Revision as of 07:14, 22 August 2025 edit YannickFran (talk \| contribs) Extended confirmed users 2,642 edits →Release history ← Previous edit		Revision as of 13:09, 22 August 2025 edit undo 172.56.178.232 (talk) →Cryptographic security: Red goes outside the code Tags: Mobile edit Mobile web edit Next edit →
Line 1,081: === Cryptographic security === PHP includes <code>rand()</code><ref>{{cite web \|title=PHP: Rand – Manual \|url=https://php.net/rand}}</ref> and <code>mt_rand()</code> <ref>{{cite web \|title=PHP: Mt_rand - Manual \|url=https://php.net/mt_rand}}</ref>~~</code>~~ functions which use a [[pseudorandom number generator]], and are not cryptographically secure. As of version 8.1, the <code>random_int()</code> function is included, which uses a cryptographically secure source of randomness provided by the system.<ref>{{cite web \| url=https://php.net/random_int \| title=PHP: Random_int – Manual }}</ref> There are two attacks that can be performed over PHP entropy sources: "seed attack" and "state recovery attack".{{Citation needed\|date=November 2023}} As of 2012, a $250 [[Graphics processing unit\|GPU]] can perform up to 2{{sup\|30}} [[MD5]] calculations per second, while a $750 GPU can perform four times as many calculations at the same time.<ref>{{Cite web\|url=https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/argyros\|title=I Forgot Your Password: Randomness Attacks Against PHP Applications\|website=usenix.org\|publisher=[[USENIX]]\|first1=George\|last1=Argyros\|first2=Aggelos\|last2=Kiayias\|date=10 August 2012\|access-date=19 April 2024}}</ref> In combination with a "[[birthday attack]]" this can lead to serious security vulnerabilities.{{Citation needed\|date=November 2023}}

PHP: Difference between revisions