Update random_string with random_bytes

- Updated update.php

include/text.php

@@ -41,18 +41,28 @@ function replace_macros($s, $r) {
 	return $output;
 }
 
+// PHP < 7 polyfill
+if (!is_callable('intdiv')) {
+	function intdiv($a, $b) {
+		return ($a - $a % $b) / $b;
+	}
+}
 
-// random string, there are 86 characters max in text mode, 128 for hex
-// output is urlsafe
+/**
+ * @brief Generates a pseudo-random string of hexadecimal characters
+ *
+ * Only supports pair numbers of output characters.
+ *
+ * @param int $size
+ * @return string
+ */
+function random_string($size = 64)
+{
+	$bytes = random_bytes(intdiv((int) $size, 2));
 
-define('RANDOM_STRING_HEX',  0x00);
-define('RANDOM_STRING_TEXT', 0x01);
+	$return = bin2hex($bytes);
 
-function random_string($size = 64, $type = RANDOM_STRING_HEX) {
-	// generate a bit of entropy and run it through the whirlpool
-	$s = hash('whirlpool', (string) rand() . uniqid(rand(),true) . (string) rand(), (($type == RANDOM_STRING_TEXT) ? true : false));
-	$s = (($type == RANDOM_STRING_TEXT) ? str_replace("\n", "", base64url_encode($s,true)) : $s);
-	return substr($s,0,$size);
+	return $return;
 }
 
 /**

update.php

@@ -616,7 +616,7 @@ function update_1075() {
 		foreach ($r as $rr) {
 			$found = true;
 			do {
-				$guid = substr(random_string(),0,16);
+				$guid = random_string(16);
 				$x = q("SELECT `uid` FROM `user` WHERE `guid` = '%s' LIMIT 1",
 					dbesc($guid)
 				);