On Thu, Feb 2, 2017 at 10:24 PM, Christoph M. Becker <cmbecke...@gmx.de> wrote:
> On 02.02.2017 at 12:51, Yasuo Ohgaki wrote:
>
>> Although users must never do this, there is code that generates random
>> passwords/access keys by mt_rand().
>
> There is also code that stores clear text passwords. How would you
> prevent that?
>
> IMHO, if users don't care to read the docs[1], it's their fault, and we
> shouldn't waste our time to fix their bugs.

I totally agree.

However, there are valid usages like

a.php
<?php
// I need a static random sequence
srand(1234);
for ($i = 0; $i < 10; $i++) $rand[] = rand();
?>

b.php
<?php
// I need a random sequence, let PHP seed it
for ($i = 0; $i < 10; $i++) $better_rand[] = mt_rand(); // VALID USAGE
// I'm going to randomize which quiz is displayed
?>

This is an unacceptable BC break in PHP 7.1. For PHP 7.1, rand() must at
least have its own state. This was discussed in the other thread,
"Reseeding rand()/mt_rand()". User and system seeds should be separated
and independent.

Anyway, which code must be fixed, a.php or b.php, in such a case?

Suppose you are a drupal (or any app's) module developer and are using
mt_rand() because you require random values. Someone else wants to use a
static random sequence, which is a rare usage compared to a plain mt_rand()
call w/o a user seed, and then suddenly your code becomes broken.

IMO, a.php must be fixed.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
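The shared-state problem Yasuo describes, as an added example that is not part of this thread or of PHP's own test suite: it reproduces a.php and b.php in one process, shows that b.php's mt_rand() output is fully determined by a.php's srand() call, and then shows the two separations a defender would reach for. Assumptions: PHP 7.1 or later (where rand()/srand() are aliases of mt_rand()/mt_srand() and share one global Mt19937 state); the last step uses the Random\Randomizer and Random\Engine\Mt19937 classes that exist only from PHP 8.2 on, so it is guarded with class_exists(). The function names staticSequence, quizPicker and quizPickerSafe are constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for a.php: a caller that wants a reproducible sequence.
// srand() seeds the *global* generator, which mt_rand() also reads.
function staticSequence(int $seed, int $count): array
{
    srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = rand();
    }
    return $out;
}

// Stand-in for b.php: a caller that expects PHP to seed for it.
// Because the state is global, its output is decided by whatever
// srand()/mt_srand() call ran earlier in the same request.
function quizPicker(int $count): array
{
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand();
    }
    return $out;
}

// Mitigation for anything security-relevant: random_int() draws from the
// OS CSPRNG and is not influenced by srand()/mt_srand() at all.
function quizPickerSafe(int $count, int $max): array
{
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = random_int(0, $max);
    }
    return $out;
}

// 1. a.php then b.php, twice: b.php repeats itself exactly.
staticSequence(1234, 10);
$firstRun = quizPicker(5);
staticSequence(1234, 10);
$secondRun = quizPicker(5);
var_dump($firstRun === $secondRun);   // bool(true): b.php is predictable

// 2. Same experiment with random_int(): the seed has no effect.
staticSequence(1234, 10);
$a = quizPickerSafe(5, PHP_INT_MAX);
staticSequence(1234, 10);
$b = quizPickerSafe(5, PHP_INT_MAX);
var_dump($a === $b);   // bool(false) (overwhelmingly likely): not seed-controlled

// 3. The "user seed and system seed separated" design the thread asks for,
//    as PHP 8.2 later provided it: a.php gets a private engine instance
//    and the global mt_rand() state is never touched.
if (class_exists(\Random\Randomizer::class)) {
    $private = new \Random\Randomizer(new \Random\Engine\Mt19937(1234));
    $mine = [];
    for ($i = 0; $i < 10; $i++) {
        $mine[] = $private->nextInt();   // reproducible for this caller only
    }
    // quizPicker() keeps its own auto-seeded global state here.
    var_dump(count($mine) === 10);       // bool(true)
}
```

Step 1 is the BC break in the message: a library calling mt_rand() cannot know that some other file reseeded the generator. Step 2 is the fix for any value that must be unguessable (tokens, keys, quiz selection in a graded setting), and step 3 is the fix for the "I need a static random sequence" caller, which is the one Yasuo says must change.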