PHP RFC: Random migration

Introduction

While random number generation in PHP has been improved by a series of Random Extension RFCs, the old insecure methods remain, and need to be migrated to a more appropriate and usable form.

Proposal

We propose to deprecate some RNG-related functions in PHP 8.3 and to remove them in the next versions. Where no replacement is available for a deprecated function, a new one is added.

The functions to be deprecated, the reasons for their deprecation, and their replacements are as follows:

srand and rand functions

The following functions are to be deprecated:

  • srand() -> \Random\Randomizer
  • mt_srand() -> \Random\Randomizer
  • rand() -> random_int()
  • mt_rand() -> random_int()

All of these functions have global scope issues described in the Random Extension RFC.

The rand() and mt_srand() functions can be used without explicit seeding, but the seed value used in that case is not reproducible because it uses random_int() internally. *1 In most cases, it is better to use random_int() directly. In addition, srand() and mt_srand() are undesirable from a security standpoint because, if a secure seed value cannot be generated, they fall back *2 to a low-quality linear congruential method to generate the seed value.

If reproducibility is required, we should use \Random\Randomizer, which does not have the global scope issue.
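
An added example (not part of the RFC or of php-src) contrasting the global-state functions with the replacements named above. It assumes PHP 8.2 or later, where \Random\Randomizer and \Random\Engine\Mt19937 are available; legacy_library_call() is a hypothetical stand-in for third-party code.

```php
<?php
declare(strict_types=1);
use Random\Engine\Mt19937;
use Random\Randomizer;

// Hypothetical library routine (assumption): it reseeds the process-wide generator.
function legacy_library_call(): int
{
    mt_srand(1);
    return mt_rand(1, 6);
}

// Legacy pattern: output depends on every other caller of mt_srand()/mt_rand().
function legacy_sequence(int $seed, bool $interleave): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < 5; $i++) {
        if ($interleave) {
            legacy_library_call();
        }
        $out[] = mt_rand(1, 100);
    }
    return $out;
}

// Migrated pattern: the engine state lives in the object, not in global scope.
function isolated_sequence(int $seed, bool $interleave): array
{
    $rng = new Randomizer(new Mt19937($seed));
    $out = [];
    for ($i = 0; $i < 5; $i++) {
        if ($interleave) {
            legacy_library_call();
        }
        $out[] = $rng->getInt(1, 100);
    }
    return $out;
}

// Values that must be unpredictable (codes, tokens) take no seed at all.
function one_time_code(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

var_dump(legacy_sequence(42, false) === legacy_sequence(42, true));
var_dump(isolated_sequence(42, false) === isolated_sequence(42, true));
var_dump(one_time_code());
```

The first comparison reports whether a seeded mt_rand() sequence survives interleaved library calls; the second does the same for a Randomizer instance, whose state no other code can reseed.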

lcg_value() function

This function generates random floating point numbers between 0.0 and 1.0, but the algorithm used is the old linear congruential method and is of low quality.

There is no suitable replacement for this function. Therefore, the random_float() function is added. This function has the following signature:

function random_float(float $min = 0.0, float $max = 1.0, \Random\IntervalBoundary $intervalBoundary = \Random\IntervalBoundary::ClosedClosed): float {}

Backward Incompatible Changes

The following functions are deprecated and will be removed in the version following PHP 8.3.

  • srand()
  • rand()
  • mt_srand()
  • mt_rand()

The following function names are no longer available:

  • random_float()

Proposed PHP Version(s)

PHP 8.3 and the next version

RFC Impact

To SAPIs

none

To Existing Extensions

ext-random

To Opcache

none

New Constants

none

php.ini Defaults

none

Open Issues

By eliminating rand() and mt_rand(), we lose the exception-free random number generation function. However, I do not believe such a situation can occur.

Proposed Voting Choices

Deprecate and remove these functions?

  • Final result: Yes 0, No 0
  • This poll has been closed.

Add random_float() function?

  • Final result: Yes 0, No 0
  • This poll has been closed.

Implementation

WIP

rfc/random_migration.txt · Last modified: 2022/12/21 16:29 by zeriyoshi