When writing a random string generator in PHP, you must first consider whether or not you need a generator for a throwaway string ( e.g. placeholder or sample username) or a sensitive data (like a default password, application token, or salt). If you are generating for the latter, this article is for you.
Arbitrary length strings
Generating a random string in PHP involves two main steps:
- First is generating a cryptographically secure set of random bytes
- and second is encoding the bytes into a string of printable characters
For generating random bytes, there are two main approaches depending on PHP version. The pre-PHP7 approach uses openssl_random_pseudo_bytes
while the PHP7 approach prefers random_bytes
. An advantage of the latter is that it is native and does not need additional modules installed. If needed, openssl_random_pseudo_bytes
is still available in PHP7 as an extension. But as both functions are considered cryptographically secure generators anyway, random_bytes
is the recommended function.
For encoding the bytes into printable characters, there are also a couple of viable approaches. Most popular of these are base64_encode
and bin2hex
. You generally can’t go wrong with either of these although bin2hex
does have the advantage of being more predictable in length while base64_encode
produces a shorter string with more variety in characters used.
Concretely, here is how you can generate a cryptographically secure random string :
// Pre PHP7
$numOfBytes = 10;
$randomBytes = openssl_random_pseudo_bytes($numOfBytes);
$randomString = base64_encode($randomBytes);
/// PHP7+
$numOfBytes = 10;
$randomBytes = random_bytes($numOfBytes);
$randomString = base64_encode($randomBytes);
If you need some predictability such as generating string with a specific length, encoding bytes using bin2hex
will be more suitable despite being limited to even length strings only.
// Need to generate string with length 20!
// First generate 10 random bytes
$randomBytes = random_bytes(10);
// Now encode to get a 20 character string
$randomString = bin2hex($randomBytes);
Exact length strings
If you want complete control on the length of the random string generated, it would be more suitable to use PHP7’s random_int
function. And if your system is on PHP5, you can use a polyfill library called random_compat
.
// Generate a 20 character string
$randomStr = '';
$allowedCharacters='0123456789abcdef';
for (
$i = 0, $allowedMaxIdx = mb_strlen($allowedCharacters) - 1;
$i < 20;
$i ++
) {
$randomStr .= $allowedCharacters[random_int(0, $allowedMaxIdx)];
}
And that’s how you generate secure random strings in PHP. Happy coding!