Use of random values is very important in the computer security field. It is crucial in computer programming for development of secure systems that are not vulnerable to malicious subversion. Cryptography relies on random value's generation and their reproducibility for unpredictable output that is core for security of any system. Random values are fundamental for secure coding practices and PHP highly makes use of them for security. You will find them used in all libraries and frameworks and almost all codes rely on them for the generation of tokens, salts and as inputs for further functions.

He talks about the important of good random numbers and some of the common uses for it including generating salts and unique identifiers. He mentions the "pseudorandomness" of PHP's generators and how they're seeded to help increase this randomness. He finishes up the tutorial with some suggestions and language features for creating "as random as possible" values like using "/dev/urandom" on Linux-based systems.

There are numerous articles on the web about how to properly use bcrypt in PHP. So this time, rather than write yet-another-how-to-use-bcrypt article, I'm going to focus on the mistakes that are commonly made when implementing bcrypt.

Here's the list of seven ways (each has its own description in the post):

• Using A Non-Random Salt
• Using An Incorrect Random Source for Salt Generation
• Using Too Weak Of A Cost Parameter
• Using The Wrong PHP Version
• Using The Wrong Prefix
• Not Checking For Errors
• Not Using A Library

He also includes two "bonus" things to consider: "Not Using A Timing Safe Comparison" and "Not Encoding The Salt Correctly".

At the PHP UK Conference Rasmus mentioned that he wants more people contributing to PHP. There are plenty of ways how you can do that.

Derick points out two more immediate ways you can help, one not even requiring any C knowledge:

• Help test the Release Candidates (like the current PHP 5.4.0 RC8) with a call to "make test" just after your compile.
• The recently added "random PHP bug" functionality that's been added to the bugs.php.net site

Computers cannot generate random numbers. A machine which works in ones and zeros is unable to magically invent its own stream of random data. However, computers can implement mathematical algorithms which produce pseudo-random numbers. They look like random numbers. They feel like random distributions. But they're fake; the same sequence of digits is generated if you run the algorithm twice.

Included in the post is code showing how to use the random functions and how to create a class (Random) that provides a few methods to help make generation easier - "seed" and "num". It first calls "seed" with a number to start the random generator off with and then "num" in a loop to pull out random values based on that.

When we talk about "random" numbers, we generally talk about two fundamental properties: Predictability and Bias. Both are closely related, but are subtly different. Predictability in reference to random numbers is the statistical problem of predicting the next value when knowing any number of previous values. Bias on the other hand is the statistical problem of predicting the next value when knowing the distribution of previous values.

He looks at how predictability can effect true random number generation and a common mistake in generation related to bias in the calculation method. He talks about some of the functions PHP includes to work with randomness, but notes that they all have their flaws. He points to the PHP-CryptLib package as a solution (adhering to the guidelines in RFC 4086 for randomness). He includes some sample code of how to use it to generate random numbers, tokens and sets of bytes. You can find the full source over on github.

Sometimes you just need some data to test and stress things. But randomly generated data is awful - it doesn't have realistic distributions, and it isn't easy to understand whether your results are meaningful and correct. Real or quasi-real data is best. Whether you're looking for a couple of megabytes or many terabytes, the following sources of data might help you benchmark and test under more realistic conditions.

The sample data sets vary from fake movie information to sample site traffic data to the large data sets that Amazon provides (including the Human Genome and US Census data). Some of the comments also link to other sources.

It is surprising to see how after all the code floating around people still find it hard to create random numbers. In a recent piece of code I encountered, the following was used to generate a string of random numbers. The code was written to provide a random string to be passed to a email verifier system - the type wherein a new user when he subscribes to a website needs to verify his email by clicking on a provided link.

He includes a snippet of the code that uses a call to str_shuffle on the set of numbers 1-10 to generate a random number. The only problem with the method is that, when the number gets large enough, PHP would automatically kick it into exponential format - not exactly ideal for an email link. Let this serve as a reminder for any scripts you might make that are similar.

Seclists.org has posted an advisory titled "Weak RNG in PHP session ID generation leads to session hijacking." RNG stands for Random Number Generation, and the advisory is warning that not enough entropy is being used to seed the RNG; this, in turn, can lead to a reduced number of possible session IDs under certain specific conditions, thus making brute force session spoofing easier, if not bringing it into the realm of feasibility.

The threat is only marked at a "medium" level of severity, but it could still cause problems if you're not careful. There are specific conditions that have to be in place for it to be a problem including using the standard PHP session generation and that the app shares the information about remote users. To protect yourself you can either install Suhosin and don't use the result of set an external source for entropy to help randomize the session ID even more.

One crucial part of PHP development practice is always keeping in mind that security is not something you can simply buy off the shelf at your local convenient store. Ensuring the security of your web applications is a process, which over time, needs to be constantly evaluated, monitored, and hardened.

He shows a few methods you can use to secure things - generating random values, making random passwords to give to your users, creating salted passwords, obfuscation and an overview of cryptography in PHP. Complete source code is included.

Whether it's session ids, passwords or tokens in general, in the world of web development the ability to generate random alpha-numeric strings is a necessity. In this article I present a few simple yet effective PHP functions that can be used to generate strong alpha, numeric and/or special character tokens and passwords.

He gives examples of generating tokens and generating passwords, each with a custom function which he explains and gives a usage example for.