Editing PHP (section)

=== Cryptographic security ===
PHP includes <code>rand()</code><ref>{{cite web |title=PHP: Rand – Manual |url=https://php.net/rand}}</ref> and <code>mt_rand()<ref>{{cite web |title=PHP: Mt_rand - Manual |url=https://php.net/mt_rand}}</ref></code>functions which use a [[pseudorandom number generator]], and are not cryptographically secure. As of version 8.1, the <code>random_int()</code> function is included, which uses a cryptographically secure source of randomness provided by the system.<ref>{{cite web | url=https://php.net/random_int | title=PHP: Random_int – Manual }}</ref>

There are two attacks that can be performed over PHP entropy sources: "seed attack" and "state recovery attack".{{Citation needed|date=November 2023}} As of 2012, a $250 [[Graphics processing unit|GPU]] can perform up to 2{{sup|30}} [[MD5]] calculations per second, while a $750 GPU can perform four times as many calculations at the same time.<ref>{{Cite web|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/argyros|title=I Forgot Your Password: Randomness Attacks Against PHP Applications|website=usenix.org|publisher=[[USENIX]]|first1=George|last1=Argyros|first2=Aggelos|last2=Kiayias|date=10 August 2012|access-date=19 April 2024}}</ref> In combination with a "[[birthday attack]]" this can lead to serious security vulnerabilities.{{Citation needed|date=November 2023}}