{ "slug": "weak_random_function", "term": "Weak Random Function", "category": "security", "difficulty": "intermediate", "short": "Using rand(), mt_rand(), or array_rand() for security-sensitive values — these are predictable pseudo-random generators not suitable for tokens, keys, or passwords.", "long": "PHP's rand() and mt_rand() are Mersenne Twister-based PRNGs — fast and deterministic, suitable for simulations and games, but predictable given enough outputs. For security: tokens, session IDs, password reset links, CSRF tokens, and API keys must use cryptographically secure randomness. PHP 7+ provides random_bytes() and random_int() which use the OS CSPRNG (/dev/urandom on Linux). Never use weak PRNGs for anything an attacker must not be able to predict.", "aliases": [ "rand()", "mt_rand()", "insecure random", "PRNG" ], "tags": [ "security", "php", "randomness", "cryptography" ], "misconception": "mt_rand() is secure because it uses Mersenne Twister — Mersenne Twister's state can be fully reconstructed from 624 outputs, making all future values predictable.", "why_it_matters": "A password reset token generated with mt_rand() can be predicted by an attacker who has observed previous random outputs — enabling account takeover without knowing the password.", "common_mistakes": [ "rand() or mt_rand() for password reset tokens, CSRF tokens, or session IDs.", "uniqid() for security tokens — uses microtime(), highly predictable.", "base64_encode(mt_rand()) — encoding does not add entropy.", "str_shuffle() for token generation — relies on mt_rand() internally." ], "when_to_use": [ "Use random_bytes() for any security-sensitive random value — tokens, nonces, CSRF values, API keys.", "Use random_int() for cryptographically secure random integers within a range." ], "avoid_when": [ "Never use rand(), mt_rand(), or uniqid() for security tokens — they are predictable.", "Do not use microtime() or time() as a seed for token generation — trivially guessable." ], "related": [ "csprng", "random_bytes", "predictable_token", "entropy" ], "prerequisites": [ "random_bytes", "insecure_randomness", "csprng" ], "refs": [ "https://www.php.net/manual/en/function.random-bytes.php" ], "bad_code": "// Predictable — never use for security:\n$token = md5(uniqid(mt_rand(), true)); // Both predictable\n$resetToken = rand(100000, 999999); // 900000 possibilities — brute-forceable\n$apiKey = base64_encode(mt_rand()); // Predictable state", "good_code": "// Cryptographically secure:\n$token = bin2hex(random_bytes(32)); // 256 bits of entropy\n$resetUrl = bin2hex(random_bytes(16)); // 128 bits — URL-safe\n$pin = random_int(100000, 999999); // Secure integer range\n$apiKey = base64_encode(random_bytes(32)); // Secure API key", "quick_fix": "Replace every security use of mt_rand(), rand(), array_rand(), and shuffle() with random_bytes() or random_int() — the old functions are seeded deterministically and are predictable", "severity": "critical", "effort": "low", "created": "2026-03-16", "updated": "2026-03-31", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/weak_random_function", "html_url": "https://codeclaritylab.com/glossary/weak_random_function", "json_url": "https://codeclaritylab.com/glossary/weak_random_function.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[Weak Random Function](https://codeclaritylab.com/glossary/weak_random_function) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/weak_random_function" } } } }