Upcoming deprecation of mt_rand()
In order to future-proof CI3, mt_rand() should be replaced with random_int(PHP_INT_MIN, PHP_INT_MAX) for PHP versions starting with 7.0.0.
This affects the following system files:
core\Common.php, core\Security.php, helpers\captcha_helper.php, helpers\form_helper.php, helpers\string_helper.php, libraries\Upload.php
If one doesn't need support for PHP lower than 7, then it's just a simple replacement; otherwise a check of the PHP version would be required.
@poodle123 I don't think the mt_rand function is deprecated? No mention of such here.
The feature in mt_rand() is deprecated.
https://www.php.net/manual/en/random.constants.php
And mt_rand() is not secure from the beginning:
Caution: This function does not generate cryptographically secure values, and must not be used for cryptographic purposes, or purposes that require returned values to be unguessable.
https://www.php.net/manual/en/function.mt-rand.php#refsect1-function.mt-rand-description
Sure, it shouldn't be used for generating cryptographically secure values. CI only uses it in that context as a poor-man's fallback in case all of the secure random bytes functions are unavailable. Arguably, that should result in an exception rather than a silent failure/fallback. If CI's random bytes function can't return a value, I don't think random_int would succeed either (and that throws an exception if it can't).
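One way to combine the version check from the first post with the fail-closed behaviour argued for in the last comment, as an added example that is not CodeIgniter's code and not written by anyone in this thread. The function names `example_secure_bytes` and `example_secure_int` are hypothetical, and the 31-bit range limit on the pre-PHP 7 path is an assumption of this example.

```php
<?php
// Added example: hypothetical helpers, not part of CodeIgniter.

/** Return $length bytes from a CSPRNG or throw; never falls back to mt_rand(). */
function example_secure_bytes($length)
{
    if (function_exists('random_bytes')) {            // PHP >= 7.0
        return random_bytes($length);                 // throws if no entropy source
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        // Accept the result only if OpenSSL reports a strong algorithm was used.
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Fail closed: the caller must handle this instead of getting guessable output.
    throw new RuntimeException('No secure random source available');
}

/** Uniform integer in [$min, $max]; random_int() on PHP 7+, rejection sampling below. */
function example_secure_int($min, $max)
{
    if (!is_int($min) || !is_int($max) || $min > $max) {
        throw new InvalidArgumentException('Expected integers with $min <= $max');
    }
    if (function_exists('random_int')) {              // PHP >= 7.0
        return random_int($min, $max);
    }
    $range = $max - $min;                             // becomes float on overflow
    if (!is_int($range) || $range > 0x7FFFFFFF) {
        throw new RangeException('Range too wide for the pre-PHP 7 path');
    }
    if ($range === 0) {
        return $min;
    }
    // Smallest all-ones bitmask covering $range, so at most half the draws are rejected.
    $mask = 1;
    while ($mask < $range) {
        $mask = ($mask << 1) | 1;
    }
    do {
        $parts = unpack('N', example_secure_bytes(4)); // 32-bit big-endian value
        $value = $parts[1] & $mask;                    // masking avoids modulo bias
    } while ($value > $range);                         // reject out-of-range draws
    return $min + $value;
}
```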