common_good_rand was _not_ a "good rand", only hex

0-F isn't random enough to be called rand, so we rename the function
to avoid confusion with something that is actually good at random.

lib/util.php

@@ -1550,15 +1550,25 @@ function common_root_url($ssl=false)
 /**
  * returns $bytes bytes of random data as a hexadecimal string
  * "good" here is a goal and not a guarantee
+ *
+ * TODO: Find and replace all calls to this with common_random_hexstr
  */
 function common_good_rand($bytes)
 {
-    // XXX: use random.org...?
+    return common_random_hexstr($bytes);
-    if (@file_exists('/dev/urandom')) {
+}
-        return common_urandom($bytes);
+
-    } else { // FIXME: this is probably not good enough
+function common_random_hexstr($bytes)
-        return common_mtrand($bytes);
+{
+    $str = @file_exists('/dev/urandom')
+            ? common_urandom($bytes)
+            : common_mtrand($bytes);
+
+    $hexstr = '';
+    for ($i = 0; $i < $bytes; $i++) {
+        $hexstr .= sprintf("%02x", ord($str{$i}));
     }
+    return $hexstr;
 }
 
 function common_urandom($bytes)
@@ -1567,20 +1577,16 @@ function common_urandom($bytes)
     // should not block
     $src = fread($h, $bytes);
     fclose($h);
-    $enc = '';
+    return $src;
-    for ($i = 0; $i < $bytes; $i++) {
-        $enc .= sprintf("%02x", (ord($src[$i])));
-    }
-    return $enc;
 }
 
 function common_mtrand($bytes)
 {
-    $enc = '';
+    $str = '';
     for ($i = 0; $i < $bytes; $i++) {
-        $enc .= sprintf("%02x", mt_rand(0, 255));
+        $str .= chr(mt_rand(0, 255));
     }
-    return $enc;
+    return $str;
 }
 
 /**