Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
As the rand() and mt_rand() functions rely on a pseudorandom number generator, it should not be used for
security-critical applications or for protecting sensitive data.
There is a risk if you answered yes to any of those questions.
random_int() or random_bytes()
or openssl_random_pseudo_bytes() openssl_random_pseudo_bytes(), provide and check the crypto_strong parameter $random = rand(); $random2 = mt_rand(0, 99);
$randomInt = random_int(0,99); // Compliant; generates a cryptographically secure random integer