minor #9838 Don't recommend base64 encoding of random_bytes result (javiereguiluz)

javiereguiluz · javiereguiluz · commit b46bce150d38 · 2018-05-29T08:44:54.000+02:00
This PR was merged into the 2.8 branch. Discussion ---------- Don't recommend base64 encoding of random_bytes result This fixes #9348. base64 is not safe for URLs, so let's recommend hashing the values. Commits ------- 18cd815 Don't recommend base64 encoding of random_bytes result
diff --git a/components/security/secure_tools.rst b/components/security/secure_tools.rst
@@ -41,9 +41,8 @@ the number bytes passed as an argument (10 in the above example).
     The ``random_bytes()`` function returns a binary string which may contain
     the ``\0`` character. This can cause trouble in several common scenarios,
     such as storing this value in a database or including it as part of the
-    URL. The solution is to encode or hash the value returned by
-    ``random_bytes()`` (to do that, you can use a simple ``base64_encode()``
-    PHP function).
+    URL. The solution is to hash the value returned by ``random_bytes()`` with
+    a hashing function such as :phpfunction:`md5` or :phpfunction:`sha1`.
 
 Generating a Secure Random Number
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
