Suspekt Blog:
mt_srand and not so random numbers
August 18, 2008 @ 13:49:31

Stefan Esser points out a problem with the mt_rand() and rand() functions in PHP that makes them not quite random enough for cryptographic uses.

PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these algorithms are seeded by a single 32 bit dword when they are first used in a process or one of the seeding functions srand() or mt_srand() is called.

He looks at how it's currently implemented, some examples of bad methods to get "random" numbers, how shared resources are a problem and an example of a cross-application attack (the application in more than one place using the same method for getting random numbers).

In the comments he recommends either grabbing from /dev/random (if you're on a Unix-based system) or making the creation of your numbers a bit more complex to include things the outside world wouldn't know.




Jonathan Street's Blog:
Random thoughts on random strings
July 03, 2008 @ 07:58:33

On his blog, Jonathan Street has posted some "random thoughts" on generating random (or not so random) strings in PHP.

Humans are astoundingly bad at being random and I just slapped the keyboard a few times until I felt I had the required 16 characters. Writing some code to produce a fairly random string is incredibly easy. I've easily done it a dozen times or more. Though only because it is easier to re-write it than to find where I put the last one.

He gives two examples that work, but aren't the best possibilities for making truly random strings - one using mt_rand() to select a random character from a string and the other using the same idea but instead using the chr() function to replace the string of characters.

His other examples include the use of the uniqid() function with the more_entropy setting enabled and an md5 or sha1 hash (for which he gives positives and negatives).



Tobias Schlitt's Blog:
Randomized Pi calculation
April 02, 2007 @ 10:04:00

Since there is no "magic variable" to get a value for Pi in an application, Tobias Schlitt offers up the next best thing - his homegrown solution for creating the value (using a randomized variation).

I don't know which is the most common way to calculate Pi in computer programs, but from the stochastics book I read for my recent stochastics exam, I have a randomized variation, which is quite cool I think.

The code example is included along with a bit of explanation for those not familiar with the concepts behind it. It uses two PHP functions, pow() and mt_rand(), to run through a series of iterations and, using a preset precision value, find the "hits" to finally calculate the value at the end.





All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework