Newsgroups: php.internals
Date: Sat, 2 May 2020 14:20:35 -0500
From: ben@benramsey.com (Ben Ramsey)
To: AllenJB
Cc: PHP Internals
Subject: Re: [PHP-DEV] Deprecating uniqid()

> On May 2, 2020, at 14:13, Ben Ramsey wrote:
>
>> On May 2, 2020, at 13:57, AllenJB wrote:
>>
>> Hi all,
>>
>> I'd like to discuss deprecating uniqid()
>>
>> I believe it's dangerously bad at doing "what it says on the tin".
>> New developers still reach for it and do not read the warnings on the manual page (or if they do, don't fully understand how bad it is).
>>
>> For older codebases that still rely on it, a userland replacement can be easily implemented (and could be published on Packagist).
>>
>> I noticed there was an RFC [0][1] brought up 2 years ago, but was never voted on. Does anyone know why this was?
>>
>> [0] https://externals.io/message/102097
>> [1] https://wiki.php.net/rfc/deprecate-uniqid
>>
>> Is there interest in deprecating this function?
>>
>> If not deprecation, how could it be (further) "improved"? My first thought is to make the "more entropy" option enabled by default (the argument could remain so that it can be disabled by codebases that rely on the lower length and can take the tradeoffs).
>
>
> Instead of deprecating and removing it, would anyone be opposed to replacing the internals of the function so that it uses `random_bytes()` under the hood, while all other functionality remains the same?

Of course, if we did this, it would break anyone’s ability to do this:

    date('r', hexdec(substr(uniqid(), 0, 8)));

But I would argue that no one should be relying on these identifiers for date/time purposes.

Cheers,
Ben
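
Added example, not part of the original message or of php-src: a default `uniqid()` value is 8 hex digits of Unix seconds followed by 5 hex digits of microseconds, which is what the `date()` one-liner in the message decodes. The sketch decodes both fields and contrasts them with a hypothetical `random_uniqid()` built on `random_bytes()`; that function's name and signature, and the helper `uniqid_time_fields()`, are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// uniqid() without more_entropy is sprintf('%08x%05x', seconds, microseconds):
// 13 hex characters that encode only the time of the call.
function uniqid_time_fields(string $id): array
{
    if (preg_match('/^[0-9a-f]{13}\z/', $id) !== 1) {
        throw new InvalidArgumentException('expected an unprefixed 13-character value');
    }
    return [
        'seconds'      => (int) hexdec(substr($id, 0, 8)),
        'microseconds' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Hypothetical replacement (name and signature are assumptions): same prefix
// argument and 13-hex-character shape, with every character from the CSPRNG.
function random_uniqid(string $prefix = ''): string
{
    // 7 bytes give 14 hex characters; drop one to keep uniqid()'s length.
    return $prefix . substr(bin2hex(random_bytes(7)), 0, 13);
}

$before = time();
$legacy = uniqid();
$fields = uniqid_time_fields($legacy);

// The legacy value reveals when it was created, to the microsecond.
printf("uniqid():        %s -> %s +%dus\n",
    $legacy, date('r', $fields['seconds']), $fields['microseconds']);
printf("matches clock:   %s\n", abs($fields['seconds'] - $before) <= 1 ? 'yes' : 'no');

// Same shape, but decoding the replacement yields an arbitrary date, so code
// that parsed a timestamp out of the identifier stops working.
$random = random_uniqid();
printf("random_uniqid(): %s -> %s\n",
    $random, date('r', uniqid_time_fields($random)['seconds']));

// 13 hex characters carry 52 random bits: enough for a unique name, short
// for a value that must stay secret, such as a password-reset token.
printf("same length:     %s\n", strlen($random) === strlen($legacy) ? 'yes' : 'no');
```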