Home/ Questions/Q 8951849
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T13:45:14+00:00

I am currently working on a project which requires closed loop email verification. As

  • 0

I am currently working on a project which requires closed loop email verification. As part of the process I need to generate a random hash string which can be appended to a link sent to the user. When they click the link they will be directed to my site at which time the app will confirm the hash and complete the registration process. For all my hashing I have been using:

hash('sha256', $string);

But for this process, I need to seed $string with a random value. I have Zend Framework available and was looking to do something like this:

$crypt = new Zend_Filter_Encrypt_Mcrypt(array());

$hash = hash('sha256', $crypt->getVector());

My question is, is this a viable algorithm for generating random hash codes?

Here is the Zend_Filter_Encrypt_Mcrypt::setVector() method (generates the value returned via getVector():

public function setVector($vector = null)
{
    $cipher = $this->_openCipher();
    $size   = mcrypt_enc_get_iv_size($cipher);
    if (empty($vector)) {
        $this->_srand();
        if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' && version_compare(PHP_VERSION, '5.3.0', '<')) {
            $method = MCRYPT_RAND;
        } else {
            if (file_exists('/dev/urandom') || (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')) {
                $method = MCRYPT_DEV_URANDOM;
            } elseif (file_exists('/dev/random')) {
                $method = MCRYPT_DEV_RANDOM;
            } else {
                $method = MCRYPT_RAND;
            }
        }
        $vector = mcrypt_create_iv($size, $method);
    } else if (strlen($vector) != $size) {
        require_once 'Zend/Filter/Exception.php';
        throw new Zend_Filter_Exception('The given vector has a wrong size for the set algorithm');
    }

    $this->_encryption['vector'] = $vector;
    $this->_closeCipher($cipher);

    return $this;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m not very familiar with ZF, but something that has the word Encrypt in it just sounds like the wrong approach.

    The ->getVector() sounds similar to what the Initialization Vector does in symmetric encryption; the problem is that such a vector doesn’t need to be cryptographically safe, just random. For instance, it may well be just implemented as uniqid(mt_rand()) or something.

    ->getVector() uses mcrypt to first initialize the encryption cipher to know how big the IV should be; this is typically 8 bytes, but it largely depends on the block size of the used cipher. The thing is, you’re not encrypting anything; you just want a random sequence.

    The better way to get a random sequence is by using openssl_random_pseudo_bytes() with a size of 8 bytes.

    In its absence, you could also read from an entropy file such as /dev/random or /dev/urandom. Afterwards you can run it through binh2hex() to generate a hexadecimal string.

    Something like this is pretty rudimentary but should work on Linux’y systems:

    $rnd = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 8));

    As a fallback for Windows, you can still use something like:

    $rnd = hash('sha256', uniqid(mt_rand(), true));
    • 0