Avoid pseudo-random numbers

Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

ID: php-security/no-pseudo-random

Language: PHP

Severity: Error

Category: Security

CWE: 338

Description

This rule is a security-oriented rule that discourages the use of functions like rand() and mt_rand(). These functions generate pseudo-random numbers, which are not truly random and can be predictable, making them a weak choice for any situation where security is a concern, such as generating random passwords or tokens.

Using pseudo-random numbers can lead to vulnerabilities in your code. An attacker might be able to predict the output of these functions and exploit this predictability.

To maintain secure coding practices, you can use the random_int() function instead. This function generates cryptographically secure random integers, making it a much safer choice. For example, instead of using $var = rand();, you can use $var = random_int(20, 40);. By following this rule, you can help to ensure that your code is as secure as possible.

Non-Compliant Code Examples

<?php
$var = rand();
$var = mt_rand(20, 40);

Compliant Code Examples

<?php
$var = random_int(20, 40);
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Integraciones sin problemas. Prueba Datadog Code Security

Datadog Code Security