Some good things in there, but this stuck out to me:
PHP8 didn’t seize the opportunity to keep the momentum and to aliases rand and mt_rand to random_int
I hope they never do this; rand is aliased to mt_rand anyway, and mt_rand is useful for deterministic random number generation via seed setting. If these are aliased to random_int, then you’d have to break out something like Seedspring which is a lot of 3rd party code just to have a deterministic random number generator.
Don’t forget, the docs have this on both rand and mt_rand:
Caution This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using random_int(), random_bytes(), or openssl_random_pseudo_bytes() instead.
While I would like it to not suggest openssl_random_pseudo_bytes, it still indicates to people that there’s other functions required to get CSPRNGs.
A lot of the code like rand is the way it is for a reason which web coders dont understand.
Undefined variables, as opposed to cinstants, are still not an error, meaning that things like solt instead of salt might (and will) go unnoticed.
Was “cinstants” a deliberate misspelling to demonstrate how easily typos slip into code?
That’s a very good article, thank you.
Members
Online