Newsgroups: php.internals
Date: Fri, 11 May 2018 22:38:04 +0200
Subject: Re: [PHP-DEV] [RFC] Deprecation of uniqid()
From: arvids.godjuks@gmail.com (Arvids Godjuks)
To: Alice Wonder
Cc: PHP internals

2018-05-11 17:19 GMT+02:00 Alice Wonder:

> On 05/11/2018 05:34 AM, Alice Wonder wrote:
>
>> On 05/11/2018 05:10 AM, Alice Wonder wrote:
>>
>>> On 05/11/2018 03:50 AM, Arvids Godjuks wrote:
>>>
>>>> 2018-05-11 12:36 GMT+02:00 Alice Wonder:
>>>>
>>>> On 05/11/2018 01:59 AM, Arvids Godjuks wrote:
>>>>>
>>>>> 2018-05-10 16:33 GMT+02:00 Niklas Keller:
>>>>>>
>>>>>> Hey,
>>>>>>
>>>>>>>
>>>>>>> I hereby propose to deprecate uniqid(). There have been attempts to fix it
>>>>>>> (https://wiki.php.net/rfc/uniqid), but those were rejected during
>>>>>>> discussion, because there's no possible fix without breaking BC. Instead of
>>>>>>> a subtle BC break, this RFC favors the deprecation and moving users to
>>>>>>> other functions.
>>>>>>>
>>>>>>> It's to be discussed whether the function should be removed with PHP 8.0 or
>>>>>>> just deprecated to avoid fully breaking things where it's not strictly
>>>>>>> necessary. A deprecation will probably avoid most new usages, which is the
>>>>>>> main goal.
>>>>>>>
>>>>>>> RFC: https://wiki.php.net/rfc/deprecate-uniqid
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Niklas
>>>>>>>
>>>>>>> --
>>>>>>> PHP Internals - PHP Runtime Development Mailing List
>>>>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>
>>>>>> as a userland user of this function I do disagree with its outright
>>>>>> removal. It has its uses.
>>>>>> What can be done with it is drop the $more_entropy flag and make it
>>>>>> generate at least as long strings and use random_bytes under the hood for a
>>>>>> better random.
>>>>>> It can also adopt a length parameter so you can vary the random part as
>>>>>> much as you need it.
>>>>>>
>>>>>> You don't always need a truly random token - I have a system that uses
>>>>>> uniqid to generate tens of thousands of tokens per request and it's actually a
>>>>>> good thing they are time based at the start of it with a random part at the
>>>>>> end (as I said the random part should be improved and get rid of that
>>>>>> stupid dot when generating with $more_entropy = true).
>>>>>>
>>>>>>
>>>>>> It seems to me that for your use case, you could just use the time()
>>>>> function to get part of your unique id and then use libsodium to generate
>>>>> a nonce for the "random" part, using sodium's function for incrementing the
>>>>> nonce between each use.
>>>>>
>>>>> Predictable, sure, but your use case says they don't need to be a truly
>>>>> random token - just unique (essentially a non-random nonce) but with a time
>>>>> component.
>>>>>
>>>>> Hello Alice,
>>>>
>>>> Sure, there is lots I can do about that project, including what you have
>>>> described. One thing though - client does not need it or want it or wants
>>>> to pay for that work. That whole project is a poster child for a "side
>>>> project on a bare minimum, but done by a competent developer instead of a
>>>> student so it actually works in the long run"
>>>>
>>> Tell the client they can use this for free.
>>>
>>> function compat_uniqid(string $prefix='', bool $more_entropy = false)
>>> {
>>>     static $nonce = null;
>>>     if(is_null($nonce)) {
>>>         $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
>>>     }
>>>     $m = microtime(true);
>>>     $return = sprintf("%8x%05x",floor($m),($m-floor($m))*1000000);
>>>     if($more_entropy) {
>>>         sodium_increment($nonce);
>>>         $x = hexdec(substr(bin2hex($nonce),0,8));
>>>         $x = str_pad($x, 12, "0", STR_PAD_LEFT);
>>>         $return = $return . substr($x, 0, 1) . '.' . substr($x, -8);
>>>     }
>>>     return $prefix . $return;
>>> }
>>>
>> slightly better if block
>>
>> if($more_entropy) {
>>     sodium_increment($nonce);
>>     $x = hexdec(substr(bin2hex($nonce),0,12));
>>     $return = $return . substr($x, 2, 1) . '.' . substr($x, -8);
>> }
>>
>> Obvious patterns in the "more entropy" but the output is only supposed to
>> be unique, not random.
>>
> If you don't need the output to be the exact same format, this avoids
> collisions and is faster.
>
> function cryptoUniqid(string $prefix = '', bool $prng = false): string
> {
>     static $nonce = null;
>     if($prng || is_null($nonce)) {
>         $nonce = random_bytes(16);
>     } else {
>         sodium_increment($nonce);
>     }
>     $m = microtime(true);
>     $return = sprintf("%8x%05x", floor($m), ($m-floor($m))*1000000);
>     $return = $return . '.' . base64_encode($nonce);
>     return $prefix . $return;
> }
>

Thank you for all the advice Alice :)

-- 
Arvīds Godjuks

+371 26 851 664
arvids.godjuks@gmail.com
Skype: psihius
Telegram: @psihius https://t.me/psihius
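
Added example, not part of the original message or of PHP itself: it shows what the "unique, not random" trade-off discussed in the thread looks like in the generated values. The helper names decodeTimePrefix() and bytesChanged() are hypothetical, and the script assumes the sodium extension is loaded.

```php
<?php
declare(strict_types=1);

// Split an ID built with the "%8x%05x" layout quoted above into its clock fields:
// 8 hex digits of Unix seconds followed by 5 hex digits of microseconds.
function decodeTimePrefix(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})/', $id, $m)) {
        throw new InvalidArgumentException('no 13-hex-digit time prefix');
    }
    return ['sec' => (int) hexdec($m[1]), 'usec' => (int) hexdec($m[2])];
}

// Number of byte positions in which two equal-length strings differ.
function bytesChanged(string $a, string $b): int
{
    return count(array_diff_assoc(str_split($a), str_split($b)));
}

// 1. The prefix is a readable timestamp, in uniqid() and in both replacements
//    posted in the thread, so anyone who sees an ID learns when it was made.
$t = decodeTimePrefix(uniqid());
printf("uniqid() was called at %s.%06d UTC\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);

// 2. Counter suffix: sodium_increment() adds 1 to a little-endian number,
//    so consecutive values share every byte except the low-order ones.
//    This guarantees uniqueness within the process, not unpredictability.
$nonce = random_bytes(16);
$next = $nonce;
sodium_increment($next);
printf("counter suffix: %d of 16 bytes changed\n", bytesChanged($nonce, $next));

// 3. CSPRNG suffix (the $prng = true path of cryptoUniqid): every value is
//    drawn independently, so one suffix says nothing about the next.
printf("random suffix:  %d of 16 bytes changed\n", bytesChanged($nonce, random_bytes(16)));
```

Identifiers with a clock prefix and counter suffix suit ordering and de-duplication; a value that must stay secret (session, reset or API token) should come from random_bytes() alone.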