Is it possible to predict rand(0,10) in PHP?

Question

I have a script where I use the rand function in PHP. Now I read some ghost stories that its real easy to predict those outcomes. Is this possible from the client-side?

Answer 1

I think that you may want to differentiate between secure and secure enough. The answer to your question about prediction is "yes," it is possible to predict numbers generated from a pseudo random number generator. However, I think that the more important question is how likely this is to occur. What are you trying to protect from prediction? If you are running a massive online gaming website it is probably more important to have true randomness than if you are running a small MUD server. It is more important because the consequences of a user breaking the pattern are more severe and there is a higher likelihood that a user will have the motivation to spend time attacking your algorithm.

You might also want to look at the services of Random.org. They provide an API that allows you to pull true random numbers from their servers. They get their entropy from atmospheric noise, which should be unpredictable at least as far as your users are concerned.

http://www.random.org/clients/http/