In PhpStorm with PHP 7.4 I am using the function below. It seems to function as it should, but I get the following EA error in the console on line 551:
[EA] The IV generated can be false, please add necessary checks.
[EA] Use 2nd parameter for determining if the algorithm used was cryptographically strong.
    function _token()
    {
        $random_token = base64_encode(openssl_random_pseudo_bytes(32));
        return $_SESSION['token'] = $random_token;
    }
This is line 551
    $random_token = base64_encode(openssl_random_pseudo_bytes(32));
This is highlighted red
openssl_random_pseudo_bytes
If you read the manual for openssl_random_pseudo_bytes(), you will see there is a second parameter for determining if the value generated is "cryptographically strong":
If passed into the function, this will hold a bool value that determines if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG, passwords, etc. true if it did, otherwise false
You need to pass this parameter and then check to see if it is true (and thus okay to use that value):
    function _token()
    {
        $random_token = base64_encode(openssl_random_pseudo_bytes(32, $strong));
        if (!$strong) {
            // deal with the token not being "cryptographically strong"
            throw new RuntimeException('Token is not cryptographically strong');
        }
        return $_SESSION['token'] = $random_token;
    }
For me, PHPStorm still shows that error, but that is what it is trying to tell you to do.
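
The inspection message names two conditions: the return value can be false, and the second parameter reports whether the bytes were cryptographically strong. The following is an added example, not part of the original question or answer, that checks both before the value is encoded, shows random_bytes() (PHP 7+) as an alternative that throws on failure, and compares the stored token in constant time. The function names and the hand-populated $_SESSION array are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: handles both halves of the EA warning explicitly.
function generate_token(int $length = 32): string
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);

    // PHP 7.4 returns false on failure; $strong says whether a strong
    // algorithm was used. Refuse the value unless both checks pass.
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('Could not generate a cryptographically strong token');
    }
    return base64_encode($bytes);
}

// Alternative on PHP 7+: random_bytes() throws instead of returning false,
// so there is no unchecked failure value to encode by accident.
function generate_token_csprng(int $length = 32): string
{
    return base64_encode(random_bytes($length));
}

// Store the token in the session, as the function on this page does.
function issue_session_token(): string
{
    return $_SESSION['token'] = generate_token();
}

// Compare a submitted token with the stored one in constant time.
function verify_session_token(string $submitted): bool
{
    $expected = $_SESSION['token'] ?? '';
    return is_string($expected) && $expected !== '' && hash_equals($expected, $submitted);
}

// Constructed demo: $_SESSION is filled by hand so the script runs from the CLI.
$_SESSION = [];
$token = issue_session_token();
var_dump(strlen((string) base64_decode($token, true)) === 32);
var_dump(verify_session_token($token));
var_dump(verify_session_token('tampered-value'));
var_dump(strlen(generate_token_csprng()) === strlen($token));
```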