feature #5472 Added a tip about hashing the result of nextBytes() (ja…

…viereguiluz) This PR was merged into the 2.3 branch. Discussion ---------- Added a tip about hashing the result of nextBytes() | Q | A | ------------- | --- | Doc fix? | no | New docs? | yes | Applies to | all | Fixed tickets | #4328 Commits ------- 1a4b5fa Reword 64460d5 Added a tip about hashing the result of nextBytes()
symfony · Jul 16, 2015 · c520e77 · c520e77
2 parents f7ccb0c + 1a4b5fa
commit c520e77
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/components/security/secure_tools.rst b/components/security/secure_tools.rst
@@ -54,7 +54,15 @@ to work correctly. Just pass a file name to enable it::
 
 .. note::
 
-    If you're using the Symfony Framework, you can access a secure random
-    instance directly from the container: its name is ``security.secure_random``.
+    If you're using the Symfony Framework, you can get a secure random number
+    generator via the ``security.secure_random`` service.
+
+.. tip::
+
+    The ``nextBytes()`` method returns a binary string which may contain the
+    ``\0`` character. This can cause troubles in lots of common scenarios, such
+    as storing this value in a database or including it as part of the URL. The
+    solution is to hash the value returned by ``nextBytes()`` (to do that, you
+    can use a simple ``md5()`` PHP function).
 
 .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack