Let me begin this post by saying that almost no event is truly random. Even the outcome of a classic coin toss could in theory be predicted if we knew the effect of every factor involved, like air friction, gravity, and initial force.
The same thing is applicable to the generation of random numbers and alphanumeric strings. The best we can hope for is to generate numbers and strings that don't seem to follow a pattern and can't be practically predicted by an attacker.
In this tutorial, we will cover different techniques for generating random numbers and alphanumeric strings in php. Some of them will be cryptographically secure, while others are meant only for casual use, like assigning pseudo-random file names or creating URLs and suggesting usernames.
Generating Random Numbers in PHPThere are three different functions for generating random numbers in PHP. All of them will accept a minimum and maximum possible value for the random numbers and output a random number for you. These are rand($min, $max) , mt_rand($min, $max) , and random_int($min, $max) .
With rand() , the minimum and maximum values of integers you can generate lie between 0 and the value returned by getrandmax() . Before PHP 7.1.0, this function was about four times slower than mt_rand() . However, starting from PHP 7.1.0, it has been made an alias of mt_rand() . Unlike mt_rand() , though, you can set the value of $max to be lower than $min without causing an error.
With mt_rand() , the minimum and maximum values of integers you can generate lie between 0 and the value returned by mt_getrandmax() . It relies on an implementation of the Mersenne Twister to generate random numbers. Watch out, though―prior to PHP 7.1.0, this function implemented an incorrect version of the algorithm to generate the numbers. However, it has been fixed in newer versions.
The function became even better in PHP 7.2.0 by getting rid of a modulo bias bug. This means that for some particular seeds,your sequence of random numbers will now be slightly better compared to older versions. Some specialized code might actually rely on this bias, though. If so, you can use the older seed algorithm by calling the mt_srand() function to seed the random number generator and passing MT_RAND_PHP as the value of the second parameter.
The mt_rand() function has a period of 2 19937 1, which basically means that in best case scenarios you get as many as 2 19937 1 random numbers before the sequence starts repeating. You should note that repetition of a sequence is not the same as repetition of a particular number. In other words, you might get the same random number twice, but that does not mean that the sequence itself has started repeating. The following sequence is an example:
In the above sequence, we had 1267 twice in the output, but that does not mean that the whole sequence started repeating after that. It's unlikely to get the same number repeated so soon in a random sequence, but it is possible!
Cryptographically Secure Random IntegersIf you want cryptographically secure pseudo-random numbers, the random_int() function in PHP is your best bet. It will generate random numbers between the provided $min and $max values, which default to PHP_INT_MIN and PHP_INT_MAX . Unfortunately, this function is only available starting from PHP 7.0. For versions before that, you can use this polyfill on GitHub .
Random FloatsInstead of generating random integers, you might also want to generate floats. This can be done effortlessly by simply dividing a random number with a value returned by mt_getrandmax() . The following example will illustrate how to generate a random float between 0 and 1 or between any other minimum and maximum limits.
<?php// Output: 0.69458310943776
echo mt_rand(0, mt_getrandmax())/mt_getrandmax();
function mt_random_float($min, $max) {
$float_part = mt_rand(0, mt_getrandmax())/mt_getrandmax();
$integer_part = mt_rand($min, $max - 1);
return $integer_part + $float_part;
}
// Output: 10.199064863938
echo mt_random_float(10, 11);
// Output: 35.540808309121
echo mt_random_float(15, 50);
?>
When generating a random float between given limits, we make sure that the random integer numbers do not go above $max - 1 . This way, we can be sure that adding the float part will not take the number above the maximum limit.
Seeding the Random Number GeneratorsOne concept that needs a little bit of explanation is seeds. Put simply, these are just numbers that can be used to initialize the rand() and mt_rand() functions before generating any random numbers. The function which seeds rand() is called srand($seed) , and the function which seeds mt_rand() is called mt_srand($seed, $mode) .
It's important to remember that providing an initial seed value every single time before calling rand() and mt_rand() won't necessarily produce better random numbers. In fact, using the same seed each time will give you the same random number as well!
<?phpmt_srand(10);
// Output: 1656398468
echo mt_rand();
mt_srand(10);
// Output: 1656398468
echo mt_rand();
mt_srand(10);
// Output: 1656398468
echo mt_rand();
?>
Seeding a random number is useful in situations where you want to generate a random but reproducible sequence. The following code snippet generates the same sequence of random numbers when run twice.
<?phpmt_srand(10);
$count = 0;
while($count < 10) {
echo mt_rand(0, 100)." ";
$count++;
}
// Output on First Run:
// 68 58 68 13 3 48 30 37 96 82
// Output on Second Run:
// 68 58 68 13 3 48 30 37 96 82
Generating reproducible random sequences this way can help debug programs which were being tested using random data―if you keep track of the seed, you can reproduce the same input to figure out what went wrong.
Generating Random Alphanumeric Strings inPHPThere are many ways to generate random alphanumeric strings, and what you use will depend on your needs.
Generate Shuffled StringsIf you want to generate random alphanumeric strings from a fixed set of characters, you can use the str_shuffle($string) function. This function will provide you a randomly shuffled string. Starting from PHP 7.1, the algorithm which determines the random order of characters in the output string has been changed to the Mersenne Twister.
Remember that the random string generated this way is not cryptographically secure. However, the string will still be pretty unpredictable for common use like generating random file names or URLs. Here are a few examples:
<?php$permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyz';
// Output: 54esmdr0qf
echo substr(str_shuffle($permitted_chars), 0, 10);
$permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
// Output: video-g6swmAP8X5VG4jCi.mp4
echo 'video-'.substr(str_sh
