---
title: Avoid pseudo-random numbers
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid pseudo-random numbers
---

# Avoid pseudo-random numbers

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `php-security/no-pseudo-random`

**Language:** PHP

**Severity:** Error

**Category:** Security

**CWE**: [338](https://cwe.mitre.org/data/definitions/338.html)

## Description{% #description %}

This security rule discourages the use of functions such as `rand()` and `mt_rand()`. These functions produce pseudo-random numbers from a deterministic generator: their output is not truly random and can be predicted, which makes them a weak choice in any situation where security is a concern, such as generating random passwords or tokens.

Relying on pseudo-random numbers can introduce vulnerabilities into your code. An attacker who observes enough of the output may be able to predict future values and exploit that predictability.

To maintain secure coding practices, use the `random_int()` function instead. It generates cryptographically secure random integers, making it a much safer choice. For example, instead of `$var = rand();`, use `$var = random_int(20, 40);`. Following this rule helps ensure that your code is as secure as possible.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```php
<?php
$var = rand();
$var = mt_rand(20, 40);
```

## Compliant Code Examples{% #compliant-code-examples %}

```php
<?php
$var = random_int(20, 40);
```
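The following is an added example, not code from the Datadog rule page, showing the two situations the description mentions (a one-time code and a token) built on PHP's CSPRNG functions, with the `mt_rand()`-based version the rule flags shown alongside for contrast. The function names `secureCode`, `secureToken`, `weakCode` and `tokenMatches` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not part of the Datadog rule page).

/**
 * Draw each character with random_int() so every position is uniformly
 * distributed over the alphabet. random_int() reads the OS CSPRNG and
 * throws if no secure source is available, rather than falling back.
 */
function secureCode(int $length, string $alphabet = '0123456789'): string
{
    if ($length < 1 || $alphabet === '') {
        throw new InvalidArgumentException('length and alphabet must be non-empty');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Opaque token for URLs, cookies or password resets: random_bytes() gives
 * raw CSPRNG output and bin2hex() makes it printable without losing entropy.
 */
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * The pattern the rule reports: mt_rand() is a seeded Mersenne Twister, so
 * its sequence is reproducible and unsuitable for anything security-relevant.
 */
function weakCode(int $length): string
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= (string) mt_rand(0, 9);
    }
    return $out;
}

/** Compare a submitted token in constant time so the check itself leaks nothing. */
function tokenMatches(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

echo secureCode(6), PHP_EOL;           // six-digit one-time code
echo secureToken(), PHP_EOL;           // 64 hex characters (32 random bytes)
echo weakCode(6), PHP_EOL;             // flagged by php-security/no-pseudo-random
var_dump(tokenMatches(secureToken(), 'not-the-token'));
```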