random_bytes() / random_int() / uniqid()

Since: PHP 7.0 (2015)

Functions for generating cryptographically secure random values and unique IDs. Use random_bytes() and random_int() for token generation and other security-related purposes; uniqid() provides uniqueness only.

Syntax

// Generates a cryptographically secure random byte string.
random_bytes($length);

// Generates a cryptographically secure random integer.
random_int($min, $max);

// Generates a unique ID. Do not use for cryptographic purposes.
uniqid($prefix, $more_entropy);

// Converts binary data to a hexadecimal string.
bin2hex($data);

Function List

| Function | Description |
| --- | --- |
| random_bytes($length) | Returns a CSPRNG-generated random byte string of the specified length. Use this for generating tokens and salts. |
| random_int($min, $max) | Returns a CSPRNG-generated random integer within the specified range. Guarantees an unbiased, uniform distribution. |
| uniqid($prefix, $more_entropy) | Generates a unique ID based on microseconds. It is predictable, so do not use it for security purposes. |
| bin2hex($data) | Converts binary data to a hexadecimal string. Use this to turn the output of random_bytes() into a readable string. |

Sample Code

<?php
// Generating a CSRF token using a cryptographically secure method.
$csrf_token = bin2hex(random_bytes(32));
echo $csrf_token; // Outputs a 64-character hexadecimal string.

// Generating a token for password reset.
$reset_token = bin2hex(random_bytes(32));
echo strlen($reset_token); // Outputs '64'.

// Generating a secure random integer with random_int().
echo random_int(1, 100);    // Outputs a random integer between 1 and 100.
echo random_int(0, 999999); // Range for a 6-digit verification code; values below 100000 need zero-padding (see the next example).

// Generating a 6-digit one-time password.
$otp = sprintf('%06d', random_int(0, 999999));
echo $otp; // Outputs a zero-padded 6-digit number such as '042857'.

// Generating an API key.
$api_key = 'sk_' . bin2hex(random_bytes(24));
echo $api_key; // Outputs a 51-character string starting with 'sk_'.

// uniqid() is suitable for cases where only uniqueness is needed, such as filenames or log IDs.
echo uniqid();              // Outputs a 13-character ID such as '65f2a1b3c4d5e'.
echo uniqid('user_');       // Outputs an ID with a prefix, such as 'user_65f2a1b3c4d5e'.
echo uniqid('', true);      // Outputs an ID with added entropy, such as '65f2a1b3c4d5e8.12345678'.

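// Regenerating the session ID.
// Requires an active session: call session_start() before this line.
session_regenerate_id(true); // Effective against session hijacking.

// Example function for generating a random string.
// The result uses the base64 alphabet, so it can contain '+' and '/'.
// Use bin2hex() instead when the value must be safe in URLs or filenames.
function generate_random_string(int $length = 16): string {
	$bytes = random_bytes($length);
	// base64 of $length bytes is always longer than $length characters, so substr() never comes up short.
	return substr(base64_encode($bytes), 0, $length);
}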

echo generate_random_string(20); // Outputs a 20-character random string.

Notes

random_bytes() and random_int() are CSPRNG functions added in PHP 7.0. CSPRNG stands for Cryptographically Secure Pseudo-Random Number Generator. Always use random_bytes() or random_int() in situations that require unpredictability, such as security tokens, password reset URLs, CSRF tokens, and API keys. mt_rand() and rand() are predictable and must not be used for security purposes.

uniqid() generates values based on microseconds, so it produces unique IDs, but it is not cryptographically secure. Use it only in situations unrelated to security, such as generating filenames or log identifiers.
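
An added example (not part of the original page) for the two notes above: a password-reset token issued with random_bytes(), stored only as a SHA-256 hash and checked with hash_equals(), next to a decoder showing that a uniqid() value is nothing more than a timestamp. The function names, the in-memory $store array and the 900-second lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

$store = []; // hypothetical in-memory store standing in for a database table

// Issue a reset token: the user receives $token, the server keeps only its hash.
function issue_reset_token(array &$store, int $userId, int $ttl = 900): string {
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $store[$userId] = [
        'hash'    => hash('sha256', $token),   // a leaked table holds no usable tokens
        'expires' => time() + $ttl,
    ];
    return $token;
}

// Compare in constant time, enforce expiry, and consume the token on success.
function verify_reset_token(array &$store, int $userId, string $token): bool {
    $row = $store[$userId] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($store[$userId]);                // drop expired entries
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$userId]);                    // single use
    return true;
}

// uniqid() with no prefix is 8 hex digits of seconds followed by 5 of microseconds.
function uniqid_to_time(string $id): string {
    $sec  = (int) hexdec(substr($id, 0, 8));
    $usec = (int) hexdec(substr($id, 8, 5));
    return date('Y-m-d H:i:s', $sec) . sprintf('.%06d', $usec);
}

// A wrong value, the real token, then a replay of the real token.
$token = issue_reset_token($store, 42);
var_dump(verify_reset_token($store, 42, 'wrong'));
var_dump(verify_reset_token($store, 42, $token));
var_dump(verify_reset_token($store, 42, $token));

// The ID decodes straight back to the clock reading at the moment it was created.
echo uniqid_to_time(uniqid()), PHP_EOL;
```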

For password hashing, see password_hash(). For generating hash values, see hash().
