Newsgroups: php.internals
Date: Sat, 2 May 2020 14:13:25 -0500
From: ben@benramsey.com (Ben Ramsey)
To: AllenJB
Cc: PHP Internals
Subject: Re: [PHP-DEV] Deprecating uniqid()
In-Reply-To: <9e3b1604-8d0a-9db4-aab6-e5f2198252f4@allenjb.me.uk>
References: <9e3b1604-8d0a-9db4-aab6-e5f2198252f4@allenjb.me.uk>

> On May 2, 2020, at 13:57, AllenJB wrote:
>
> Hi all,
>
> I'd like to discuss deprecating uniqid()
>
> I believe it's dangerously bad at doing "what it says on the tin". New developers still reach for it and do not read the warnings on the manual page (or if they do, don't fully understand how bad it is).
>
> For older codebases that still rely on it, a userland replacement can be easily implemented (and could be published on Packagist).
>
> I noticed there was an RFC [0][1] brought up 2 years ago, but was never voted on. Does anyone know why this was?
>
> [0] https://externals.io/message/102097
> [1] https://wiki.php.net/rfc/deprecate-uniqid
>
> Is there interest in deprecating this function?
>
> If not deprecation, how could it be (further) "improved"? My first thought is to make the "more entropy" option enabled by default (the argument could remain so that it can be disabled by codebases that rely on the lower length and can take the tradeoffs).

Instead of deprecating and removing it, would anyone be opposed to replacing the internals of the function so that it uses `random_bytes()` under the hood, while all other functionality remains the same?

Cheers,
Ben
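
The two ideas raised in this message (a userland replacement, and a `random_bytes()`-backed body with the same calling shape), sketched as an added example that is not code from the thread or from php-src. The names `random_uniqid()` and `uniqid_embedded_time()` are hypothetical, and the all-hex tail used for the "more entropy" case is an assumption of this example rather than `uniqid()`'s own format.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical userland stand-in for uniqid(): same prefix argument and the
 * same documented lengths (13 characters, 23 with $moreEntropy), but every
 * character comes from the CSPRNG instead of the clock.
 */
function random_uniqid(string $prefix = '', bool $moreEntropy = false): string
{
    $hexLen = $moreEntropy ? 23 : 13;
    // random_bytes() yields 2 hex characters per byte; round up, then trim.
    $bytes = random_bytes(intdiv($hexLen + 1, 2));
    return $prefix . substr(bin2hex($bytes), 0, $hexLen);
}

/**
 * Recover the creation time that a native uniqid() value carries:
 * 8 hex digits of Unix seconds followed by 5 hex digits of microseconds.
 */
function uniqid_embedded_time(string $id, string $prefix = ''): float
{
    $body = substr($id, strlen($prefix), 13);
    return hexdec(substr($body, 0, 8)) + hexdec(substr($body, 8, 5)) / 1e6;
}

$native = uniqid('sess_');
$random = random_uniqid('sess_');

// The native value gives away when it was generated ...
printf("native  %s  created at %s\n", $native,
    date('c', (int) uniqid_embedded_time($native, 'sess_')));
// ... the replacement has the same shape but carries no timestamp.
printf("random  %s  (52 random bits)\n", $random);
printf("random  %s  (92 random bits)\n", random_uniqid('sess_', true));
```

Code that sorts on `uniqid()` output loses that time ordering with this replacement. 52 bits is also still short for a secret token, where `bin2hex(random_bytes(16))` or longer is the usual choice.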