- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/no-pseudo-random
Language: PHP
Severity: Error
Category: Security
CWE: 338
This rule is a security-oriented rule that discourages the use of functions like rand()
and mt_rand()
. These functions generate pseudo-random numbers, which are not truly random and can be predictable, making them a weak choice for any situation where security is a concern, such as generating random passwords or tokens.
Using pseudo-random numbers can lead to vulnerabilities in your code. An attacker might be able to predict the output of these functions and exploit this predictability.
To maintain secure coding practices, you can use the random_int()
function instead. This function generates cryptographically secure random integers, making it a much safer choice. For example, instead of using $var = rand();
, you can use $var = random_int(20, 40);
. By following this rule, you can help to ensure that your code is as secure as possible.
<?php
$var = rand();
$var = mt_rand(20, 40);
<?php
$var = random_int(20, 40);
|
|
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products