Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:109975
Return-Path: <nikita.ppv@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 81056 invoked from network); 2 May 2020 21:24:17 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 2 May 2020 21:24:17 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 2A6081804E3
	for <internals@lists.php.net>; Sat,  2 May 2020 12:58:29 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <nikita.ppv@gmail.com>
Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat,  2 May 2020 12:58:28 -0700 (PDT)
Received: by mail-lf1-f53.google.com with SMTP id 188so6412406lfa.10
        for <internals@lists.php.net>; Sat, 02 May 2020 12:58:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=LNJIUmupLNmclLtobzti+grgq/aNdVm1FiYHB8erP5o=;
        b=u9G6h7O4CSZ8RVz0J0p1SGDCIaUCvao/KpiHXQ7qLnyKhSs2YkUnr7+xGwmoOPsOEn
         GdetFUQU8wQXpNlK0Sj+uBNypSkqqF020lYTEwG+x1EZqqS/u0Yg0dv6Pg0mwIhYxfuy
         kaLEM8STQ1cvSog3ucJ0YGCg1QlglAJZhNTpPavUOTmmVUfGG9Pn2hDN3tDuOSSbV6r/
         yMNzX21rMJehtSG2NyLAge07Q0p3QLiKHeAQoG18HDRjoeocKdgm1nPqj95giO1fP7hT
         kHabBSZtQ0T6tsvOmNX+tnMepNZdn+odAwdZxkYfbQ67jtXzoceTPJTcTz9fHLsMRBCe
         +CfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=LNJIUmupLNmclLtobzti+grgq/aNdVm1FiYHB8erP5o=;
        b=TcbdeCb3/HNbO62hli5ydwjklMkD2QZWCzr7zRhR6q0uq22xokHC4aEy97tSGMTK/F
         8zp0b1XX26hie4W+LDb+g46UEIoAzLiWUVK3kjqOhZdpzideYq+A7UqOaU0QujSfxxyK
         /kf9HJ0BC3R94JPbRsSnt2f8vIyxJdYT+thWGFu+dfZtHxxY630I2egsvXEz5rCCs3AC
         7VHuDFYYrHyOaLUUv26O98v7HHqisMzrzEdVTy6zdtOsO0k1NiemyPYzMggQ/yDz3lu2
         1lep15PDJUwQuSMVQsYUjd9Wt6C1HH74e61fIM/chvMgDGTadqRbvjPteI6ToazV0kzw
         xfMQ==
X-Gm-Message-State: AGi0PuZVdyC+/1SoWWYNMorAP0J72BpTl2PSkf2yCnciBwT4rJbqvnKI
	rxJ6sq909yK2Ixyi//yyXsMK7Mdpt0395/8l5Do=
X-Google-Smtp-Source: APiQypJenIOQL65tt4Nry1eM/iSR2xx0nDcCfmpS8Xi+ZsirDEG/NHsyYT2DrQ9AF+ZH4xzyEJirgtOpM3zXxFcIgRc=
X-Received: by 2002:a05:6512:10cd:: with SMTP id k13mr6476497lfg.173.1588449503730;
 Sat, 02 May 2020 12:58:23 -0700 (PDT)
MIME-Version: 1.0
References: <9e3b1604-8d0a-9db4-aab6-e5f2198252f4@allenjb.me.uk> <C4580849-BC5B-45CA-9B57-56CB63B3F8F0@benramsey.com>
In-Reply-To: <C4580849-BC5B-45CA-9B57-56CB63B3F8F0@benramsey.com>
Date: Sat, 2 May 2020 21:58:07 +0200
Message-ID: <CAF+90c-Uc1_F0Yy-kXvspCsLumAbOLfY-G_in3TTE288f=ZTrw@mail.gmail.com>
To: Ben Ramsey <ben@benramsey.com>
Cc: AllenJB <php.lists@allenjb.me.uk>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000069e0e405a4afb8e9"
Subject: Re: [PHP-DEV] Deprecating uniqid()
From: nikita.ppv@gmail.com (Nikita Popov)

--00000000000069e0e405a4afb8e9
Content-Type: text/plain; charset="UTF-8"

On Sat, May 2, 2020 at 9:13 PM Ben Ramsey <ben@benramsey.com> wrote:

> > On May 2, 2020, at 13:57, AllenJB <php.lists@allenjb.me.uk> wrote:
> >
> > Hi all,
> >
> > I'd like to discuss deprecating uniqid()
> >
> > I believe it's dangerously bad a doing "what it says on the tin". New
> developers still reach for it and do not read the warnings on the manual
> page (or if they do, don't fully understand how bad it is).
> >
> > For older codebases that still rely on it, a userland replacement can be
> easily implemented (and could be published on Packagist).
> >
> > I noticed there was an RFC [0][1] brought up 2 years ago, but was never
> voted on. Does anyone know why this was?
> >
> > [0] https://externals.io/message/102097
> > [1] https://wiki.php.net/rfc/deprecate-uniqid
> >
> > Is there interest in deprecating this function?
> >
> > If not deprecation, how could it be (further) "improved"? My first
> thought is to make the "more entropy" option enabled by default (the
> argument could remain so that it can be disabled by codebases that rely on
> the lower length and can take the tradeoffs).
>
>
> Instead of deprecating and removing it, would anyone be opposed to
> replacing the internals of the function so that it uses `random_bytes()`
> under the hood, while all other functionality remains the same?
>

I believe this has been discussed in the past, and the basic problem is
that uniqid() currently only returns 13 hex characters, so we can encode at
most 52 bits of entropy without changing the output format. This is
insufficient. Changing the format could break assumptions, such as database
column sizes.

Personally, I would be in favor of deprecating the function. I've run into
an issue caused by non-unique uniqid() somewhat recently myself as well.

Regards,
Nikita

--00000000000069e0e405a4afb8e9--