paragonie/random_compat
Composer 安装命令:
composer require paragonie/random_compat
包简介
PHP 5.x polyfill for random_bytes() and random_int() from PHP 7
README 文档
README
PHP 5.x polyfill for random_bytes() and random_int() created and maintained
by Paragon Initiative Enterprises.
Although this library should function in earlier versions of PHP, we will only consider issues relevant to supported PHP versions. If you are using an unsupported version of PHP, please upgrade as soon as possible.
Important
Although this library has been examined by some security experts in the PHP community, there will always be a chance that we overlooked something. Please ask your favorite trusted hackers to hammer it for implementation errors and bugs before even thinking about deploying it in production.
Do not use the master branch, use a stable release.
For the background of this library, please refer to our blog post on Generating Random Integers and Strings in PHP.
Usability Notice
If PHP cannot safely generate random data, this library will throw an Exception.
It will never fall back to insecure random data. If this keeps happening, upgrade
to a newer version of PHP immediately.
Installing
With Composer:
# For libraries and frameworks that support PHP 5 but may be used by
# other software that only supports PHP 7:
composer require paragonie/random_compat:\>=2
# For software that explicitly needs PHP 5 support:
composer require paragonie/random_compat:\<9.99
Signed PHP Archive:
As of version 1.2.0, we also ship an ECDSA-signed PHP Archive with each stable release on Github.
- Download the
.phar,.phar.pubkey, and.phar.pubkey.ascfiles. - (Recommended but not required) Verify the PGP signature of
.phar.pubkey(contained within the.ascfile) using the PGP public key for Paragon Initiative Enterprises. - Extract both
.pharand.phar.pubkeyfiles to the same directory. require_once "/path/to/random_compat.phar";- When a new version is released, you only need to replace the
.pharfile; the.pubkeywill not change (unless our signing key is ever compromised).
Manual Installation:
- Download a stable release.
- Extract the files into your project.
require_once "/path/to/random_compat/lib/random.php";
The entrypoint should be lib/random.php directly, not any of the other files in /lib.
Usage
This library exposes the CSPRNG functions added in PHP 7 for use in PHP 5 projects. Their behavior should be identical.
Generate a string of random bytes
try { $string = random_bytes(32); } catch (TypeError $e) { // Well, it's an integer, so this IS unexpected. die("An unexpected error has occurred"); } catch (Error $e) { // This is also unexpected because 32 is a reasonable integer. die("An unexpected error has occurred"); } catch (Exception $e) { // If you get this message, the CSPRNG failed hard. die("Could not generate a random string. Is our OS secure?"); } var_dump(bin2hex($string)); // string(64) "5787c41ae124b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2eeac6f"
Generate a random integer between two given integers (inclusive)
try { $int = random_int(0, 255); } catch (TypeError $e) { // Well, it's an integer, so this IS unexpected. die("An unexpected error has occurred"); } catch (Error $e) { // This is also unexpected because 0 and 255 are both reasonable integers. die("An unexpected error has occurred"); } catch (Exception $e) { // If you get this message, the CSPRNG failed hard. die("Could not generate a random int. Is our OS secure?"); } var_dump($int); // int(47)
Exception handling
When handling exceptions and errors you must account for differences between PHP 5 and PHP7.
The differences:
- Catching
Errorworks, so long as it is caught beforeException. - Catching
Exceptionhas different behavior, without previously catchingError. - There is no portable way to catch all errors/exceptions.
Our recommendation
Always catch Error before Exception.
Example
try { return random_int(1, $userInput); } catch (TypeError $e) { // This is okay, so long as `Error` is caught before `Exception`. throw new Exception('Please enter a number!'); } catch (Error $e) { // This is required, if you do not need to do anything just rethrow. throw $e; } catch (Exception $e) { // This is optional and maybe omitted if you do not want to handle errors // during generation. throw new InternalServerErrorException( 'Oops, our server is bust and cannot generate any random data.', 500, $e ); }
Troubleshooting
Exception: "Could not gather sufficient random data"
If an Exception is thrown, then your operating system is not secure.
- If you're on Windows, make sure you enable mcrypt.
- If you're on any other OS, make sure
/dev/urandomis readable.- FreeBSD jails need to expose
/dev/urandomfrom the host OS - If you use
open_basedir, make sure/dev/urandomis allowed
- FreeBSD jails need to expose
This library does not (and will not accept any patches to) fall back to an insecure random number generator.
Version Conflict with [Other PHP Project]
If you're using a project that has a line like this in its composer.json
"require" {
...
"paragonie/random_compat": "~1.1",
...
}
...and then you try to add random_compat 2 (or another library that explicitly requires random_compat 2, such as this secure PHP encryption library), you will get a version conflict.
The solution is to get the project to update its requirement string to allow version 2 and above to be used instead of hard-locking users to version 1.
"require" {
...
- "paragonie/random_compat": "~1.1",
+ "paragonie/random_compat": ">=1",
...
}
Version 9.99.99
Note: There is a special version called 9.99.99 which makes this
library do nothing, but is only installable on PHP 7.
If you're writing software (e.g. a library) that supports PHP 5, but may
be used by software that doesn't, you'll want to allow 9.99.99 to be
installed. The above diff is what you want.
Conversely, if you're writing software that (in and of itself) supports PHP 5, you do not want 9.99.99 to be installed, so you'll want to make this change instead:
"require" {
...
- "paragonie/random_compat": "~1.1",
+ "paragonie/random_compat": ">=1 <9.99",
...
}
To avoid installing "empty" version 9.99.99 you can add replace section
in your root composer.json:
"replace": {
"paragonie/random_compat": "9.99.99"
},
Manifest Read Length Error
If you're using the PHP Archive (Phar) approach rather than Composer, and
you are getting an error message to the effect of "manifest read length
was {int1} should be {int2}", the Phar extension may not be enabled.
See this comment for specific guidance on how to fix this issue.
Contributors
This project would not be anywhere near as excellent as it is today if it weren't for the contributions of the following individuals:
- @AndrewCarterUK (Andrew Carter)
- @asgrim (James Titcumb)
- @bcremer (Benjamin Cremer)
- @chriscct7 (Chris Christoff)
- @CodesInChaos (Christian Winnerlein)
- @ConnorVG (Connor S. Parks)
- @cs278 (Chris Smith)
- @cweagans (Cameron Eagans)
- @dd32 (Dion Hulse)
- @geggleto (Glenn Eggleton)
- @glensc (Elan Ruusamäe)
- @GrahamCampbell (Graham Campbell)
- @ircmaxell (Anthony Ferrara)
- @jdevalk (Joost de Valk)
- @jedisct1 (Frank Denis)
- @juliangut (Julián Gutiérrez)
- @kelunik (Niklas Keller)
- @lt (Leigh)
- @MasonM (Mason Malone)
- @menkaff (Mehran NikNafs)
- @mmeyer2k (Michael M)
- @narfbg (Andrey Andreev)
- @nicolas-grekas (Nicolas Grekas)
- @ocean90 (Dominik Schilling)
- @oittaa
- @oucil (Kevin Farley)
- @philios33 (Phil Nicholls)
- @redragonx (Stephen Chavez)
- @relaxnow (Boy Baukema)
- @rchouinard (Ryan Chouinard)
- @rugk
- @SammyK (Sammy Kaye Powers)
- @scottchiefbaker (Scott Baker)
- @skyosev (Stoyan Kyosev)
- @sthen (Stuart Henderseon)
- @stof (Christophe Coevoet)
- @teohhanhui (Teoh Han Hui)
- @tom-- (Tom Worster)
- @tsyr2ko
- @trowski (Aaron Piotrowski)
- @twistor (Chris Lepannen)
- @vinkla (Vincent Klaiber)
- @voku (Lars Moelleken)
- @xabbuh (Christian Flothmann)
Support Contracts
If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.
paragonie/random_compat 适用场景与选型建议
paragonie/random_compat 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 683.88M 次下载、GitHub Stars 达 8.16k, 最近一次更新时间为 2015 年 07 月 07 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「random」 「polyfill」 「csprng」 「pseudorandom」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 paragonie/random_compat 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 paragonie/random_compat 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 paragonie/random_compat 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
A polyfill for pthreads
The most convenient way to securely generate anything random in PHP
Compatibility layer for emulating enumerations in PHP < 8.1 and native enumerations in PHP >= 8.1
PHP polyfill for the Apache Functions. The aim is to provides functions as the PHP way in order to get them available even if PHP is not running as an Apache module.
Polyfill for mb_ereg(), mb_eregi(), mb_ereg_match(), and mb_ereg_replace*() functions; primary use case is for mbstring on Windows 7.4+
CubicleSoft PHP Software Development Libraries for Composer
统计信息
- 总下载量: 683.88M
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 8184
- 点击次数: 31
- 依赖项目数: 430
- 推荐数: 108
其他信息
- 授权协议: MIT
- 更新时间: 2015-07-07