Hi, On Mon, Apr 1, 2019 at 11:08 AM Benjamin Morel <benjamin.mo...@gmail.com> wrote: > > Seeds could even be dangerous here, as these numbers are supposed to be > cryptographically secure. If you need a seedable PRNG for testing, just use > rand(). >
Not only it could be dangerous, it would beat the entire purpose of random_bytes()/random_int(). Just to clarify for readers not familiar with the topic: Seed-based RNGs are deterministic. deterministic === predictable predictable === not secure Whether you want to seed for testing purposes, or someone has beaten it into you to use random_*() instead of (mt_)rand() and now your code doesn't work the same way, you're likely blindly following best practices without consideration. Not everything is 100% testable and not every problem can have the same solution. If you need to generate secure tokens of some kind - use random_bytes(). If you need to generate unpredictable random numbers - use random_int(). Don't worry about testing either of those. If you need seed-based, reproducible outcomes - use mt_rand(), that's perfectly fine for e.g. re-creating the same "random" map layout in a video game - a valid use case; but it's not for security. Cheers, Andrey. -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
