Generate Random Alphanumeric Strings in PHP

Let me begin this post by saying that almost no event is truly random. Even the outcome of a classic coin toss could in theory be predicted if we knew the effect of every factor involved, like air friction, gravity, and initial force.

The same thing is applicable to the generation of random numbers and alphanumeric strings. The best we can hope for is to generate numbers and strings that don’t seem to follow a pattern and can’t be practically predicted by an attacker. 

In this tutorial, we will cover different techniques for generating random numbers and alphanumeric strings in PHP. Some of them will be cryptographically secure, while others are meant only for casual use, like assigning pseudo-random file names or creating URLs and suggesting usernames.

Generating Random Numbers in PHP

There are three different functions for generating random numbers in PHP. All of them will accept a minimum and maximum possible value for the random numbers and output a random number for you. These are rand($min, $max), mt_rand($min, $max), and random_int($min, $max).

With rand(), the minimum and maximum values of integers you can generate lie between 0 and the value returned by getrandmax(). Before PHP 7.1.0, this function was about four times slower than mt_rand(). However, starting from PHP 7.1.0, it has been made an alias of mt_rand(). Unlike mt_rand(), though, you can set the value of $max to be lower than $min without causing an error.

With mt_rand(), the minimum and maximum values of integers you can generate lie between 0 and the value returned by mt_getrandmax(). It relies on an implementation of the Mersenne Twister to generate random numbers. Watch out, though—prior to PHP 7.1.0, this function implemented an incorrect version of the algorithm to generate the numbers. However, it has been fixed in newer versions.

The function became even better in PHP 7.2.0 by getting rid of a modulo bias bug. This means that for some particular seeds, your sequence of random numbers will now be slightly better compared to older versions. Some specialized code might actually rely on this bias, though. If so, you can use the older seed algorithm by calling the mt_srand() function to seed the random number generator and passing MT_RAND_PHP as the value of the second parameter.

The mt_rand() function has a period of 2^19937 − 1, which basically means that in best case scenarios you get as many as 2^19937 − 1 random numbers before the sequence starts repeating. You should note that repetition of a sequence is not the same as repetition of a particular number. In other words, you might get the same random number twice, but that does not mean that the sequence itself has started repeating. The following sequence is an example:

In the above sequence, we had 1267 twice in the output, but that does not mean that the whole sequence started repeating after that. It’s unlikely to get the same number repeated so soon in a random sequence, but it is possible!

Cryptographically Secure Random Integers

If you want cryptographically secure pseudo-random numbers, the random_int() function in PHP is your best bet. It will generate random numbers between the provided $min and $max values, which default to PHP_INT_MIN and PHP_INT_MAX. Unfortunately, this function is only available starting from PHP 7.0. For versions before that, you can use this polyfill on GitHub.

Random Floats

Instead of generating random integers, you might also want to generate floats. This can be done by dividing a random number by the value returned by mt_getrandmax(). The following example will illustrate how to generate a random float between 0 and 1 or between any other minimum and maximum limits.

When generating a random float between given limits, we make sure that the random integer numbers do not go above $max - 1. This way, we can be sure that adding the float part will not take the number above the maximum limit.

Seeding the Random Number Generators

One concept that needs a little bit of explanation is seeds. Put simply, these are just numbers that can be used to initialize the rand() and mt_rand() functions before generating any random numbers. The function which seeds rand() is called srand($seed), and the function which seeds mt_rand() is called mt_srand($seed, $mode).

It’s important to remember that providing an initial seed value every single time before calling rand() and mt_rand() won’t necessarily produce better random numbers. In fact, using the same seed each time will give you the same random number as well!

Seeding a random number is useful in situations where you want to generate a random but reproducible sequence. The following code snippet generates the same sequence of random numbers when run twice.
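The seeding behaviour described above, set beside random_int() from the "Cryptographically Secure Random Integers" section, applied to alphanumeric strings. This is an added example, not code from the original tutorial; the names ALPHABET, casual_string() and secure_string() and the seed 1234 are hypothetical, and PHP 7.0 or later is assumed.

```php
<?php
// Added example; all names below are hypothetical, not from the tutorial.
const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Casual use only (file names, suggested usernames).
// mt_rand() output is fully determined by the seed, so anyone who
// knows or guesses the seed can regenerate the same string.
function casual_string(int $length, int $seed): string
{
    mt_srand($seed);                 // re-seeds the process-wide generator
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, $max)];
    }
    return $out;
}

// For session tokens, reset links, API keys and similar secrets.
// random_int() draws from the operating system's CSPRNG, takes no seed,
// and selects each index uniformly within [0, $max].
function secure_string(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Constructed sample seed: two runs with the same seed are compared.
$first  = casual_string(16, 1234);
$second = casual_string(16, 1234);
echo "seeded run 1: $first\n";
echo "seeded run 2: $second\n";
echo 'seeded runs identical: ', var_export($first === $second, true), "\n";

// No seed exists to replay, so each call is independent of the last.
echo 'secure token 1: ', secure_string(16), "\n";
echo 'secure token 2: ', secure_string(16), "\n";
```

Keep casual_string()-style output to values where guessing costs nothing; anything an attacker benefits from predicting should come from the random_int() path.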
