Asked  7 Months ago    Answers:  5   Viewed   28 times

I know that just using rand() is predictable, if you know what you're doing, and have access to the server.

I have a project that is highly dependent upon choosing a random number that is as unpredictable as possible. So I'm looking for suggestions, either other built-in functions or user functions, that can generate a better random number.

I used this to do a little test:

<?php
$array = array();   // counts, keyed by the drawn number
$i = 0;

while($i < 10000){
    $rand = rand(0, 100);

    if(!isset($array[$rand])){
        $array[$rand] = 1;
    } else {
        $array[$rand]++;
    }

    $i++;
}

// Sort by key once, after the loop. sort() inside the loop re-indexes the
// array on every pass and throws away the number-to-count mapping.
ksort($array);

I found the results to be evenly distributed, and there is an odd pattern to the number of times each number is generated.

 Answers

63

Adding, multiplying, or truncating a poor random source will give you a poor random result. See Introduction to Randomness and Random Numbers for an explanation.

You're right about the PHP rand() function. See the second figure on Statistical Analysis for a striking illustration. (The first figure is striking, but it's been drawn by Scott Adams, not plotted with rand()).

One solution is to use a true random generator such as random.org. Another, if you're on Linux/BSD/etc. is to use /dev/random. If the randomness is mission critical, you will have to use a hardware random generator.

Wednesday, March 31, 2021
 
Smandoli
answered 7 Months ago
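As an added illustration of the point this answer makes (not code from the answer or the question), the block below shows why a seeded Mersenne Twister is reproducible and how to draw an unpredictable integer or token from the operating system's CSPRNG instead. It assumes PHP 7.0 or later, where random_int() and random_bytes() exist; the function names are my own.

```php
<?php
// Added example, not from the original page. Requires PHP 7.0+.

// 1. Predictability: the whole mt_rand() stream is a function of one 32-bit
//    seed. Anyone who learns (or brute-forces) the seed reproduces every draw.
function predictableSequence(int $seed, int $count): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand(0, 100);
    }
    return $out;
}

// 2. Unpredictable integer: random_int() reads the kernel CSPRNG
//    (getrandom(2) / /dev/urandom / the Windows CNG API), cannot be seeded
//    from PHP, and rejects out-of-range draws so the result is uniform.
function secureInt(int $min, int $max): int
{
    return random_int($min, $max);
}

// 3. Unpredictable token (session id, CSRF token, password-reset link):
//    raw CSPRNG bytes, hex-encoded. 32 bytes = 256 bits of entropy.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

$runA = predictableSequence(123, 5);
$runB = predictableSequence(123, 5);
echo 'seeded mt_rand, run 1: ' . implode(',', $runA) . PHP_EOL;
echo 'seeded mt_rand, run 2: ' . implode(',', $runB) . PHP_EOL;
echo ($runA === $runB ? 'identical: the seed fully determines the stream'
                      : 'different') . PHP_EOL;

echo 'random_int(0, 100): ' . secureInt(0, 100) . PHP_EOL;
echo 'token:              ' . secureToken() . PHP_EOL;
```

random_int() and random_bytes() throw if the system has no usable entropy source, so let that exception propagate rather than falling back to rand() or mt_rand(); a silent fallback is worse than a failed request.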
98

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers?

Yes.

If yes, is it common?

Yes.

but if it is beneficial for improving security,

Your PHP app will typically consist of many individual files. Usually, these will get included from other files. For example, you might have:

index.php
lib/db.php
lib/auth.php

In this example, since all the files are in the document root, an external user could hit the URL http://domain.com/lib/auth.php and run that include file directly, independent of the auth system that's supposed to be sourcing it. Will it do anything bad when run by itself? Probably not. But to be safe, you should move the include files outside the document root, thus making it impossible for the web server to serve them directly.

(Note that this vulnerability is not exclusive to PHP, and thus keeping your libs outside document root is a good practice, regardless of platform.)

Wednesday, March 31, 2021
 
sassy_geekette
answered 7 Months ago
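As an added example of the layout this answer recommends (not code from the answer), here are two files shown back to back: a front controller inside the document root and a library file one level above it. The directory names, file names and functions are hypothetical; the guard at the top of the library file is defence in depth for the case where a bad deploy copies it under the document root anyway.

```php
<?php
// Added example, not from the original page. Two files, shown back to back.
// Assumed (hypothetical) layout:
//
//   /var/www/example/public/index.php   <- web server document root
//   /var/www/example/app/auth.php       <- one level up, never served
//
// Only public/ is reachable by URL, so http://domain.com/app/auth.php is a
// 404 whatever the file contains.

// ===== /var/www/example/public/index.php =====
session_start();

// Marks this request as having entered through the front controller.
define('APP_ENTRY', true);

// Resolve the library relative to this file (not the working directory or
// include_path) and refuse to continue if it is missing.
$authFile = realpath(__DIR__ . '/../app/auth.php');
if ($authFile === false) {
    http_response_code(500);
    exit('auth library not found');
}
require $authFile;

requireLogin();
echo 'Hello, ' . htmlspecialchars(currentUser(), ENT_QUOTES, 'UTF-8');
```

```php
<?php
// ===== /var/www/example/app/auth.php =====
// Defence in depth: if this file is ever hit directly (no APP_ENTRY, because
// index.php did not run), answer 403 instead of executing the code below.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

function currentUser(): ?string
{
    // Hypothetical: a real app would validate the session here.
    return $_SESSION['user'] ?? null;
}

function requireLogin(): void
{
    if (currentUser() === null) {
        header('Location: /login.php', true, 302);
        exit;
    }
}
```

The web server configuration still has to point its document root at public/ only; the APP_ENTRY guard does not replace that, it just makes a misplaced file fail closed.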
68

It's just a warning to show that there is no password for the default user root. If you want to set password for root:

  1. Open phpmyadmin interface
  2. Click "Users" tab
  3. Select user "root"
  4. Edit Privileges
  5. Change password
Saturday, May 29, 2021
 
Lance
answered 5 Months ago
83

You can use array_multisort to order the array values by a second array of mt_rand values:

<?php
$arr = array(1,2,3,4,5,6);

// mt_srand() takes an int. A fixed seed gives the same "random" order on
// every run: fine for a reproducible test, not for an order that must be
// unguessable.
mt_srand(123);
// One mt_rand() value per element. A closure replaces create_function(),
// which was deprecated in PHP 7.2 and removed in PHP 8.0.
$order = array_map(function ($val) { return mt_rand(); }, range(1, count($arr)));
// Sort $order ascending and reorder $arr in lockstep with it.
array_multisort($order, $arr);

var_dump($arr);

Here $order is an array of mt_rand values of the same length as $arr. array_multisort sorts the values of $order and orders the elements of $arr according to the order of the values of $order.

Friday, July 16, 2021
 
Rocket
answered 4 Months ago
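For the case the question actually asks about, an order that must not be guessable, the answer above is not enough: a seeded mt_rand() ordering is reproducible by anyone who knows the seed. As an added example (not from the answer), the block below shuffles with a Fisher-Yates walk driven by random_int(), which draws from the OS CSPRNG and rejects biased draws, so every permutation is equally likely and none is predictable. It assumes PHP 7.1 or later; the function name is my own.

```php
<?php
// Added example, not from the original page. Requires PHP 7.1+ (random_int,
// list-style swap assignment).

function secureShuffle(array $arr): array
{
    // Fisher-Yates: walk from the last slot down, swapping each slot with a
    // uniformly chosen slot at or before it. random_int() cannot be seeded
    // from PHP and is uniform over [0, $i], so the result is unbiased.
    for ($i = count($arr) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$arr[$i], $arr[$j]] = [$arr[$j], $arr[$i]];
    }
    return $arr;   // $arr was passed by value; the caller's array is untouched
}

// Constructed sample input: a six-card "deck".
$deck = range(1, 6);
echo 'secure shuffle, run 1: ' . implode(',', secureShuffle($deck)) . PHP_EOL;
echo 'secure shuffle, run 2: ' . implode(',', secureShuffle($deck)) . PHP_EOL;
```

PHP's built-in shuffle() and array_rand() use the same non-cryptographic generator as mt_rand(), so they inherit its predictability; use the random_int()-driven loop whenever the order is a secret (dealing, prize draws, ordering challenge questions).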
83
<?php
  $min=1;
  $max=20;
  echo rand($min,$max);
?>
Monday, August 2, 2021
 
muaaz
answered 3 Months ago