At the PHP UK Conference Rasmus mentioned that he wants more people contributing to PHP. There are plenty of ways how you can do that.

Derick points out two more immediate ways you can help, one not even requiring any C knowledge:

• Help test the Release Candidates (like the current PHP 5.4.0 RC8) with a call to "make test" just after your compile.
• The recently added "random PHP bug" functionality that's been added to the bugs.php.net site

Computers cannot generate random numbers. A machine which works in ones and zeros is unable to magically invent its own stream of random data. However, computers can implement mathematical algorithms which produce pseudo-random numbers. They look like random numbers. They feel like random distributions. But they're fake; the same sequence of digits is generated if you run the algorithm twice.

Included in the post is code showing how to use the random functions and how to create a class (Random) that provides a few methods to help make generation easier - "seed" and "num". It first calls "seed" with a number to start the random generator off with and then "num" in a loop to pull out random values based on that.

When we talk about "random" numbers, we generally talk about two fundamental properties: Predictability and Bias. Both are closely related, but are subtly different. Predictability in reference to random numbers is the statistical problem of predicting the next value when knowing any number of previous values. Bias on the other hand is the statistical problem of predicting the next value when knowing the distribution of previous values.

He looks at how predictability can effect true random number generation and a common mistake in generation related to bias in the calculation method. He talks about some of the functions PHP includes to work with randomness, but notes that they all have their flaws. He points to the PHP-CryptLib package as a solution (adhering to the guidelines in RFC 4086 for randomness). He includes some sample code of how to use it to generate random numbers, tokens and sets of bytes. You can find the full source over on github.

Sometimes you just need some data to test and stress things. But randomly generated data is awful - it doesn't have realistic distributions, and it isn't easy to understand whether your results are meaningful and correct. Real or quasi-real data is best. Whether you're looking for a couple of megabytes or many terabytes, the following sources of data might help you benchmark and test under more realistic conditions.

The sample data sets vary from fake movie information to sample site traffic data to the large data sets that Amazon provides (including the Human Genome and US Census data). Some of the comments also link to other sources.

It is surprising to see how after all the code floating around people still find it hard to create random numbers. In a recent piece of code I encountered, the following was used to generate a string of random numbers. The code was written to provide a random string to be passed to a email verifier system - the type wherein a new user when he subscribes to a website needs to verify his email by clicking on a provided link.

He includes a snippet of the code that uses a call to str_shuffle on the set of numbers 1-10 to generate a random number. The only problem with the method is that, when the number gets large enough, PHP would automatically kick it into exponential format - not exactly ideal for an email link. Let this serve as a reminder for any scripts you might make that are similar.

Seclists.org has posted an advisory titled "Weak RNG in PHP session ID generation leads to session hijacking." RNG stands for Random Number Generation, and the advisory is warning that not enough entropy is being used to seed the RNG; this, in turn, can lead to a reduced number of possible session IDs under certain specific conditions, thus making brute force session spoofing easier, if not bringing it into the realm of feasibility.

The threat is only marked at a "medium" level of severity, but it could still cause problems if you're not careful. There are specific conditions that have to be in place for it to be a problem including using the standard PHP session generation and that the app shares the information about remote users. To protect yourself you can either install Suhosin and don't use the result of set an external source for entropy to help randomize the session ID even more.

One crucial part of PHP development practice is always keeping in mind that security is not something you can simply buy off the shelf at your local convenient store. Ensuring the security of your web applications is a process, which over time, needs to be constantly evaluated, monitored, and hardened.

He shows a few methods you can use to secure things - generating random values, making random passwords to give to your users, creating salted passwords, obfuscation and an overview of cryptography in PHP. Complete source code is included.

Whether it's session ids, passwords or tokens in general, in the world of web development the ability to generate random alpha-numeric strings is a necessity. In this article I present a few simple yet effective PHP functions that can be used to generate strong alpha, numeric and/or special character tokens and passwords.

He gives examples of generating tokens and generating passwords, each with a custom function which he explains and gives a usage example for.

As a follow up to my earlier article about fetching a single random row from MySQL I will tell you today, how you can fetch multiple random rows from a table without any hassle. Compared to the solution with fetching a single random row, fetching multiple random rows requires some tricks.

The tutorial walks you through the creation of some sample tables, making a simple trigger to keep a "random ID" column in a value range of one to the number of rows (gapless) and a bit of PHP code to select some IDs from the table and the SQL to get their information.

Be sure to check out the comments for mentions of the number of table reads and how optimized certain parts of the queries might be.

In this article, we will be looking at user authentication. User authentication simply means verifying that a particular user has the right to access a part of our application. Because our application deals with user preferences, access control is even more pertinent especially since multiple users are going to try to access this application at any given time.

As a part of this user validation and customization, they need to create a form that non-human scripts have a harder time using (hopefully weeding them out and getting better user information). The article steps you through a few lines of code that you can use to create a simple image of a four-digit number whose value is placed in a session variable so it can be validated on submission of the form.