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}

Output the random string with the call below:

// Echo the random string.
// Optionally, you can give it a desired string length.
echo generateRandomString();

Please note that this generates predictable random strings. If you want to create secure tokens, see this answer.

steadweb

13.8k3 gold badges28 silver badges41 bronze badges

answered Dec 4, 2010 at 22:57

Stephen WatkinsStephen Watkins

24.4k14 gold badges65 silver badges98 bronze badges

16

Note: str_shuffle() internally uses rand(), which is unsuitable for cryptography purposes (e.g. generating random passwords). You want a secure random number generator instead. It also doesn't allow characters to repeat.

One more way.

UPDATED (now this generates any length of string):

function generateRandomString($length = 10) {
    return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);
}

echo  generateRandomString();  // OR: generateRandomString(24)

That's it. :)

answered Nov 3, 2012 at 20:04

A. CheshirovA. Cheshirov

4,6461 gold badge12 silver badges13 bronze badges

20

There are a lot of answers to this question, but none of them leverage a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).

The simple, secure, and correct answer is to use RandomLib and don't reinvent the wheel.

For those of you who insist on inventing your own solution, PHP 7.0.0 will provide random_int() for this purpose; if you're still on PHP 5.x, we wrote a PHP 5 polyfill for random_int() so you can use the new API even before you upgrade to PHP 7.

Safely generating random integers in PHP isn't a trivial task. You should always check with your resident StackExchange cryptography experts before you deploy a home-grown algorithm in production.

With a secure integer generator in place, generating a random string with a CSPRNG is a walk in the park.

Creating a Secure, Random String

/**
 * Generate a random string, using a cryptographically secure 
 * pseudorandom number generator (random_int)
 *
 * This function uses type hints now (PHP 7+ only), but it was originally
 * written for PHP 5 as well.
 * 
 * For PHP 7, random_int is a PHP core function
 * For PHP 5.x, depends on https://github.com/paragonie/random_compat
 * 
 * @param int $length      How many characters do we want?
 * @param string $keyspace A string of all possible characters
 *                         to select from
 * @return string
 */
function random_str(
    int $length = 64,
    string $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
): string {
    if ($length < 1) {
        throw new \RangeException("Length must be a positive integer");
    }
    $pieces = [];
    $max = mb_strlen($keyspace, '8bit') - 1;
    for ($i = 0; $i < $length; ++$i) {
        $pieces []= $keyspace[random_int(0, $max)];
    }
    return implode('', $pieces);
}

Usage:

$a = random_str(32);
$b = random_str(8, 'abcdefghijklmnopqrstuvwxyz');
$c = random_str();

Demo: https://3v4l.org/IMJGF (Ignore the PHP 5 failures; it needs random_compat)

answered Jun 29, 2015 at 3:41

Scott ArciszewskiScott Arciszewski

32.6k16 gold badges87 silver badges204 bronze badges

15

This creates a 20 character long hexadecimal string:

$string = bin2hex(openssl_random_pseudo_bytes(10)); // 20 chars

In PHP 7 (random_bytes()):

$string = base64_encode(random_bytes(10)); // ~14 characters, includes /=+
// or
$string = substr(str_replace(['+', '/', '='], '', base64_encode(random_bytes(32))), 0, 32); // 32 characters, without /=+
// or
$string = bin2hex(random_bytes(10)); // 20 characters, only 0-9a-f

answered Sep 4, 2014 at 18:25

8

@tasmaniski: your answer worked for me. I had the same problem, and I would suggest it for those who are ever looking for the same answer. Here it is from @tasmaniski:

<?php 
    $random = substr(md5(mt_rand()), 0, 7);
    echo $random;
?>

Here is a youtube video showing us how to create a random number

answered Feb 10, 2013 at 8:24

HumphreyHumphrey

2,4933 gold badges27 silver badges38 bronze badges

6

Depending on your application (I wanted to generate passwords), you could use

$string = base64_encode(openssl_random_pseudo_bytes(30));

Being base64, they may contain = or - as well as the requested characters. You could generate a longer string, then filter and trim it to remove those.

openssl_random_pseudo_bytes seems to be the recommended way way to generate a proper random number in php. Why rand doesn't use /dev/random I don't know.

answered Feb 6, 2013 at 17:40

rjmunrorjmunro

26.4k19 gold badges108 silver badges132 bronze badges

6

PHP 7+ Generate cryptographically secure random bytes using random_bytes function.

$bytes = random_bytes(16);
echo bin2hex($bytes);

Possible output

da821217e61e33ed4b2dd96f8439056c

PHP 5.3+ Generate pseudo-random bytes using openssl_random_pseudo_bytes function.

$bytes = openssl_random_pseudo_bytes(16);
echo bin2hex($bytes);

Possible output

e2d1254506fbb6cd842cd640333214ad

The best use case could be

function getRandomBytes($length = 16)
{
    if (function_exists('random_bytes')) {
        $bytes = random_bytes($length / 2);
    } else {
        $bytes = openssl_random_pseudo_bytes($length / 2);
    }
    return bin2hex($bytes);
}
echo getRandomBytes();

Possible output

ba8cc342bdf91143

answered Jan 25, 2020 at 3:12

Madan SapkotaMadan Sapkota

23.8k11 gold badges112 silver badges115 bronze badges

7

Here is a simple one-liner that generates a true random string without any script level looping or use of OpenSSL libraries.

echo substr(str_shuffle(str_repeat('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', mt_rand(1,10))), 1, 10);

To break it down so the parameters are clear

// Character List to Pick from
$chrList = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Minimum/Maximum times to repeat character List to seed from
$chrRepeatMin = 1; // Minimum times to repeat the seed string
$chrRepeatMax = 10; // Maximum times to repeat the seed string

// Length of Random String returned
$chrRandomLength = 10;

// The ONE LINE random command with the above variables.
echo substr(str_shuffle(str_repeat($chrList, mt_rand($chrRepeatMin,$chrRepeatMax))), 1, $chrRandomLength);

This method works by randomly repeating the character list, then shuffles the combined string, and returns the number of characters specified.

You can further randomize this, by randomizing the length of the returned string, replacing $chrRandomLength with mt_rand(8, 15) (for a random string between 8 and 15 characters).

answered Apr 19, 2014 at 21:18

Kraang PrimeKraang Prime

9,5918 gold badges56 silver badges120 bronze badges

10

A better way to implement this function is:

function RandomString($length) {
    $keys = array_merge(range(0,9), range('a', 'z'));

    $key = "";
    for($i=0; $i < $length; $i++) {
        $key .= $keys[mt_rand(0, count($keys) - 1)];
    }
    return $key;
}

echo RandomString(20);

mt_rand is more random according to this and this in PHP 7. The rand function is an alias of mt_rand.

answered Sep 24, 2012 at 18:08

1

function generateRandomString($length = 15)
{
    return substr(sha1(rand()), 0, $length);
}

Tada!

answered Dec 26, 2012 at 16:32

DavorDavor

1,38716 silver badges32 bronze badges

8

$randstring in the function scope is not the same as the scope where you call it. You have to assign the return value to a variable.

$randstring = RandomString();
echo $randstring;

Or just directly echo the return value:

echo RandomString();

Also, in your function you have a little mistake. Within the for loop, you need to use .= so each character gets appended to the string. By using = you are overwriting it with each new character instead of appending.

$randstring .= $characters[rand(0, strlen($characters))];

answered Dec 4, 2010 at 22:59

BoltClockBoltClock

674k155 gold badges1361 silver badges1333 bronze badges

First, you define the alphabet you want to use:

$alphanum = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$special  = '[email protected]#$%^&*(){}[],./?';
$alphabet = $alphanum . $special;

Then, use openssl_random_pseudo_bytes() to generate proper random data:

$len = 12; // length of password
$random = openssl_random_pseudo_bytes($len);

Finally, you use this random data to create the password. Because each character in $random can be chr(0) until chr(255), the code uses the remainder after division of its ordinal value with $alphabet_length to make sure only characters from the alphabet are picked (note that doing so biases the randomness):

$alphabet_length = strlen($alphabet);
$password = '';
for ($i = 0; $i < $len; ++$i) {
    $password .= $alphabet[ord($random[$i]) % $alphabet_length];
}

Alternatively, and generally better, is to use RandomLib and SecurityLib:

use SecurityLib\Strength;

$factory = new RandomLib\Factory;
$generator = $factory->getGenerator(new Strength(Strength::MEDIUM));

$password = $generator->generateString(12, $alphabet);

2

I've tested performance of most popular functions there, the time which is needed to generate 1'000'000 strings of 32 symbols on my box is:

2.5 $s = substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,32);
1.9 $s = base64_encode(openssl_random_pseudo_bytes(24));
1.68 $s = bin2hex(openssl_random_pseudo_bytes(16));
0.63 $s = base64_encode(random_bytes(24));
0.62 $s = bin2hex(random_bytes(16));
0.37 $s = substr(md5(rand()), 0, 32);
0.37 $s = substr(md5(mt_rand()), 0, 32);

Please note it is not important how long it really was but which is slower and which one is faster so you can select according to your requirements including cryptography-readiness etc.

substr() around MD5 was added for sake of accuracy if you need string which is shorter than 32 symbols.

For sake of answer: the string was not concatenated but overwritten and result of the function was not stored.

answered Oct 24, 2017 at 12:09

PutnikPutnik

4,9695 gold badges35 silver badges54 bronze badges

1

Here's my simple one line solution to generate a use friendly random password, excluding the characters that lookalike such as "1" and "l", "O" and "0", etc... here it is 5 characters but you can easily change it of course:

$user_password = substr(str_shuffle('abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789'),0,5);

answered Oct 4, 2019 at 14:03

rAthusrAthus

7827 silver badges14 bronze badges

7

Short Methods..

Here are some shortest method to generate the random string

<?php
echo $my_rand_strng = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), -15); 

echo substr(md5(rand()), 0, 7);

echo str_shuffle(MD5(microtime()));
?>

answered Feb 7, 2017 at 6:12

Punit GajjarPunit Gajjar

4,5137 gold badges32 silver badges64 bronze badges

One very quick way is to do something like:

substr(md5(rand()),0,10);

This will generate a random string with the length of 10 chars. Of course, some might say it's a bit more heavy on the computation side, but nowadays processors are optimized to run md5 or sha256 algorithm very quickly. And of course, if the rand() function returns the same value, the result will be the same, having a 1 / 32767 chance of being the same. If security's the issue, then just change rand() to mt_rand()

BassMHL

7,4839 gold badges48 silver badges62 bronze badges

answered Oct 24, 2013 at 16:04

AkatoshAkatosh

4289 silver badges17 bronze badges

0

function gen_uid($l=5){
   return substr(str_shuffle("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), 10, $l);
}
echo gen_uid();

Default Value[5]: WvPJz

echo gen_uid(30);

Value[30]: cAiGgtf1lDpFWoVwjykNKXxv6SC4Q2

answered Jan 3 at 17:13

Mr. CoderxMr. Coderx

4416 silver badges4 bronze badges

Helper function from Laravel 5 framework

/**
 * Generate a "random" alpha-numeric string.
 *
 * Should not be considered sufficient for cryptography, etc.
 *
 * @param  int  $length
 * @return string
 */
function str_random($length = 16)
{
    $pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

    return substr(str_shuffle(str_repeat($pool, $length)), 0, $length);
}

answered Feb 17, 2015 at 19:03

artnikproartnikpro

5,1064 gold badges35 silver badges38 bronze badges

1

function rndStr($len = 64) {
     $randomData = file_get_contents('/dev/urandom', false, null, 0, $len) . uniqid(mt_rand(), true);
     $str = substr(str_replace(array('/','=','+'),'', base64_encode($randomData)),0,$len);
    return $str;
}

answered Nov 13, 2012 at 14:45

1

This one was taken from adminer sources:

/** Get a random string
* @return string 32 hexadecimal characters
*/
function rand_string() {
    return md5(uniqid(mt_rand(), true));
}

Adminer, database management tool written in PHP.

answered Aug 2, 2016 at 3:15

userlonduserlond

3,4842 gold badges32 silver badges50 bronze badges

from the yii2 framework

/**
 * Generates a random string of specified length.
 * The string generated matches [A-Za-z0-9_-]+ and is transparent to URL-encoding.
 *
 * @param int $length the length of the key in characters
 * @return string the generated random key
 */

function generateRandomString($length = 10) {
    $bytes = random_bytes($length);
    return substr(strtr(base64_encode($bytes), '+/', '-_'), 0, $length);
}

sxn

1571 silver badge7 bronze badges

answered Oct 7, 2020 at 9:45

SXNSXN

891 silver badge3 bronze badges

2

/**
 * @param int $length
 * @param string $abc
 * @return string
 */
function generateRandomString($length = 10, $abc = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
{
    return substr(str_shuffle($abc), 0, $length);
}

Source from http://www.xeweb.net/2011/02/11/generate-a-random-string-a-z-0-9-in-php/

mike_t

2,3822 gold badges19 silver badges36 bronze badges

answered Dec 23, 2017 at 10:57

sxnsxn

1571 silver badge7 bronze badges

Another one-liner, which generates a random string of 10 characters with letters and numbers. It will create an array with range (adjust the second parameter to set the size), loops over this array and assigns a random ASCII character (range 0-9 or a-z), then implodes the array to get a string.

$str = implode('', array_map(function () { return chr(rand(0, 1) ? rand(48, 57) : rand(97, 122)); }, range(0, 9)));

Note: this only works in PHP 5.3 and later

answered Aug 1, 2014 at 14:20

kasimirkasimir

1,4681 gold badge20 silver badges24 bronze badges

3

One liner.

It is fast for huge strings with some uniqueness.

function random_string($length){
    return substr(str_repeat(md5(rand()), ceil($length/32)), 0, $length);
}

answered May 19, 2015 at 20:47

2

function randomString($length = 5) {
    return substr(str_shuffle(implode(array_merge(range('A','Z'), range('a','z'), range(0,9)))), 0, $length);
}

answered Jan 20, 2017 at 16:35

Anjith K PAnjith K P

2,14826 silver badges35 bronze badges

Here is how I am doing it to get a true unique random key:

$Length = 10;
$RandomString = substr(str_shuffle(md5(time())), 0, $Length);
echo $RandomString;

You can use time() since it is a Unix timestamp and is always unique compared to other random mentioned above. You can then generate the md5sum of that and take the desired length you need from the generated MD5 string. In this case I am using 10 characters, and I could use a longer string if I would want to make it more unique.

I hope this helps.

answered Apr 9, 2013 at 23:16

sherpasherpa

731 silver badge2 bronze badges

4

The edited version of the function works fine, but there is just one issue I found: You used the wrong character to enclose $characters, so the ’ character is sometimes part of the random string that is generated.

To fix this, change:

$characters = ’0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ’;

to:

$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

This way only the enclosed characters are used, and the ’ character will never be a part of the random string that is generated.

answered Aug 8, 2012 at 16:18

bmcsweebmcswee

1072 silver badges6 bronze badges

function generateRandomString($length = 10, $hasNumber = true, $hasLowercase = true, $hasUppercase = true): string
{
    $string = '';
    if ($hasNumber)
        $string .= '0123456789';
    if ($hasLowercase)
        $string .= 'abcdefghijklmnopqrstuvwxyz';
    if ($hasUppercase)
        $string .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    return substr(str_shuffle(str_repeat($x = $string, ceil($length / strlen($x)))), 1, $length);
}

and use:

echo generateRandomString(32);

answered Mar 8, 2021 at 10:36

MRMPMRMP

1831 silver badge5 bronze badges

I liked the last comment which used openssl_random_pseudo_bytes, but it wasn't a solution for me as I still had to remove the characters I didn't want, and I wasn't able to get a set length string. Here is my solution...

function rndStr($len = 20) {
    $rnd='';
    for($i=0;$i<$len;$i++) {
        do {
            $byte = openssl_random_pseudo_bytes(1);
            $asc = chr(base_convert(substr(bin2hex($byte),0,2),16,10));
        } while(!ctype_alnum($asc));
        $rnd .= $asc;
    }
    return $rnd;
}

answered Feb 10, 2013 at 21:02