## Why does PHP’s strtotime() not understand a Unix timestamp? Or: Why don’t programming languages support “versions” of themselves? [closed]

Yes, I know that `strtotime` returns a Unix timestamp from a "time string". However, there are numerous situations where I’ve fed a semi-unknown "time string" into it and been baffled when I got a `bool(false)` returned instead of it just returning the same integer back:

``$$current_timestamp = time(); var_dump(strtotime($$current_timestamp)); ``

Output:

``bool(false) ``

I have long since made a wrapper function to `strtotime`, as I have done with every single PHP function I use, which handles this for it, so it’s not a practical problem for me anymore. However, it’s very interesting to me how this kind of situation can happen.

Why do such smart people (no, this is not sarcasm), who are able to create a highly advanced and complex programming language, which I could never do myself even if I got 50 years of "paused time" from now to do it, just seem to "overlook" many such basic "details"?

Is this another case of "we knew about it early on, and agree that it was not right, but people had begun expecting this bad behaviour from the function, and then we couldn’t change it, and as time went by, it became less and less possible"?

I’m very torn about things like this. This particular thing I find idiotic, but there is a good point against changing things around. Just look at the nightmare that is Python. I wouldn’t want to have to constantly try to re-read the manual for every single PHP function I use, wondering if PHP 8.1 or something has changed the parameter order around or something evil like that. If I have to choose between that or fix things myself, I choose the latter.

I just wish that language authors, and in particular PHP since it’s what I use, would just introduce some kind of "legacy mode" where the old/original versions of functions are kept around in the "engine", but only activated unless the user does `<?php8` for their scripts, or something like that. Or maybe set a configuration option, to make the source code files less ugly. That seems like a perfect compromise to me. Why is that not actually done?

Remote APIs, such as Stripe (payment-related), frequently have "versions" where old ones are supported for ages/ever, so why can’t local programming language engines also do that?

## Security of PHP’s str_shuffle()

I’m doing some research on PHP’s str_shuffle function, I already asked this question multiply times on StackOverflow but got no answer https://stackoverflow.com/questions/61968859/is-it-possible-to-predict-the-next-output-for-the-str-shuffle-function-in-php.

I’m interested in how would you break str_shuffle, since PHP’s docs states "It does not generate cryptographically secure random values", hence I’m guessing it can be compromised. But how? What I’ve tried so far is a bruteforce attack wrote about it here: https://stackoverflow.com/questions/62106860/bruteforcing-a-32-bit-seed-in-php

Why is str_shuffle() used so frequently for generating random tokens? I see alot of this kind of code:

``function generate(\$  letters, \$  length = 8) // \$  letters is a pool of characters and numbers { return substr(str_shuffle(\$  letters), 0, \$  length); } ``

Is this enough for security or not?

## Did PHP’s rand() get better?

I know that PHP used the system implementation for its `rand()` function, which is usually a weak LCG or LFSR implementation. Did this change? In case it still does, I am using Fedora 32.

PHP states in its documentation that `rand()` does not create cryptographically secure values.

I’ve written a small script, that creates a 400x400px PNG by randomly coloring pixels black or white:

``<?php  \$  resolution = 400;  header("Content-type: image/png"); \$  im = imagecreatetruecolor(\$  resolution, \$  resolution)     or die("Cannot Initialize new GD image stream");  \$  white = imagecolorallocate(\$  im, 255,255,255);  for (\$  y = 0; \$  y < \$  resolution; \$  y++) {     for (\$  x = 0; \$  x < \$  resolution; \$  x++) {         if (rand(0, 1)) {             imagesetpixel(\$  im, \$  x, \$  y, \$  white);         }     } } imagepng(\$  im); imagedestroy(\$  im);  ?> ``

I cannot see patterns anymore when using the function in PHP7.3 though. May there be patterns at a level I cannot display in my experiment?

`rand()`:

`random_int()`,

for use where unbiased results are critical

according to PHP’s docs

## Using a fix \$key and variable \$data vs partially variable \$key with fixed \$data in PHP’s hash_hmac()

This question was originally asked in stack overflow, but it was suggested to ask it here as well..

• not looking to improve on hash_hmac functionality. I’m rather interested in the `\$ uri` in the examples below..

The theory is that typically we create signed URI’s like

``\$  superSecret = 'abc'; \$  data = 'https://localhost/verify/{user-id}/{email}'; \$  hash = hash_hmac('sha256', \$  data, \$  superSecret);  \$  uri = \$  data . '/?hash=' . \$  hash; ``

Then we can validate the signature by recreating a hash, and calling `hash_equals()`. If any of part of the data string changed, `hash_equal()` returns false.

What happens if we switch some parameters around. This time instead of hashing different data, we hash the same data every time but with different keys.

I.e.

``\$  superSecret = 'abc' . \$  userId . \$  email; \$  data = 'https://localhost/verify'; \$  hash = hash_hmac('sha256', \$  data, \$  superSecret);  \$  uri  = \$  data; ``

The above are dumbed down generalized examples. But I’m more interested in, is the concept correct? Would using different keys to hash the same data be as secure as using different data hashed by the same key.

Keep in mind that the ‘abc’ of `\$ superSecret` is never exposed. `\$ user-id` and `\$ email` are concatenated onto the end of `\$ superSecret`

The original question for those interested https://stackoverflow.com/questions/60401068/is-using-a-variable-key-with-constant-data-as-secure-as-using-a-constant-key-wit?noredirect=1#comment106850148_60401068

## Python version of PHP’s read from URL

I am converting a PHP-wxWidgets app to Python-wxWidgets.
In PHP you can open and read from local files or remote internet streams, based on the “filename” parameter starting with one of several network protocols (http:// , ftp:// , ssh2://. ogg:// , etc).
For example:
fh1 = fopen(“/etc/hostname”)
fh2 = fopen(“https://www.whatismyip.com/”)

What is the equivalent in Python-2.7.15 , Python 3.6.7 ?