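I am 自然花瓣, a blogger at 靠谱客. This article, which I collected during recent development work, mainly covers "strshuffle PHP vulnerability, str_shuffle()". I found it quite good and am sharing it here as a reference.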

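Overview

str_shuffle()

(PHP 4 >= 4.3.0, PHP 5, PHP 7)

Randomly shuffles a string

Description

str_shuffle(string $str): string

str_shuffle() shuffles a string, producing one of all the possible permutations.

Caution

This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes().

Parameters

$str: The input string.

Return Values

Returns the shuffled string.

Changelog

Version 7.1.0: The internal randomization algorithm has been changed from the libc rand function to the Mersenne Twister pseudo-random number generator.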

Examples

Example #1 str_shuffle() example

<?php
$str = 'abcdef';
$shuffled = str_shuffle($str);

// Outputs something like: bfdaec
echo $shuffled;
?>
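
The caution and the 7.1.0 changelog entry above, as an added example (not part of the PHP manual or of the notes collected on this page): seeding the Mersenne Twister makes str_shuffle() replay its output, and a prefix of a shuffled alphabet can never repeat a character, while random_int() draws from the system CSPRNG. The function names secure_shuffle() and secure_token() are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example. secure_shuffle() and secure_token() are hypothetical names.
// Assumes PHP >= 7.1 (random_int() exists, str_shuffle() uses Mersenne Twister).

/** Fisher-Yates shuffle of a byte string, with indexes from the CSPRNG. */
function secure_shuffle(string $str): string
{
    for ($i = strlen($str) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);              // uniform index in [0, $i]
        $tmp = $str[$i];
        $str[$i] = $str[$j];
        $str[$j] = $tmp;
    }
    return $str;
}

/** $len characters drawn independently from $alphabet, repeats allowed. */
function secure_token(int $len, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    if ($len < 1 || $max < 1) {
        throw new InvalidArgumentException('need $len >= 1 and 2+ symbols');
    }
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// 1. Same seed, same "random" order: whoever learns or guesses the seed
//    can regenerate every value str_shuffle() produced.
mt_srand(12345);
$first = str_shuffle('Randomize me');
mt_srand(12345);
$second = str_shuffle('Randomize me');
echo 'replayed after reseeding: ', var_export($first === $second, true), "\n";

// 2. A prefix of a shuffled alphabet never repeats a character, so an
//    8-character value has 62*61*...*55 possibilities instead of 62^8.
$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$weak = substr(str_shuffle($alphabet), 0, 8);
echo 'distinct characters in weak value: ', strlen(count_chars($weak, 3)), "\n";

// 3. CSPRNG-backed replacements for both uses.
echo secure_token(16, $alphabet), "\n";
echo secure_shuffle('Randomize me'), "\n";
```

secure_shuffle() works on bytes, so multibyte text should first be split into characters before shuffling.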

See Also

Aoccdrnig to rseearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is that the frist and lsat ltteer is at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed ervey lteter by it slef but the wrod as a wlohe.

Hree's a cdoe taht slerbmcas txet in tihs way:

<?php
function scramble_word($word) {
    // Words shorter than two characters have nothing to shuffle
    if (strlen($word) < 2)
        return $word;
    else
        // Keep the first and last characters, shuffle everything in between
        return $word[0] . str_shuffle(substr($word, 1, -1)) . $word[strlen($word) - 1];
}

// preg_replace_callback() takes the place of the /e modifier, which PHP 7 removed
echo preg_replace_callback('/(\w+)/', function ($m) { return scramble_word($m[1]); }, 'A quick brown fox jumped over the lazy dog.');
?>

It may be ufseul if you wnat to cetare an aessblicce CTCPAHA.

This function is affected by srand():

<?php
srand(12345);
echo str_shuffle('Randomize me') . "\n"; // "demmiezr aon"
echo str_shuffle('Randomize me') . "\n"; // "izadmeo rmen"
srand(12345);
echo str_shuffle('Randomize me') . "\n"; // "demmiezr aon" again
?>

A proper unicode string shuffle;

<?php
function str_shuffle_unicode($str) {
    // Split into UTF-8 characters rather than bytes
    $tmp = preg_split("//u", $str, -1, PREG_SPLIT_NO_EMPTY);
    shuffle($tmp);
    return join("", $tmp);
}
?>

<?php
$str = "Şeker yârim"; // My sweet love
echo str_shuffle($str); // ieymrŢekr
echo str_shuffle_unicode($str); // Şr mreyeikâ
?>

This page is missing a very important notice:

Caution

This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using random_int(), random_bytes(), or openssl_random_pseudo_bytes() instead.

Shuffle for all encoding formats

<?php
function unicode_shuffle($string, $chars, $format = 'UTF-8')
{
    // Pick $chars random character positions from $string
    for ($i = 0; $i < $chars; $i++)
        $rands[$i] = rand(0, mb_strlen($string, $format) - 1); // last valid index is length - 1
    $s = NULL;
    foreach ($rands as $r)
        $s .= mb_substr($string, $r, 1, $format);
    return $s;
}
?>

<?php
/**
 * Test shuffleString
 */
function testShuffleString() {
    $shuffled = shuffleString("ĄęźćÓ");
    if (mb_strlen($shuffled) != 5) {
        throw new UnexpectedValueException("Invalid count of characters");
    }
    if ($shuffled == "ĄęźćÓ") {
        throw new UnexpectedValueException("The same string");
    }
    foreach (["Ą", "ę", "ź", "ć", "Ó"] as $char) {
        if (mb_strpos($shuffled, $char) === false) {
            throw new UnexpectedValueException("Character not found");
        }
    }
}

/**
 * Shuffle string
 *
 * @param $stringValue String to shuffle
 * @param string $startWith Shuffle $stringValue and append to $startWith
 * @return string Shuffled string
 * @author Krzysztof Piasecki
 */
function shuffleString($stringValue, $startWith = "") {
    // Character indexes 0 .. length - 1
    $range = range(0, mb_strlen($stringValue) - 1);
    shuffle($range);
    foreach($range as $index) {
        $startWith .= mb_substr($stringValue, $index, 1);
    }
    return $startWith;
}

testShuffleString();
echo shuffleString("Hello"); // > 'elHol' (something like this)
echo shuffleString("World!", "Hello "); // > 'Hello do!lrW' (something like this)
?>

As noted in this documentation str_shuffle is NOT cryptographically secure, however I have seen many code examples online of people using nothing more than this to generate say random passwords. So I thought I'd share my function which, while it makes use of str_shuffle, also relies on random_int() for added security. I use this function to generate salts to use when working with hashes but it can also be used to generate default passwords for new users for example.

It starts with a universe of possible characters, in this case all letters (upper and lower case), 0-9, and several special characters.

It then will run str_shuffle on the universe of characters a random number of times, using random_int() (currently set to 1-10).

Then once the universe of possible characters has been shuffled, it uses random_int() once more to select the character at a random position within the shuffled string, and does that once for each character you want in the output.

<?php
function secret_gen( $len=64 ) {
    $secret = "";
    $charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_-+=`~,<>.[]: | ';
    // Shuffle the character set a random number of times (1-10)
    for ( $x = 1; $x <= random_int( 1, 10 ); $x++ ){
        $charset = str_shuffle( $charset );
    }
    // Pick each output character at a random position in the shuffled set
    for ( $s = 1; $s <= $len; $s++ ) {
        $secret .= substr( $charset, random_int( 0, strlen( $charset ) - 1 ), 1 );
    }
    return $secret;
}
?>

str_shuffle isn't recommendable for passwords. Each character exists only one time.

A function like the following one is better for this.

<?php
function generatePassword($length = 8) {
    $possibleChars = "abcdefghijklmnopqrstuvwxyz";
    $password = '';
    for($i = 0; $i < $length; $i++) {
        // Pick one character at a random position; repeats are possible
        $rand = rand(0, strlen($possibleChars) - 1);
        $password .= substr($possibleChars, $rand, 1);
    }
    return $password;
}
?>

To combine functionality and simplicity of the two functions below we can have:

<?php
function generatePasswd($numAlpha=6,$numNonAlpha=2)
{
    $listAlpha = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $listNonAlpha = ',;:!?.$/*-+&@_+;./*&?$-!,';
    // Take a prefix of each shuffled list, then shuffle the combined result
    return str_shuffle(
        substr(str_shuffle($listAlpha),0,$numAlpha) .
        substr(str_shuffle($listNonAlpha),0,$numNonAlpha)
    );
}
?>

Very, very simple random password generator, without using rand() function:

<?php
function random_password($chars = 8) {
    $letters = 'abcefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890';
    return substr(str_shuffle($letters), 0, $chars);
}
?>

Shortened function for PHP < 4.3

<?php
function RandomPass($numchar)
{
    $word = "a,b,c,d,e,f,g,h,i,j,k,l,m,1,2,3,4,5,6,7,8,9,0";
    $array=explode(",",$word);
    shuffle($array);
    // Separator first: the (array, separator) argument order is no longer accepted by PHP 8
    $newstring = implode("",$array);
    return substr($newstring, 0, $numchar);
}
?>
