
Upcoming deprecation of mt_rand() #6275

Open
poodle123 opened this issue Mar 25, 2024 · 3 comments

Comments

@poodle123

In order to future-proof CI3 mt_rand() should be replaced with random_int(PHP_INT_MIN, PHP_INT_MAX) for PHP versions starting with 7.0.0.

This affects the following system files:

core\Common.php
core\Security.php
helpers\captcha_helper.php
helpers\form_helper.php
helpers\string_helper.php
libraries\Upload.php

If one doesn't need support for PHP lower than 7, then it's just a simple replacement; otherwise a check of the PHP version would be required.

mckaygerhard added a commit to codeigniterpower/codeigniterpower that referenced this issue Mar 25, 2024
* provide a workaround function in code/Common like is_php does
* closes bcit-ci/CodeIgniter#6275
* related to pocketarc/codeigniter#3 (comment)
mckaygerhard added a commit to venenux/codeigniterpower that referenced this issue Mar 25, 2024
* provide a workaround function in code/Common like is_php does
* closes bcit-ci/CodeIgniter#6275
* related to pocketarc/codeigniter#3 (comment)
mckaygerhard pushed a commit to venenux/codeigniterpower that referenced this issue Jun 12, 2024
* provide a workaround function in code/Common like is_php does
* closes bcit-ci/CodeIgniter#6275
* related to pocketarc/codeigniter#3 (comment)
@jamieburchell
Contributor

@poodle123 I don't think the mt_rand function is deprecated? No mention of such here.

@kenjis
Contributor

kenjis commented Jun 22, 2024

The feature in mt_rand() is deprecated.
https://www.php.net/manual/en/random.constants.php

And mt_rand() is not secure from the beginning:

Caution
This function does not generate cryptographically secure values, and must not be used for cryptographic purposes, or purposes that require returned values to be unguessable.
https://www.php.net/manual/en/function.mt-rand.php#refsect1-function.mt-rand-description

@jamieburchell
Contributor

jamieburchell commented Jun 22, 2024

Sure, it shouldn't be used for generating cryptographically secure values. CI only uses it in that context as a poor-man's fallback in case all of the secure random bytes functions are unavailable. Arguably, that should result in an exception rather than a silent failure/fallback. If CI's random bytes function can't return a value, I don't think random_int would succeed either (and that throws an exception if it can't).
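An added example (not CodeIgniter's code and not from any commenter) contrasting the two behaviours the thread describes: the silent mt_rand() fallback next to a helper that performs the PHP version check and throws instead of degrading. Function names are assumptions; scalar type hints are omitted so the guard is meaningful on pre-7 interpreters.

```php
<?php
// Added example, not CodeIgniter code.
// Shows the "poor-man's fallback" pattern and a version that refuses
// to fall back to mt_rand() when no CSPRNG is available.

// "Before": on PHP < 7.0 (no random_int) this silently returns a
// Mersenne Twister value, which is not cryptographically secure.
function weak_random_int($min, $max)
{
    if (function_exists('random_int')) {
        return random_int($min, $max);
    }
    return mt_rand($min, $max); // predictable output, silent downgrade
}

// "After": explicit version guard, then delegate to random_int(), which
// itself throws an Exception when no secure source can be read.
function secure_random_int($min, $max)
{
    if (!function_exists('random_int')) {
        throw new RuntimeException(
            'random_int() unavailable: PHP >= 7.0 is required for secure random values'
        );
    }
    if ($min > $max) {
        throw new InvalidArgumentException('min must be <= max');
    }
    return random_int($min, $max);
}

// Token helper with the same guard; random_bytes() shares random_int()'s
// availability (PHP >= 7.0) and failure semantics.
function secure_token($bytes = 32)
{
    if (!function_exists('random_bytes')) {
        throw new RuntimeException('random_bytes() unavailable: PHP >= 7.0 required');
    }
    return bin2hex(random_bytes($bytes));
}

try {
    echo secure_random_int(PHP_INT_MIN, PHP_INT_MAX), PHP_EOL;
    echo secure_token(), PHP_EOL;
} catch (Exception $e) {
    // Fail loudly rather than continuing with weak randomness.
    error_log('Secure randomness unavailable: ' . $e->getMessage());
    exit(1);
}
```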
