Ref T13222. Mostly, I need to generate SMS codes for MFA, e.g. 12345678.
I'm planning to use numeric codes for general consistency/user expectation, since most (all?) other SMS MFA systems I interact with regularly use numeric codes. (We could use alphanumeric codes instead fairly easily, but we'd probably want at least some handling for visually similar glyphs like: "i" vs "I" vs "l" vs "1" vs "|". readRandomCharacters() attempts to limit the fallout here but can still generate "i" and "o", which users might enter as "1" and "0", especially if we happen to send them a code like "635o29".)
PHP 7.2.0 and newer provider random_int() to do this. They also provide random_bytes(), which is approximately a builtin version of our readRandomBytes().
Expose random_int(), falling back to mt_rand() if it's not available (this should be fine for SMS MFA codes). Make readRandomBytes() use random_bytes() if available.