PHP 5.x support for random_bytes() and random_int()

Overview

random_compat

PHP 5.x polyfill for random_bytes() and random_int() created and maintained by Paragon Initiative Enterprises.

Although this library should function in earlier versions of PHP, we will only consider issues relevant to supported PHP versions. If you are using an unsupported version of PHP, please upgrade as soon as possible.

Important

Although this library has been examined by some security experts in the PHP community, there will always be a chance that we overlooked something. Please ask your favorite trusted hackers to hammer it for implementation errors and bugs before even thinking about deploying it in production.

Do not use the master branch, use a stable release.

For the background of this library, please refer to our blog post on Generating Random Integers and Strings in PHP.

Usability Notice

If PHP cannot safely generate random data, this library will throw an Exception. It will never fall back to insecure random data. If this keeps happening, upgrade to a newer version of PHP immediately.

Installing

With Composer:

# For libraries and frameworks that support PHP 5 but may be used by
# other software that only supports PHP 7:
composer require paragonie/random_compat:\>=2

# For software that explicitly needs PHP 5 support:
composer require paragonie/random_compat:\<9.99

Signed PHP Archive:

As of version 1.2.0, we also ship an ECDSA-signed PHP Archive with each stable release on Github.

  1. Download the .phar, .phar.pubkey, and .phar.pubkey.asc files.
  2. (Recommended but not required) Verify the PGP signature of .phar.pubkey (contained within the .asc file) using the PGP public key for Paragon Initiative Enterprises.
  3. Extract both .phar and .phar.pubkey files to the same directory.
  4. require_once "/path/to/random_compat.phar";
  5. When a new version is released, you only need to replace the .phar file; the .pubkey will not change (unless our signing key is ever compromised).

Manual Installation:

  1. Download a stable release.
  2. Extract the files into your project.
  3. require_once "/path/to/random_compat/lib/random.php";

The entrypoint should be lib/random.php directly, not any of the other files in /lib.

Usage

This library exposes the CSPRNG functions added in PHP 7 for use in PHP 5 projects. Their behavior should be identical.

Generate a string of random bytes

try {
    $string = random_bytes(32);
} catch (TypeError $e) {
    // Well, it's an integer, so this IS unexpected.
    die("An unexpected error has occurred"); 
} catch (Error $e) {
    // This is also unexpected because 32 is a reasonable integer.
    die("An unexpected error has occurred");
} catch (Exception $e) {
    // If you get this message, the CSPRNG failed hard.
    die("Could not generate a random string. Is our OS secure?");
}

var_dump(bin2hex($string));
// string(64) "5787c41ae124b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2eeac6f"

Generate a random integer between two given integers (inclusive)

try {
    $int = random_int(0, 255);
} catch (TypeError $e) {
    // Well, it's an integer, so this IS unexpected.
    die("An unexpected error has occurred"); 
} catch (Error $e) {
    // This is also unexpected because 0 and 255 are both reasonable integers.
    die("An unexpected error has occurred");
} catch (Exception $e) {
    // If you get this message, the CSPRNG failed hard.
    die("Could not generate a random int. Is our OS secure?");
}

var_dump($int);
// int(47)

Exception handling

When handling exceptions and errors you must account for differences between PHP 5 and PHP 7.

The differences:

  • Catching Error works, so long as it is caught before Exception.
  • Catching Exception has different behavior, without previously catching Error.
  • There is no portable way to catch all errors/exceptions.

Our recommendation

Always catch Error before Exception.

Example

try {
    return random_int(1, $userInput);
} catch (TypeError $e) {
    // This is okay, so long as `Error` is caught before `Exception`.
    throw new Exception('Please enter a number!');
} catch (Error $e) {
    // This is required, if you do not need to do anything just rethrow.
    throw $e;
} catch (Exception $e) {
    // This is optional and may be omitted if you do not want to handle errors
    // during generation.
    throw new InternalServerErrorException(
        'Oops, our server is bust and cannot generate any random data.',
        500,
        $e
    );
}
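
The two functions and the catch ordering above, combined in an added example that is not part of random_compat or its README: a hex token generator and a uniform pick from a custom alphabet, both failing closed. The helper names generate_token() and random_string() and the sample alphabet are hypothetical.

```php
<?php
// Added example: generate_token() and random_string() are hypothetical
// helpers, not functions provided by random_compat.
// On PHP 5, load the polyfill first:
// require_once "/path/to/random_compat/lib/random.php";

/**
 * Hex-encoded token built from $numBytes of CSPRNG output.
 * Fails closed: every failure becomes an exception, never a weaker source.
 */
function generate_token($numBytes = 32)
{
    try {
        return bin2hex(random_bytes($numBytes));
    } catch (TypeError $e) {
        // Non-integer length: a caller bug.
        throw new InvalidArgumentException('Token length must be an integer', 0, $e);
    } catch (Error $e) {
        // Any other Error, such as a length below 1. Must precede Exception.
        throw new InvalidArgumentException('Invalid token length', 0, $e);
    } catch (Exception $e) {
        // No usable randomness source. Do not substitute mt_rand() or uniqid().
        throw new RuntimeException('No secure random source available', 0, $e);
    }
}

/**
 * $length characters drawn uniformly from $alphabet (single-byte characters).
 * random_int() is called per character so every symbol is equally likely;
 * reducing a random byte with "%" would favour the first symbols whenever
 * 256 is not a multiple of the alphabet size.
 */
function random_string($length, $alphabet)
{
    $max = strlen($alphabet) - 1;
    if ($max < 1) {
        throw new InvalidArgumentException('Alphabet needs at least 2 characters');
    }
    $out = '';
    try {
        for ($i = 0; $i < $length; ++$i) {
            $out .= $alphabet[random_int(0, $max)];
        }
    } catch (Error $e) {
        // Rethrow: on PHP 5 the polyfilled Error extends Exception, so
        // without this block the next one would swallow it.
        throw $e;
    } catch (Exception $e) {
        throw new RuntimeException('No secure random source available', 0, $e);
    }
    return $out;
}

// Constructed sample calls: a 16-byte token and a 12-character code from an
// alphabet without look-alike characters.
echo generate_token(16), "\n";
echo random_string(12, 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'), "\n";
```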

Troubleshooting

Exception: "Could not gather sufficient random data"

If an Exception is thrown, then your operating system is not secure.

  1. If you're on Windows, make sure you enable mcrypt.
  2. If you're on any other OS, make sure /dev/urandom is readable.
    • FreeBSD jails need to expose /dev/urandom from the host OS
    • If you use open_basedir, make sure /dev/urandom is allowed

This library does not (and will not accept any patches to) fall back to an insecure random number generator.
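
The checklist above as a script, added here as an example and not shipped with random_compat: it checks mcrypt on Windows, checks /dev/urandom readability and open_basedir elsewhere, then asks for one byte. The helper name csprng_diagnostics() is hypothetical, and the character-device check goes beyond the checklist.

```php
<?php
// Added example: csprng_diagnostics() is a hypothetical helper, not part of
// random_compat. On PHP 5, load lib/random.php (or the .phar) before calling it.

/**
 * Walk the troubleshooting checklist and return
 * array('ok' => bool, 'hints' => string[]). PHP 5-compatible syntax.
 */
function csprng_diagnostics()
{
    $hints = array();

    if (DIRECTORY_SEPARATOR === '\\') {
        // Windows: the checklist asks for mcrypt to be enabled.
        if (!extension_loaded('mcrypt')) {
            $hints[] = 'mcrypt extension is not loaded';
        }
    } else {
        $device  = '/dev/urandom';
        $basedir = (string) ini_get('open_basedir');
        // "@" hides the open_basedir warning; a blocked path reads as false.
        if (!@is_readable($device)) {
            $hints[] = $basedir !== ''
                ? "$device is not readable; open_basedir is set to '$basedir'"
                : "$device is not readable (missing from a jail or chroot, or wrong permissions)";
        } elseif (@filetype($device) !== 'char') {
            // A regular file here would serve fixed bytes, not kernel randomness.
            $hints[] = "$device exists but is not a character device";
        }
    }

    if (!function_exists('random_bytes')) {
        $hints[] = 'random_bytes() is undefined: PHP < 7 and the polyfill is not loaded';
        return array('ok' => false, 'hints' => $hints);
    }

    // The decisive test: ask for one byte and see whether it throws.
    $ok = false;
    try {
        random_bytes(1);
        $ok = true;
    } catch (Error $e) {
        // Caught before Exception, as the README recommends.
        $hints[] = 'random_bytes() raised Error: ' . $e->getMessage();
    } catch (Exception $e) {
        $hints[] = 'random_bytes() raised Exception: ' . $e->getMessage();
    }

    return array('ok' => $ok, 'hints' => $hints);
}

$result = csprng_diagnostics();
echo $result['ok'] ? "CSPRNG OK\n" : "CSPRNG NOT AVAILABLE\n";
foreach ($result['hints'] as $hint) {
    echo " - $hint\n";
}
```

Run it under the same SAPI and configuration as the failing application (web server or FPM pool, not only the CLI), since open_basedir and loaded extensions often differ between them.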

Version Conflict with [Other PHP Project]

If you're using a project that has a line like this in its composer.json

"require": {
    ...
    "paragonie/random_compat": "~1.1",
    ...
}

...and then you try to add random_compat 2 (or another library that explicitly requires random_compat 2, such as this secure PHP encryption library), you will get a version conflict.

The solution is to get the project to update its requirement string to allow version 2 and above to be used instead of hard-locking users to version 1.

"require" {
    ...
-    "paragonie/random_compat": "~1.1",
+    "paragonie/random_compat": ">=1",
    ...
}
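
Review bot: on the added line, ">=1" has no upper bound, so besides 9.99.99 it also accepts every future major version of the package; if only tested majors should be allowed, list them next to 9.99.99, as in the "~1.0|~2.0|9.99.99" constraint quoted in the comments further down this page. The context line "require" { is also missing its colon; composer.json needs "require": {.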

Version 9.99.99

Note: There is a special version called 9.99.99 which makes this library do nothing, but is only installable on PHP 7.

If you're writing software (e.g. a library) that supports PHP 5, but may be used by software that doesn't, you'll want to allow 9.99.99 to be installed. The above diff is what you want.

Conversely, if you're writing software that (in and of itself) supports PHP 5, you do not want 9.99.99 to be installed, so you'll want to make this change instead:

"require" {
    ...
-    "paragonie/random_compat": "~1.1",
+    "paragonie/random_compat": ">=1 <9.99",
    ...
}

To avoid installing the "empty" version 9.99.99, you can add a replace section to your root composer.json:

"replace": {
    "paragonie/random_compat": "9.99.99"
},

Manifest Read Length Error

If you're using the PHP Archive (Phar) approach rather than Composer, and you are getting an error message to the effect of "manifest read length was {int1} should be {int2}", the Phar extension may not be enabled.

See this comment for specific guidance on how to fix this issue.

Contributors

This project would not be anywhere near as excellent as it is today if it weren't for the contributions of the following individuals:

Support Contracts

If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.

Comments
  • Call for Review before 1.0.6 is tagged?

    Proposed for 1.0.6:

    • Add support for libsodium as an entropy source (suggested by @cweagans), if the extension is enabled (exposes getrandom(2) on modern Linux)
    • Relaxed open_basedir restrictions (suggested by @notr1ch) so, if /dev is listed in the open_basedir directive, it will still attempt to read from /dev/urandom
    • Allow random_bytes("3") without throwing an error

    These are the specific changes to be released: https://github.com/paragonie/random_compat/compare/1.0.5...master

    Afterwards, we can have a serious sober discussion about dropping OpenSSL and tagging 1.1.0.

    opened by paragonie-scott 74
  • openssl_random_pseudo_bytes() does not appear to be cryptographically secure

    Although the PHP docs claim that openssl_random_pseudo_bytes() returns a "cryptographically strong" result as long as the $crypto_strong parameter is true, I checked the source and that does not appear to be the case. The openssl_random_pseudo_bytes() PHP function calls the RAND_pseudo_bytes() OpenSSL function, which the OpenSSL docs say should only be used for non-cryptographic purposes:

    RAND_pseudo_bytes() has been deprecated. Users should use RAND_bytes() instead. RAND_pseudo_bytes() puts num pseudo-random bytes into buf. Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be unique if they are of sufficient length, but are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc.

    It's quite possible I'm missing something here. If so, I apologize for wasting your time.

    opened by MasonM 37
  • no suitable CSPRNG 1.3.0

    I'm getting an error when upgrading to 1.3.0. Error: There is no suitable CSPRNG installed on your system (in the random.php file). My desktop Ubuntu is PHP 7.0.4 and the server PHP is 5.6. I'm using random_compat in Laravel 5.1. I cannot fix it on the server, so I downgraded to 1.2.2, but on my desktop everything is OK :)

    opened by menkaff 29
  • Call for review before v1.0.0 is tagged

    Once #7 can be safely closed (depends on two PRs on php-src), we should be 100% compatible with random_bytes() and random_int(). At such time, I intend to tag v1.0.0 as the first stable release.

    Three questions:

    1. Does anyone have any objections?
    2. Would anyone like to request a delay in order to accommodate an in-depth review first?
    3. How confident are you that the current implementation is reasonably secure?

    Thanks everyone for contributing to this effort to backport random_bytes() and random_int() for PHP 5 users, and thanks to everyone who worked on the CSPRNG for PHP 7.

    opened by paragonie-scott 28
  • What to do about OpenSSL?

    I'm stuck between several possible avenues:

    • Release a new version (v1.3.0 or most likely v2.0.0) that doesn't rely on OpenSSL at all
    • Create an OpenSSL-free fork, called secure_random
    • Possibly in either case allow LibreSSL/BoringSSL but definitely not OpenSSL

    I'm interested in everyone's opinions here. The status quo is simply unacceptable.

    opened by paragonie-scott 25
  • Pure PHP PRNG?

    Both Drupal and phpseclib try to get random bytes from a good source, and then if they can't, they fall back to a pure PHP PRNG.

    The Drupal implementation looks like this:

          // If we couldn't get enough entropy, this simple hash-based PRNG will
          // generate a good set of pseudo-random bytes on any system.
          // Note that it may be important that our $random_state is passed
          // through hash() prior to being rolled into $output, that the two hash()
          // invocations are different, and that the extra input into the first one -
          // the microtime() - is prepended rather than appended. This is to avoid
          // directly leaking $random_state via the $output stream, which could
          // allow for trivial prediction of further "random" numbers.
          if (strlen($bytes) < $count) {
            // Initialize on the first call. The contents of $_SERVER includes a mix
            // of user-specific and system information that varies a little with
            // each page.
            if (!isset($random_state)) {
              $random_state = print_r($_SERVER, TRUE);
              if (function_exists('getmypid')) {
                // Further initialize with the somewhat random PHP process ID.
                $random_state .= getmypid();
              }
              $bytes = '';
            }
    
            do {
              $random_state = hash('sha256', microtime() . mt_rand() . $random_state);
              $bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
            } while (strlen($bytes) < $count);
    

    The phpseclib implementation is here: https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Crypt/Random.php#L116-L241 (too long to paste directly on this issue, and has a lot of dependencies on other parts of phpseclib).

    My question is:

    1. Should random_compat provide a pure PHP PRNG for people that don't have any reasonable randomness sources?; and if so:
    2. Is there some existing implementation that would make sense to pull into random_compat?

    opened by cweagans 23
  • com() has been disabled for security reasons

    After the release of 4.4, we received this report in the forums:

    https://wordpress.org/support/topic/issue-after-updating-to-44

    Warning: com() has been disabled for security reasons in D:...\wordpress\wp-includes\random_compat\random.php on line 94

    Looks like some servers disable this via the INI file. Maybe a check to prevent a warning here is in order.

    opened by Otto42 18
  • documentation on setup

    Okay, after trying out a lot I figured out how to install and use this. I wanted just the random_int so I tried that one, which didn't go nice since there was stuff from the other files that was needed, so it would be nice to write at least a single sentence about that you need to copy all the files from /lib into one folder and include/require the random.php, which will make it work.

    opened by My1 17
  • Is it really a compat package?

    If this is indeed a compatibility package, it should behave exactly like PHP does (when possible of course). Therefore, it should check for (and give the highest priority to) /dev/arandom availability too.

    Yes, /dev/urandom will simply redirect to /dev/arandom on current systems that have it and I made the same point on internals, but I also got a somewhat reasonable response on that.

    On a side note, while I do agree that exceptions are better in this case, I'm quite sure that PHP itself currently returns FALSE (and emits an E_WARNING) in case that random_bytes() fails. You might want to work with them to change that while there's still time. :) Also ... I'd use InvalidArgumentException and RuntimeException instead of the base Exception class.

    opened by narfbg 17
  • Global namespace collision

    Global namespace collision "Error"

    As soon as I upgraded from ramsey/uuid 3.2 to 3.3 via composer, my servers started reporting the following PHP Fatal error:

    PHP Fatal error: Call to undefined method Error::GetXML() in [script name]

    Downgrading to 3.2, which also removes the prerequisite paragonie/random_compat v2.0.2, fixed the issue.

    Issue appears to be in paragonie/random_compat extending Exception with the global name Error.

     // We can't really avoid making this extend Exception in PHP 5.
    class Error extends Exception
    

    See: https://github.com/paragonie/random_compat/blob/master/lib/error_polyfill.php

    Cheers.

    opened by eparisca 16
  • mcrypt_create_iv hangs (possibly a PHP 5.6.10-12 bug)

    If /dev/urandom is not readable, there is no point in trying to use mcrypt with the MCRYPT_DEV_URANDOM flag as a fallback. On my system the mcrypt extension actually hangs at 100% CPU forever.

    opened by philios33 16
  • "mbstring.func_overload" and "MB_OVERLOAD_STRING" removal from php8

    In preparation for a php I noticed a problem

    In the file byte_safe_strings.php the if statement check no longer seems necessary and these constants are no longer defined in php8

    opened by wesleyswordfish 1
  • Was 9.9.99 removed on purpose?

    Hi,

    Several packages (like https://github.com/nelmio/NelmioCorsBundle) have a hard dependency like this:

    "paragonie/random_compat": "~1.0|~2.0|9.99.99",
    

    They can't be installed anymore:

    $ composer require nelmio/security-bundle
    
    Using version ^2.10 for nelmio/security-bundle
    ./composer.json has been updated
    Loading composer repositories with package information
    Warning from https://repo.packagist.org: You are using an outdated version of Composer. Composer 2.0 is about to be released and the older 1.x releases will self-update directly to it once it is released. To avoid surprises update now to the latest 1.x version which will prompt you before self-updating to 2.x.
    Updating dependencies (including require-dev)
    Restricting packages listed in "symfony/symfony" to "^5.1"
    Your requirements could not be resolved to an installable set of packages.
    
      Problem 1
        - nelmio/security-bundle v2.10.0 requires paragonie/random_compat ~1.0|~2.0|9.99.99 -> satisfiable by paragonie/random_compat[1.0.10, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, v1.0.0, v1.0.1, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.3.0, v1.3.1, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.x-dev, v2.0.0, v2.0.1, v2.0.10, v2.0.11, v2.0.12, v2.0.13, v2.0.14, v2.0.15, v2.0.16, v2.0.17, v2.0.18, v2.0.19, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7, v2.0.8, v2.0.9, v9.99.99].
        - nelmio/security-bundle v2.10.1 requires paragonie/random_compat ~1.0|~2.0|9.99.99 -> satisfiable by paragonie/random_compat[1.0.10, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, v1.0.0, v1.0.1, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.3.0, v1.3.1, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.x-dev, v2.0.0, v2.0.1, v2.0.10, v2.0.11, v2.0.12, v2.0.13, v2.0.14, v2.0.15, v2.0.16, v2.0.17, v2.0.18, v2.0.19, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7, v2.0.8, v2.0.9, v9.99.99].
        - paragonie/random_compat 1.0.10 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.2 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.3 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.4 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.5 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.6 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.7 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.8 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.0.9 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.0 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.1 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.2 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.3 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.4 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.5 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat 1.1.6 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.0.0 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.0.1 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.2.0 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.2.1 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.2.2 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.2.3 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.3.0 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.3.1 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.4.0 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.4.1 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.4.2 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.4.3 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v1.x-dev conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.0 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.1 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.10 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.11 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.12 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.13 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.14 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.15 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.16 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.17 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.18 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.19 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.2 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.3 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.4 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.5 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.6 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.7 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.8 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v2.0.9 conflicts with __root__[No version set (parsed as 1.0.0)].
        - paragonie/random_compat v9.99.99 conflicts with __root__[No version set (parsed as 1.0.0)].
        - Installation request for __root__ No version set (parsed as 1.0.0) -> satisfiable by __root__[No version set (parsed as 1.0.0)].
        - Installation request for nelmio/security-bundle ^2.10 -> satisfiable by nelmio/security-bundle[v2.10.0, v2.10.1].
    
    
    Installation failed, reverting ./composer.json to its original content.
    
    opened by bobdenotter 7
  • PHP 5.6 EOL

    Hello,

    Since PHP 5.* is now EOL across the board, should this package be marked as abandoned or some message be added to the top of the readme to tell users it's no longer needed or supported?

    As your Readme says, you're only responding to new issues regarding supported PHP versions, however this package doesn't provide anything for PHP 7.1+?

    opened by Jamesking56 4
  • PHPCompatibility ruleset for random_compat

    Hi all,

    This is just a "service message".

    For those people who use this library and use PHPCompatibility in their CI process, there is now a custom ruleset available which can be used to prevent false positives being thrown by PHPCompatibility for the native PHP functionality being polyfilled by this repo.

    You can find the repo for the PHPCompatibilityParagonieRandomCompat ruleset here on Github as well as on Packagist.

    • https://github.com/PHPCompatibility/PHPCompatibilityParagonie
    • https://packagist.org/packages/phpcompatibility/phpcompatibility-paragonie

    Hope someone will find it useful :smile:

    P.S.: If anyone is interested in helping us to maintain the ruleset, please open an issue in the repo.

    opened by jrfnl 0
  • Attention: Version 9.99.99 is not an error, read the README

    Just to save everyone some time:

    Seriously

    This is not a mistake. This is not weird. This is not being removed.

    What's going on?

    See https://github.com/paragonie/random_compat#version-99999

    I put it in the README to save everyone time. I suppose an open issue will be more visible.

    opened by paragonie-scott 0
Releases(v2.0.21)