Here is a reason why not to use rand().


josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

kaisellgren wrote:The $level-1 does not produce any bugs. It's there, because the value of $level is from 0 to 256, and since 256 is not a proper value it's decreased by one.
You're basing the coordinates of each dot on the dot that was drawn previous to it, therefore you're getting quite visual horizontal clustering that you cannot deny. The fact of the matter though is any scatter plot is going to have observable patterns if the vector space is transformed to a high-dimensional hyperspace using a dot product. It's just a matter of finding the right way to "project" the data to view the patterns. Given enough time a machine will find a pattern with any data set; it might take longer than the universe will be around for, but it has been proven... These are called NP-Complete problems in computer science.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:
kaisellgren wrote:The $level-1 does not produce any bugs. It's there, because the value of $level is from 0 to 256, and since 256 is not a proper value it's decreased by one.
You're basing the coordinates of each dot on the dot that was drawn previous to it, therefore you're getting quite visual horizontal clustering that you cannot deny. The fact of the matter though is any scatter plot is going to have observable patterns if the vector space is transformed to a high-dimensional hyperspace using a dot product. It's just a matter of finding the right way to "project" the data to view the patterns. Given enough time a machine will find a pattern with any data set; it might take longer than the universe will be around for, but it has been proven... These are called NP-Complete problems in computer science.
rand() produces far less random numbers than mt_rand(), how is that not clear to you?

We can of course customize our algorithm to produce less pattern-like pictures that work with rand(), but in the end mt_rand() beats rand() also in performance.

EDIT: Your demonstration also speaks for itself, rand() produced pattern-like results for you too. There are no bugs. Too bad I don't do lotteries.
Last edited by kaisellgren on Tue Dec 30, 2008 6:19 pm, edited 1 time in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

kaisellgren wrote:rand() produces far less random numbers than mt_rand(), how is that not clear to you?
Your code has a bug, how is that not clear to you?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:
kaisellgren wrote:rand() produces far less random numbers than mt_rand(), how is that not clear to you?
Your code has a bug, how is that not clear to you?
Then yours has one too. :lol:

Whether you make buggy scripts or not, mt_rand() always 'performs better' in terms of entropy. I can also prove this with numbers instead of images.
Last edited by kaisellgren on Tue Dec 30, 2008 6:26 pm, edited 1 time in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

Nope, no bugs. Also, I already agreed with you rand() is more predictable by both humans and machines. "Less random" isn't a quantifiable concept though.
Mark Cunningham
Forum Newbie
Posts: 4
Joined: Tue Dec 30, 2008 6:02 pm
Location: UK

Re: Here is a reason why not to use rand().

Post by Mark Cunningham »

The first picture looks very much like an array of random numbers, and you are just looping the initial random numbers several times. rand() is random and I've never seen a pattern, although I could be wrong.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

kaisellgren wrote:The $level-1 does not produce any bugs. It's there, because the value of $level is from 0 to 256, and since 256 is not a proper value it's decreased by one. -1 seems to be a proper value, it's same as 0.
But you're passing it for the x and y, not the color...
Mark Cunningham wrote: I've never seen a pattern, although I could be wrong
See my image, there is a pattern but not as predictable as kaisellgren would lead you to believe.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:Nope, no bugs. Also, I already agreed with you rand() is more predictable by both humans and machines. "Less random" isn't a quantifiable concept though.
Well, that's why I have used the quotation marks. You know, I use English 1% of the day, so I am not really familiar with the right terms in this language. Do you happen to know Swedish, Estonian or Finnish? I could explain this better.

And by the way, I don't follow what you are trying to say with that bug. How does it affect anything? Regardless of bugs or perfect code, the pictures are always more pattern-like in rand(). Or are you trying to say rand() makes even more pattern-like pictures when my script is buggy?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:
kaisellgren wrote:The $level-1 does not produce any bugs. It's there, because the value of $level is from 0 to 256, and since 256 is not a proper value it's decreased by one. -1 seems to be a proper value, it's same as 0.
But you're passing it for the x and y, not the color...
Mark Cunningham wrote: I've never seen a pattern, although I could be wrong
See my image, there is a pattern but not as predictable as kaisellgren would lead you to believe.
Sorry for the double post.

The images in the first post were both made with the same algorithm. I only added mt_ in front of the rand() function. And look how much it differs. The reason why my script produces more patterns is due to the nature of repetitive random. Read the source code of rand(), and you will realise that's not the best thing rand() can cope with. I tried to make the picture for rand() more pattern-like on purpose. So I exploited it. But it's still a fair comparison.

I am not passing $level to x and y.
Last edited by kaisellgren on Tue Dec 30, 2008 6:32 pm, edited 1 time in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

Sorry for the miscommunications, no harsh feelings. I'm just saying your program isn't doing what you led us to believe. In my last post I lied, you are grabbing it for the color, but since you're looping over every dot your script is very misleading. Just compare your image to my rand image.

See, the problem is this line:
$level = $mpa[0];

Since you do $level += later, by a truly random # there is "randomness" to the image, but your colors all share a common denominator, the value of $mpa[0], which means your script is not commutative, the effects of the $mpa[0] constant are transitive, that's the bug.
Last edited by josh on Tue Dec 30, 2008 6:34 pm, edited 1 time in total.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:Sorry for the miscommunications, no harsh feelings. I'm just saying your program isn't doing what you led us to believe. In my last post I lied, you are grabbing it for the color, but since you're looping over every dot your script is very misleading. Just compare your image to my rand image.
Well maybe it's very unclear. I'll try to clear things up a bit in the first post...
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

Edited my post while you were posting ^^^ posted more helpful constructive comments :-D Sorry for all the noise. You have shown why mt_rand is more "secure" though: despite the bug, the end result looks way more random _with_ the bug, which says bounds more than the intention you had when you originally wrote the post. So the moral is mt_rand is more tolerant to programmer error.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:Sorry for the miscommunications, no harsh feelings. I'm just saying your program isn't doing what you led us to believe. In my last post I lied, you are grabbing it for the color, but since you're looping over every dot your script is very misleading. Just compare your image to my rand image.

See, the problem is this line:
$level = $mpa[0];

Since you do $level += later, by a truly random # there is "randomness" to the image, but your colors all share a common denominator, the value of $mpa[0], which means your script is not commutative, the effects of the $mpa[0] constant are transitive, that's the bug.
Ok. First of all, whether I made a bug or not -- we can still see how much better mt_rand() performs. Can't we?

I'm doing *= not +=, that's because serious repetition of random is the Achilles' heel of rand(). That's why the picture appears so pattern-like for rand().

$mpa[0] is a random value from 0 to 2 in my pictures in the first post. Then I do *= with a value of 0 to 2 from the same random function. $mpa is always reinitiated. Basically what it does, is that it multiplies all array elements with each other. I couldn't find a premade PHP array function to do this so I ended searching for one and made that quickly.

EDIT: Funny we are arguing about two crap functions, because even mt_rand() is not capable of producing good entropies. Especially in older PHP versions, where the ladder bit is dropped off due to a bug.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Here is a reason why not to use rand().

Post by josh »

kaisellgren wrote:EDIT: Funny we are arguing about two crap functions, because even mt_rand() is not capable of producing good entropies. Especially in older PHP versions, where the ladder bit is dropped off due to a bug.
That's why I raised the issue of it being a philosophical debate: does a human determine his environment, or do the laws of physics determine what the human will do? Is consciousness an "illusion", a by-product of brain function? Is that voice in your head, your "cognition", really you or just noise, delayed 1 or 2 seconds behind the thinking process? Hahaha

I still hold my statement mt_rand is less predictable than rand by current computers or humans, randomness is an illusion though, it'd be like trying to write a program that can find gold at the end of a rainbow.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Here is a reason why not to use rand().

Post by kaisellgren »

jshpro2 wrote:
kaisellgren wrote:EDIT: Funny we are arguing about two crap functions, because even mt_rand() is not capable of producing good entropies. Especially in older PHP versions, where the ladder bit is dropped off due to a bug.
I still hold my statement mt_rand is less predictable than rand by current computers or humans, randomness is an illusion though, it'd be like trying to write a program that can find gold at the end of a rainbow.
For sure I second that statement of yours.

In the end, there is no such thing as random. I can't know that, neither can you, but that's my opinion. There is no true random -- not even in nature. When you wake up at 10:38 AM on your holiday, it's not because of random. When you get hit by a bus, it's not because of random. This is my inner world. I cannot understand how something like random can exist in reality. It's just impossible. After all, everything is just one big chain reaction. But let's not discuss philosophy or physics or anything else. Let's stay with PHP.

But now I really have to go to my bed, he has been waiting for me for a long time poor bed :cry: ... it's 3 AM in here right now...
Last edited by kaisellgren on Tue Dec 30, 2008 6:58 pm, edited 1 time in total.
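
Added example (not code posted by anyone in this thread): the thread ends on the point that looking patternless and being unpredictable are different properties, so the PHP below measures uniformity with a chi-square statistic and then shows that a token built from mt_rand() is replayed exactly from its seed, while one from random_bytes() has no seed to replay. The function names and the seed value are constructed for illustration; it assumes PHP 7.0 or later (from PHP 7.1, rand() is an alias of mt_rand()).

```php
<?php
// Added example: uniformity vs. predictability for PHP's mt_rand().

// Chi-square statistic for $n draws from $gen spread over $buckets bins.
// A value near ($buckets - 1) means the output looks uniform.
function chiSquare(callable $gen, int $n, int $buckets): float
{
    $counts = array_fill(0, $buckets, 0);
    for ($i = 0; $i < $n; $i++) {
        $counts[$gen(0, $buckets - 1)]++;
    }
    $expected = $n / $buckets;
    $chi = 0.0;
    foreach ($counts as $c) {
        $chi += (($c - $expected) ** 2) / $expected;
    }
    return $chi;
}

// Token built from mt_rand(): fully determined by the seed.
function weakToken(int $seed, int $length = 16): string
{
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= dechex(mt_rand(0, 15));
    }
    return $out;
}

// Token drawn from the operating system CSPRNG.
function strongToken(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

$seed = 1230661140; // constructed sample seed (a Unix timestamp)

// 1. Both generators pass a simple uniformity check (255 degrees of freedom).
printf("chi-square mt_rand:    %.1f\n", chiSquare('mt_rand', 100000, 256));
printf("chi-square random_int: %.1f\n", chiSquare('random_int', 100000, 256));

// 2. The same seed reproduces the same mt_rand() "secret" every time.
var_dump(weakToken($seed) === weakToken($seed));

// 3. Two CSPRNG tokens are independent of each other.
var_dump(strongToken() === strongToken());
```

A statistic close to 255 for both generators means the pictures would look equally patternless; only the replay check in step 2 separates them, which is why security tokens belong on random_bytes() or random_int().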