yiisoft/security
================

Security utilities

[Source](https://github.com/yiisoft/security) | [Packagist](https://packagist.org/packages/yiisoft/security) | [Docs](https://www.yiiframework.com/)

Yii Security
============

Security package provides a set of classes to handle common security-related tasks:

- Random values generation
- Password hashing and validation
- Encryption and decryption
- Data tampering prevention
- Masking token length

Requirements
------------

- PHP 8.1 - 8.5.
- `hash` PHP extension.
- `openssl` PHP extension.

Installation
------------

The package can be installed with [Composer](https://getcomposer.org):

```
composer require yiisoft/security
```

General usage
-------------

### Random values generation

To generate a random string that is 42 characters long, use:

```
use Yiisoft\Security\Random;
$randomString = Random::string(42);
```

The following extras are available via PHP directly:

- `random_bytes()` for bytes. Note that output may not be ASCII.
- `random_int()` for integers.

### Password hashing and validation

Working with passwords includes two steps. Saving password hashes:

```
use Yiisoft\Security\PasswordHasher;

$hash = (new PasswordHasher())->hash($password);

// save hash to database or another storage
saveHash($hash);
```

Validating password against the hash:

```
// obtain hash from database or another storage
$hash = getHash();

$result = (new PasswordHasher())->validate($password, $hash);
```

### Encryption and decryption by password

Encrypting data:

```
use Yiisoft\Security\Crypt;

$encryptedData = (new Crypt())->encryptByPassword($data, $password);

// save data to database or another storage
saveData($encryptedData);
```

Decrypting it:

```
// obtain encrypted data from database or another storage
$encryptedData = getEncryptedData();

$data = (new Crypt())->decryptByPassword($encryptedData, $password);
```

### Encryption and decryption by key

Encrypting data:

```
$encryptedData = (new Crypt())->encryptByKey($data, $key);

// save data to database or another storage
saveData($encryptedData);
```

Decrypting it:

```
// obtain encrypted data from database or another storage
$encryptedData = getEncryptedData();

$data = (new Crypt())->decryptByKey($encryptedData, $key);
```

### Data tampering prevention

MAC signing can be used to prevent data tampering. The `$key` should be present on both the sending and receiving sides. On the sending side:

```
use Yiisoft\Security\Mac;

$signedMessage = (new Mac())->sign($message, $key);

sendMessage($signedMessage);
```

At the receiving side:

```
$signedMessage = receiveMessage();

try {
    $message = (new Mac())->getMessage($signedMessage, $key);
} catch (\Yiisoft\Security\DataIsTamperedException $e) {
    // data is tampered
}
```
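
The following is an added example, not code from the package or its README. It signs a JSON payload with `Mac`, then rejects it on the receiving side when it has been modified, signed with a different key, or has expired. The helper names, the `exp` field and the `vendor/autoload.php` path are assumptions made for the illustration.

```php
<?php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader location

use Yiisoft\Security\DataIsTamperedException;
use Yiisoft\Security\Mac;

/** Hypothetical helper: add an expiry time to the payload, serialize it and sign it. */
function issueSignedPayload(array $payload, string $key, int $ttl): string
{
    $payload['exp'] = time() + $ttl;

    return (new Mac())->sign(json_encode($payload, JSON_THROW_ON_ERROR), $key);
}

/** Hypothetical helper: return the payload, or null if it is tampered, malformed or expired. */
function readSignedPayload(string $signed, string $key): ?array
{
    try {
        // Verify the MAC first; unverified data is never parsed.
        $json = (new Mac())->getMessage($signed, $key);
        $payload = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (DataIsTamperedException | JsonException) {
        return null;
    }

    // A valid MAC shows the data is unmodified, not that it is fresh: check expiry separately.
    if (!is_array($payload) || !is_int($payload['exp'] ?? null) || $payload['exp'] < time()) {
        return null;
    }

    return $payload;
}

// Constructed sample data.
$key = random_bytes(32);
$signed = issueSignedPayload(['userId' => 42, 'role' => 'viewer'], $key, 300);

// Untouched message, correct key.
var_dump(readSignedPayload($signed, $key));
// Same message with the role edited in transit.
var_dump(readSignedPayload(str_replace('viewer', 'admin!', $signed), $key));
// Untouched message checked with a different key.
var_dump(readSignedPayload($signed, random_bytes(32)));
```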

### Masking token length

Masking a token helps to mitigate the BREACH attack by randomizing how the token is output on each request. A random mask is applied to the token, making the string always unique.

In order to mask a token:

```
$maskedToken = \Yiisoft\Security\TokenMask::apply($token);
```

To get the original value from the masked one:

```
$token = \Yiisoft\Security\TokenMask::remove($maskedToken);
```

### Native PHP functionality

In addition to this library's methods, there is a set of handy native PHP functions.

#### Timing attack resistant string comparison

Comparing strings the usual way is not secure when dealing with user-supplied passwords or key phrases. A regular string comparison returns as soon as a difference between the strings is found, so an attacker could efficiently brute-force the value character by character, moving on to the next one as soon as the response time increases.

There is a special function in PHP that compares strings in constant time:

```
hash_equals($expected, $actual);
```
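
The token masking and constant-time comparison sections above fit together in a form-token check. The following is an added example, not code from the package or its README: the real token stays on the server, each response gets a differently masked copy, and the submitted value is unmasked and compared with `hash_equals()`. The helper names, the `csrf` key, the array standing in for session storage and the `vendor/autoload.php` path are assumptions.

```php
<?php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader location

use Yiisoft\Security\Random;
use Yiisoft\Security\TokenMask;

/** Hypothetical helper: return a freshly masked copy of the session token for one response. */
function tokenForResponse(array &$session): string
{
    // The real token is generated once and never leaves the server unmasked.
    $session['csrf'] ??= Random::string(32);

    // Every call yields a different string that represents the same token.
    return TokenMask::apply($session['csrf']);
}

/** Hypothetical helper: check a submitted masked token against the session token. */
function isSubmittedTokenValid(array $session, string $submitted): bool
{
    $expected = $session['csrf'] ?? '';
    if ($expected === '') {
        return false; // no token was issued for this session
    }

    $actual = TokenMask::remove($submitted);

    // Constant-time comparison instead of a regular string comparison.
    return hash_equals($expected, $actual);
}

// Constructed demo: a plain array stands in for the session storage.
$session = [];
$first = tokenForResponse($session);
$second = tokenForResponse($session);

// Two responses carry different strings for the same token.
var_dump($first !== $second);
// Both masked copies are accepted.
var_dump(isSubmittedTokenValid($session, $first));
var_dump(isSubmittedTokenValid($session, $second));
// A masked copy of some other token is not accepted.
var_dump(isSubmittedTokenValid($session, TokenMask::apply('constructed-wrong-token')));
// Neither is a token submitted for a session that never issued one.
var_dump(isSubmittedTokenValid([], $first));
```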

Documentation
-------------

- [Internals](docs/internals.md)

If you need help or have a question, the [Yii Forum](https://forum.yiiframework.com/c/yii-3-0/63) is a good place for that. You may also check out other [Yii Community Resources](https://www.yiiframework.com/community).

License
-------

The Yii Security is free software. It is released under the terms of the BSD License. Please see [`LICENSE`](./LICENSE.md) for more information.

Maintained by [Yii Software](https://www.yiiframework.com/).
