Deprecate random_string basic/md5/sha1
#1

(This post was last modified: 03-09-2023, 02:55 AM by kenjis.)

Is anyone using the following types of random_string()?

Quote:
basic: A random number based on mt_rand() (length ignored).
md5: An encrypted random number based on md5() (fixed length of 32).
sha1: An encrypted random number based on sha1() (fixed length of 40).
https://codeigniter4.github.io/CodeIgnit...dom_string

As you know, these values are cryptographically insecure.
I personally do not understand the use case.
I suggest that they be deprecated.
Reply
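Why the three types named in post #1 are weak, shown as an added example that is not part of the thread and not CodeIgniter's own code. The `legacy_*` functions are simplified models written from the quoted documentation, and the function names and the seed value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified models of the three types, following the documentation quoted in
// post #1 (assumption: these are not CodeIgniter's source).
function legacy_basic(): string { return (string) mt_rand(); }
function legacy_md5(): string   { return md5((string) mt_rand()); }
function legacy_sha1(): string  { return sha1((string) mt_rand()); }

// Hashing adds no randomness: in this model each legacy type can emit at most
// mt_getrandmax() + 1 distinct strings, whatever the output length.
function legacy_entropy_bits(): float
{
    return log(mt_getrandmax() + 1, 2);
}

// mt_rand() is a seeded Mersenne Twister, so an equal seed replays the
// same "random" strings in the same order.
function replays_under_seed(int $seed): bool
{
    mt_srand($seed);
    $first = [legacy_basic(), legacy_md5(), legacy_sha1()];
    mt_srand($seed);
    $second = [legacy_basic(), legacy_md5(), legacy_sha1()];
    return $first === $second;
}

// Replacement: bytes from the operating system CSPRNG, hex-encoded.
function secure_token(int $bytes = 16): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('use at least 16 bytes (128 bits)');
    }
    return bin2hex(random_bytes($bytes));
}

$md5Token = legacy_md5();
$secure   = secure_token();
printf("md5 type : %s (%d hex chars, at most %.0f bits)\n",
    $md5Token, strlen($md5Token), legacy_entropy_bits());
printf("replays  : %s\n", replays_under_seed(1234) ? 'yes' : 'no'); // constructed seed
printf("secure   : %s (%d hex chars, %d bits)\n",
    $secure, strlen($secure), strlen($secure) * 4);
```

The md5 and sha1 outputs look long, but their length says nothing about how many distinct values the generator behind them can produce.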
#2

No, I quit using them a while back because, like you say, they are insecure.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#3

I use "crypto" and "alnum" to generate token strings. Just random strings (w/o security context).
Reply
#4

crypto is secure. alnum is not secure now, but I'm going to make it secure.
Reply
#5

(This post was last modified: 03-09-2023, 01:00 AM by superior.)

In the past I've used this for generating a hash to compare with payments.
Now using hash_hmac() and hash_equals() for that, so the above is not being used by me anymore.
Reply
#6

+1 for alnum, but we are migrating towards ULID
Reply
#7

(03-09-2023, 02:44 AM)tgix Wrote: +1 for alnum, but we are migrating towards ULID

What do you mean by +1 for alnum?

My proposal is to make basic/md5/sha1 deprecated.
Reply
#8

(03-09-2023, 02:49 AM)kenjis Wrote:
(03-09-2023, 02:44 AM)tgix Wrote: +1 for alnum, but we are migrating towards ULID

What do you mean by +1 for alnum?

My proposal is to make basic/md5/sha1 deprecated.

OK, I quickly read it as deprecating random_string().
Reply
#9

It is important to note that using the basic, md5, and sha1 methods of random_string() may not be secure as they are not cryptographically secure.

While there may be some use cases for these methods, it is recommended to use more secure methods for generating random strings, such as the OpenSSL library.

Considering the potential security risks associated with using these methods, it may be a good idea to deprecate them and encourage the use of more secure options.
Reply
#10

Updated the docs:
https://codeigniter4.github.io/CodeIgnit...dom_string
Reply