The large number of string, random, and hashing functions makes it easy to generate a random string with PHP. This article, partially migrated from Internoetics, looks at a couple of ways of building a random string of a defined length from a pool of characters. Generally speaking, increasing the length of a string and character count makes the string (or password) more secure.
The first example takes a user-defined string of permitted characters and randomly selects one character at a time, concatenating each character in a loop. The function first uses mt_rand() to return a random character anchor point in our string. We then use substr() to return our random $character from the generated string.
The second function comes to us by way of the WordPress wp_generate_password() function. We've simply changed the name of the function and removed the password filter. If you're using WordPress and require a unique string, the wp_generate_password() function is almost certainly the easiest option. With the special_chars arguments as false, it selects characters from the same string as the first example. While WP uses wp_rand(), we've altered it to use
Other than using wp_rand() instead of mt_rand(), the functions are similar in the way in which they effectively truncate a string before concatenating the last character. WordPress adds the option of $extra_special_chars via Boolean arguments to the mix - effectively increasing complexity and security.
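The mt_rand() and substr() loop described above, next to the same loop driven by PHP 7's random_int(), which draws from the operating system's CSPRNG and is the safer choice when the string is a password or token. This is an added example, not code from the original article or from WordPress; the POOL constant and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed character pool (assumption; the article's own pool is not reproduced here).
const POOL = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// The approach the article describes: mt_rand() picks an offset, substr() returns one character.
// The Mersenne Twister is fine for non-secret identifiers but is not a cryptographic generator.
function random_string_mt(int $length, string $chars = POOL): string
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
    }
    return $out;
}

// Same loop, but offsets come from random_int() (PHP 7+), which is backed by the OS CSPRNG
// and returns uniformly distributed integers over the requested range.
function random_string_csprng(int $length, string $chars = POOL): string
{
    $max = strlen($chars) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and a pool of at least 2 characters');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

// Approximate strength in bits: length * log2(pool size). Assumes a uniform generator and no duplicate characters in the pool.
function entropy_bits(int $length, string $chars = POOL): float
{
    return $length * log(strlen($chars), 2);
}

// Re-seeding the Mersenne Twister with the same value replays the same sequence,
// so anyone who learns or guesses the seed can reproduce the "random" string.
mt_srand(42);
$a = random_string_mt(15);
mt_srand(42);
$b = random_string_mt(15);
var_dump($a === $b);

echo random_string_csprng(15), PHP_EOL;
printf("%.1f bits for 15 characters from this pool\n", entropy_bits(15));
```

entropy_bits() puts a number on the article's point that a longer string and a larger pool are harder to guess; the figure only holds when the offsets come from a generator an attacker cannot predict.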
The Code Explained
The first two functions use the same means of concatenating a new character: substr($chars, mt_rand(0, strlen($chars) - 1), 1);, so it's worth looking at how it works.
The mt_rand() function generates a random value via the Mersenne Twister random number generator. It accepts two arguments: $max (the latter defaulting to the platform dependent mt_getrandmax() value if not defined). We select a random value between 0 and the length of the string (strlen($chars)). We subtract 1 because the value is handed to the next function to perform its magic, substr(), as a position, and we want the highest possible value to point at the last character in our string. substr() considers the first value in our permitted character string (in our case, "a") as the 0th position.
The substr() function returns part of a string specified by the length parameters (the length accepting a start and end position). To see how it might actually apply, and assuming mt_rand() returned a value of 9, our function would look like this: substr($chars, 9, 1);. Starting from 0, the 9th character in our string is j (we'll only return 1 character as per our third argument).
The function then loops over the string and returns a single character on each occasion until it reaches the required
Only because we did the same thing on Internoetics, here's an example random string. Each page refresh will generate a new string.
If you're interested, this is shortcode. [randomstring length="15"] to return the string. WordPress does something similar when recommending a password on account generation.
- There are any number of ways of producing secure strings. Read up on Stack Overflow for a large number of alternatives. Many make use of inbuilt PHP 7 functions. Some other examples refer to external libraries designed with more secure cryptography in mind.
- Additional characters can be added to our first