1.2.1010. Random Without Try
random_int() and random_bytes() require a try/catch structure around them.
random_int() and random_bytes() throw an Exception when they encounter a problem (for example, when no source of secure randomness is available). This way, a failure cannot be mistaken for a successful call that returns an empty or predictable value, which would lower security. Since PHP 7.4, openssl_random_pseudo_bytes() has adopted the same behavior; it is included in this analysis, so check your PHP version to see whether it applies to your application.
<?php
$length = 32; // number of bytes requested

try {
    $salt = random_bytes($length);
} catch (TypeError $e) {
    // Error while reading the provided parameter (wrong type)
} catch (Exception $e) {
    // Insufficient random data generated (no secure source available)
} catch (Error $e) {
    // Error with the provided parameter: length <= 0
}
?>
1.2.1010.1. Suggestions
Add a try/catch structure around calls to random_int() and random_bytes().
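The following is an added example, not code from the Exakat project or the rule above, showing what handling those exceptions looks like in practice: a token generator that wraps random_bytes() and random_int() and turns every failure into an explicit, logged error instead of silently continuing. The function names, the RuntimeException wrapping and the logging call are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build a URL-safe session token from random_bytes(), or fail loudly.
 * Added example (not Exakat code); makeSessionToken() is an assumed name.
 */
function makeSessionToken(int $bytes = 32): string
{
    try {
        $raw = random_bytes($bytes);
    } catch (\TypeError $e) {
        // Wrong parameter type (TypeError extends Error, so it is caught first)
        throw new \RuntimeException('Token generation failed: bad parameter type', 0, $e);
    } catch (\Error $e) {
        // Length <= 0: Error in PHP 7, ValueError in PHP 8 (ValueError extends Error)
        throw new \RuntimeException('Token generation failed: invalid length', 0, $e);
    } catch (\Exception $e) {
        // No secure entropy source: abort rather than falling back to rand()/mt_rand()
        error_log('random_bytes() unavailable: ' . $e->getMessage());
        throw new \RuntimeException('Token generation failed: no secure randomness', 0, $e);
    }

    // base64url encoding so the token is safe in cookies and query strings
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/**
 * Pick a uniformly distributed index in [0, $count - 1] with random_int().
 * Added example; pickIndex() is an assumed name.
 */
function pickIndex(int $count): int
{
    try {
        return random_int(0, $count - 1);
    } catch (\Error $e) {
        // $count <= 0 makes min > max: Error in PHP 7, ValueError in PHP 8
        throw new \RuntimeException('Index selection failed: invalid range', 0, $e);
    } catch (\Exception $e) {
        // Secure source unavailable: surface it, never substitute a weak generator
        error_log('random_int() unavailable: ' . $e->getMessage());
        throw new \RuntimeException('Index selection failed: no secure randomness', 0, $e);
    }
}

// Usage (constructed for this example)
try {
    $token = makeSessionToken();
    $index = pickIndex(10);
    echo "token: {$token}\nindex: {$index}\n";
} catch (\RuntimeException $e) {
    // Refuse to proceed: a session without a secure token is worse than no session
    http_response_code(500);
    echo 'Secure randomness unavailable; request aborted.', PHP_EOL;
}
```

The important design choice is in the catch blocks for Exception: the failure is logged and rethrown, never replaced by a call to rand() or mt_rand(), because a caller that quietly received a weak token would have no way to tell it apart from a strong one.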
1.2.1010.2. Specs
Short name | Structures/RandomWithoutTry
Rulesets |
Exakat since | 0.8.4
PHP Version | With PHP 7.0 and more recent
Severity | Critical
Time To Fix | Quick (30 mins)
Precision | Very high
Features | random
Available in |