Reputation: 95
/dev/urandom error (permission denied by webhost)
I am using function:
private function random($len) {
if (@is_readable('/dev/urandom')) {
$f=fopen('/dev/urandom', 'r');
$urandom=fread($f, $len);
fclose($f);
}
$return='';
for ($i=0;$i<$len;++$i) {
if (!isset($urandom)) {
if ($i%2==0) mt_srand(time()%2147 * 1000000 + (double)microtime() * 1000000);
$rand=48+mt_rand()%64;
} else $rand=48+ord($urandom[$i])%64;
if ($rand>57)
$rand+=7;
if ($rand>90)
$rand+=6;
if ($rand==123) $rand=52;
if ($rand==124) $rand=53;
$return.=chr($rand);
}
return $return;
}
I have some forms which trigger this function and I get the error:
int(2) string(200) "is_readable(): open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s):
Is there a way to replace this function and not to use /dev/urandom ?
Thank you very much.
Upvotes: 3
Views: 836
Answers (2)
Reputation: 4904
If your host doesn't support random_int() you can use a function which I made for myself.
function generateRandomString($length, $secureRand = false, $chars="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") {
if (!function_exists("random_int") && $secureRand) {
function random_int($min, $max) {
$range = $max - $min;
if ($range <= 0) return $min;
$log = ceil(log($range, 2));
$bytes = (int)($log / 8) + 1;
$filter = (int)(1 << ((int)($log + 1))) - 1;
do {
$rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes, $s)));
if (!$s) continue;
$rnd = $rnd & $filter;
} while ($rnd > $range);
return $min + $rnd;
}
}
$charsCount = strlen($chars) - 1;
$output = "";
for ($i=1; $i <= $length; $i++) {
if ($secureRand)
$output .= $chars[random_int(0, $charsCount)];
else
$output .= $chars[mt_rand(0, $charsCount)];
}
return $output;
}
If you need a secure random string (e.g. random passwords):
generateRandomString(8, true);
this will give you a 8 lenght string.
Upvotes: 0
Reputation: 34123
From the (previously accepted) answer:
Instead of urandom you can use "rand":
Nooooooooo!
Dealing with open_basedir is one of the things we handle gracefully in random_compat. Seriously consider importing that library then just using random_bytes() instead of reading from /dev/urandom.
Whatever you do, DON'T USE rand(). Even if you believe there's a use case for it, the security trade-offs are a lie.
Also, if you need a function to generate a random string (depends on PHP 7 or random_compat):
/**
* Note: See https://paragonie.com/b/JvICXzh_jhLyt4y3 for an alternative implementation
*/
function random_string($length = 26, $alphabet = 'abcdefghijklmnopqrstuvwxyz234567')
{
if ($length < 1) {
throw new InvalidArgumentException('Length must be a positive integer');
}
$str = '';
$alphamax = strlen($alphabet) - 1;
if ($alphamax < 1) {
throw new InvalidArgumentException('Invalid alphabet');
}
for ($i = 0; $i < $length; ++$i) {
$str .= $alphabet[random_int(0, $alphamax)];
}
return $str;
}
Demo code: https://3v4l.org/DOjNE
Upvotes: 9
Related Questions
- generating a random code in php?
- PHP SourceCode Random
- defuse php - Your system does not have a secure random number generator
- Convert random values from /dev/urandom
- How to use /dev/urandom with PHP to get CS random numbers
- Mixing other sources of random numbers with ones generated by /dev/urandom
- Best way to let PHP access /dev/random?
- PHP / Apache sh error permission denied on every request
- Simple random generator script not working
- Reading /dev/urandom and generating a random integer