encoding
Table of Contents
Functions
- base64UrlDecode() : string|false
- Decodes a base64url-encoded string (RFC 4648 §5).
- base64UrlEncode() : string
- Encodes binary data into a base64url string (RFC 4648 §5).
- hexDecode() : string|false
- Decodes a hexadecimal string into raw bytes.
- hexEncode() : string
- Encodes binary data into a lowercase hexadecimal string.
- randomBase64Url() : string
- Generates a cryptographically secure random token, encoded in base64url (RFC 4648 §5, URL-safe, no padding).
- randomHex() : string
- Generates a cryptographically secure random token, encoded as a lowercase hexadecimal string.
Functions
base64UrlDecode()
Decodes a base64url-encoded string (RFC 4648 §5).
base64UrlDecode(string $value) : string|false
The decoder is permissive on padding but strict on alphabet:
- Inputs in canonical URL-safe form (no trailing
=) are accepted. - Inputs that still carry the standard padding (
=,==) are also accepted, for interoperability with implementations that emit padded base64url. - Any character outside
[A-Za-z0-9_\-](or=only as trailing padding) causes the function to returnfalse. This includes+,/, whitespace, newlines, control characters and any non-ASCII byte.
The function is binary-safe: it operates on ASCII bytes regardless of the
current mbstring.func_overload setting or locale.
The function does not raise exceptions ; it mirrors the contract of
base64_decode() and returns false on any invalid input.
Note: when comparing a decoded value to a known secret (e.g. an HMAC tag), always use a constant-time comparison such as hash_equals() ; this function itself does not perform any cryptographic comparison.
Parameters
- $value : string
-
The base64url string to decode. May be empty.
Tags
Return values
string|false —The decoded raw bytes, or false if $value is not a
valid base64url string.
base64UrlEncode()
Encodes binary data into a base64url string (RFC 4648 §5).
base64UrlEncode(string $binary) : string
The output uses the URL- and filename-safe alphabet (- and _ instead of
+ and /) and omits the trailing = padding, producing the canonical
URL-safe form used by JWT/JOSE, WebPush, signed URLs, etc.
The function is binary-safe: any byte sequence is accepted, including
null bytes and arbitrary UTF-8.
Parameters
- $binary : string
-
Raw bytes to encode. May be empty.
Tags
Return values
string —The base64url-encoded representation, without padding.
Always a subset of [A-Za-z0-9_-].
hexDecode()
Decodes a hexadecimal string into raw bytes.
hexDecode(string $value) : string|false
Strict, warning-free counterpart of hex2bin() :
- Accepts both lowercase and uppercase digits (
[0-9a-fA-F]). - Requires an even number of characters ; an odd length yields
false. - Rejects any character outside the hex alphabet (including whitespace and
non-ASCII bytes) with
falseinstead of PHP's native warning. - The empty string decodes to the empty string.
The function does not raise exceptions ; it returns false on any invalid
input, mirroring the contract of base64UrlDecode().
Note: when comparing a decoded value to a known secret (e.g. an HMAC tag), always use hash_equals() for constant-time comparison.
Parameters
- $value : string
-
The hexadecimal string to decode. May be empty.
Tags
Return values
string|false —The decoded raw bytes, or false if $value is not a
valid hexadecimal string of even length.
hexEncode()
Encodes binary data into a lowercase hexadecimal string.
hexEncode(string $binary) : string
Thin wrapper around bin2hex() provided for API symmetry with the other helpers of this package (hexDecode(), base64UrlEncode()).
The function is binary-safe and always produces lowercase output, which matches the convention used for hashes, tokens and HMAC tags across the Oihana ecosystem.
Parameters
- $binary : string
-
Raw bytes to encode. May be empty.
Tags
Return values
string —A string of [0-9a-f] characters, twice as long as $binary.
randomBase64Url()
Generates a cryptographically secure random token, encoded in base64url (RFC 4648 §5, URL-safe, no padding).
randomBase64Url([int $bytes = 32 ]) : string
The function reads $bytes of entropy from random_bytes() (a CSPRNG)
and encodes the result with base64UrlEncode(). The output is safe to
use in URLs, HTTP headers, filenames, JWT identifiers, OAuth state/nonce,
CSRF tokens and similar contexts.
Output length is ceil( $bytes * 4 / 3 ) characters (without padding).
Default $bytes = 32 yields 256 bits of entropy → 43 characters, which is
the recommended size for cryptographic tokens.
Parameters
- $bytes : int = 32
-
Number of random bytes to generate. Must be
>= 1. Defaults to 32 (256 bits of entropy).
Tags
Return values
string —The base64url-encoded random token. Always a subset of
[A-Za-z0-9_-].
randomHex()
Generates a cryptographically secure random token, encoded as a lowercase hexadecimal string.
randomHex([int $bytes = 32 ]) : string
The function reads $bytes of entropy from random_bytes() (a CSPRNG)
and encodes the result with bin2hex(). The output is safe to use in
URLs, logs, filenames, correlation/request IDs, JWT jti, refresh tokens
and similar contexts.
Output length is exactly 2 * $bytes characters. Default $bytes = 32
yields 256 bits of entropy → 64 characters.
For shorter URL-friendly tokens at equivalent entropy, prefer randomBase64Url().
Parameters
- $bytes : int = 32
-
Number of random bytes to generate. Must be
>= 1. Defaults to 32 (256 bits of entropy).
Tags
Return values
string —Lowercase hexadecimal string of length 2 * $bytes.