
Generate a Random String With PHP


The large number of string, random, and hashing functions makes it easy to generate a random string with PHP. This article, partially migrated from Internoetics, looks at just a couple of ways of building a random string of a defined length from a pool of characters. Generally speaking, increasing the length of a string and character count makes the string (or password) more secure.


The first example takes a user-defined string of permitted characters and randomly selects one character at a time, concatenating each character in a loop. The function first uses mt_rand() to return a random position in our string of permitted characters. We then use substr() to return the random $character at that position.


The second function comes to us by way of the WordPress wp_generate_password() function. We’ve simply changed the name of the function and removed the password filter. If you’re using WordPress and require a unique string, the wp_generate_password() function is almost certainly the easiest option. With the special_chars argument set to false, it selects characters from the same string as the first example. While WP uses wp_rand(), we’ve altered it to use mt_rand().

Other than using wp_rand() instead of mt_rand(), the functions are similar in the way in which they effectively truncate a string before concatenating the last character. WordPress adds the option of $special_chars and $extra_special_chars via Boolean arguments to the mix – effectively increasing complexity and security.

The Code Explained

The first two functions use the same means of concatenating a new character: substr($chars, mt_rand(0, strlen($chars) - 1), 1);, so it’s worth looking at how it works.

PHP’s mt_rand() function generates a random value via the Mersenne Twister Random Number Generator. It accepts two arguments: $min and $max (the latter defaulting to the platform-dependent mt_getrandmax() value if not defined). We select a random value between 0 and the length of the string (strlen($chars)) minus 1. We subtract 1 because substr(), the next function to perform its magic, counts positions from zero: the first character in our permitted character string (in our case, “a”) is at position 0, so the last character sits at position strlen($chars) - 1.

The substr() function returns the part of a string specified by the start and length parameters. To see how it might actually apply, and assuming mt_rand() returned a value of 9, our function would look like this: substr($chars, 9, 1);. Counting from 0, the character at position 9 in our string is j (we’ll only return 1 character as per our third argument).

The function repeats this in a loop, appending a single character on each pass until the string reaches the required $length.
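The loop described above, written out as an added example (not the article's original code) next to the same loop using PHP 7's random_int(). mt_rand() is not a cryptographically secure generator, so strings used as passwords or tokens should come from the second function; the POOL constant and both function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Character pool: an assumption, standing in for the article's own permitted-character string.
const POOL = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// The pattern the article explains: one substr()/mt_rand() pick per loop pass.
function random_string_mt(int $length, string $chars = POOL): string
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
    }
    return $out;
}

// Same loop, but random_int() draws from the operating system's CSPRNG.
function random_string_csprng(int $length, string $chars = POOL): string
{
    if ($length < 1 || strlen($chars) < 2) {
        throw new InvalidArgumentException('need length >= 1 and a pool of >= 2 characters');
    }
    $max = strlen($chars) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

// mt_rand() output is fully determined by its seed: reseeding replays the same string.
mt_srand(1234); // constructed seed, for demonstration only
$first = random_string_mt(15);
mt_srand(1234);
$second = random_string_mt(15);
printf("mt_rand replayed after reseed: %s\n", $first === $second ? 'yes' : 'no');

// random_int() has no user-controlled seed, so there is nothing to replay.
printf("random_int strings: %s %s\n", random_string_csprng(15), random_string_csprng(15));

// Length and pool size both feed the search space: bits = length * log2(pool size).
// This only holds when every character is drawn unpredictably, as with random_int().
printf("entropy of 15 chars from this pool: %.1f bits\n", 15 * log(strlen(POOL), 2));
```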

Example Output

Only because we did the same thing on Internoetics, here’s an example random string. Each page refresh will generate a new string.


If you’re interested, this is shortcode.

We’ve used [randomstring length="15"] to return the string. WordPress does something similar when recommending a password on account generation.


  • There are any number of ways of producing secure strings. Read up on Stack Overflow for a large number of alternatives. Many make use of built-in PHP 7 functions. Some other examples refer to external libraries designed with more secure cryptography in mind.
  • Additional characters can be added to our first $allowed character array.

