Generate cryptographically secure random numbers in php

Question

PHP\'s rand() function doesn\'t give good random numbers. So I started to use mt_rand() which is said to give better results. But how good are thes

Answer 1

If you don't like PHP's built in rand(), you probably shouldn't use their built-in shuffle() either, since it seems to be built on their rand().

I am halfway sure the "industry standard" shuffle now is the Fisher-Yates shuffle.

Answer 2

I'm not sure that what you've done "improves" the randomness. From what I can understand you generate 100 random numbers and then randomly pick one of them.

From what I can remember from my probability course, this probably doesn't increase the randomness, as if there is an underlying bias in the generator function (mt_rand()), then it will still be reflected somehow in the output.

Answer 3

It all depends what for you need that random number :) For me ShuffleBag is the best one :)

Answer 4

use /dev/ramdom (linux device true random number generator) to seed mt_rand

<?
$rnd_dev=mcrypt_create_iv(4, MCRYPT_DEV_RANDOM); //need "apt-get install php5-mcrypt"
$seed=ord(substr($rnd_dev, 0, 1))<<24 |
      ord(substr($rnd_dev, 1, 1))<<16 |
      ord(substr($rnd_dev, 2, 1))<<8 |
      ord(substr($rnd_dev, 3, 1));
mt_srand($seed);
echo mt_rand();
?>

Answer 5

<?php
  function random_number(){
      return 4; // return generated number
                // guaranteed to be random
  }
  ?>

All joking aside, you're getting into a philosophical question of what is "random" or what is "best". Ideally you'd want your random numbers to have few patterns in them over the course of your procedure. Generally system time is used as the seed, but I've also used the previous random number as the seed, the previous random numberth ago as the seed. The problem is, with a powerful enough computer and full knowledge of the hardware running, and generator function, you would be able to predict the entire set of numbers generated. Thus if you had a powerful enough computer (some people put God into this category) that knew all possible variables and functions of the universe you would then be able to predict every event that happened or will happen. Most random number generators are fine on their own but if you know someone who can see the patterns, more likely they are like the guy in Beautiful Mind and you should get them checked into a clinic.

By popular demand :D

Answer 6

Edit: My comment is no longer valid. Please see the following answer: https://stackoverflow.com/a/31443898/109561

---

I'm guessing you're worried about the distribution of mt_rand(). I have tested it and it is very level and both bounds are inclusive.

I added my test to the comments of the documentation for mt_rand() on the php manual, but it was removed by a silly moderator due to politics that are too long winded to go into here.