Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:109976
Return-Path: <aliveandshocked@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 31521 invoked from network); 3 May 2020 10:20:47 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 3 May 2020 10:20:47 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 738FB1804DD
	for <internals@lists.php.net>; Sun,  3 May 2020 01:55:10 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00,
	FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <aliveandshocked@gmail.com>
Received: from mail-wm1-f66.google.com (mail-wm1-f66.google.com [209.85.128.66])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun,  3 May 2020 01:55:09 -0700 (PDT)
Received: by mail-wm1-f66.google.com with SMTP id x25so4911601wmc.0
        for <internals@lists.php.net>; Sun, 03 May 2020 01:55:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=kSMDnLy0QB12eNtNhDmh9lFpHq4fGqRNLJe0lxH7mgQ=;
        b=VfbO6orRuA6ccQ/KYTb6q3aKLGRKUR4cuGeVBFx1u7w47Qv2Wxmvm14cLFy2DVU5hM
         FFU1QfFBATZNcfrHaKdN0jwJQl58b7VeMQrtQczPu5R5KMi6pyGr2QipRH8sVQFrBZcF
         QXSCIssg5QFmfPCQC1s7xPtZTmQupetucGOtLV1XDNFQV9qtincoFqVbKqE/Y4L6dNV1
         m30D6BRVg0SabcuB15Re/eWOIjXxqCV5P5UDxXXugsUVYpyNlz2753nnyt4CUkdcuKJT
         cz6jtclItl+G/MUxfiq5btiZjRnK7Y5UTWUhAtwIQlq3FDMsXS1gqAwy7jO6AyzaiyBU
         m8Sw==
X-Gm-Message-State: AGi0PuaMnTjsJiuZbvf8heVN+E/7uXaj8EqmaQRx1oTEk4EJ9b7SB0OX
	bGdEe5pSr4vSIWz8xCAPx6vQr9dZ5u7MCsh/wUB473zS
X-Google-Smtp-Source: APiQypLVKxgRBpDTI9rtF0vOFQGOFlm0wYr9q++FFsLMTQOaLx13eKWiH+WWKne7eZXiH8E3Qyt5AYB9hU1suXefAHE=
X-Received: by 2002:a1c:bc05:: with SMTP id m5mr7911447wmf.143.1588496106172;
 Sun, 03 May 2020 01:55:06 -0700 (PDT)
MIME-Version: 1.0
References: <9e3b1604-8d0a-9db4-aab6-e5f2198252f4@allenjb.me.uk>
 <C4580849-BC5B-45CA-9B57-56CB63B3F8F0@benramsey.com> <CAF+90c-Uc1_F0Yy-kXvspCsLumAbOLfY-G_in3TTE288f=ZTrw@mail.gmail.com>
In-Reply-To: <CAF+90c-Uc1_F0Yy-kXvspCsLumAbOLfY-G_in3TTE288f=ZTrw@mail.gmail.com>
Date: Sun, 3 May 2020 10:54:54 +0200
Message-ID: <CAJmjfvXUtWE1r9+PxDnRFkbFXgBG=KpRCcfzAyd3N7P3vYB2=w@mail.gmail.com>
To: php internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] Deprecating uniqid()
From: jakob@givoni.dk (Jakob Givoni)

On Sat, May 2, 2020 at 9:58 PM Nikita Popov <nikita.ppv@gmail.com> wrote:
>
> On Sat, May 2, 2020 at 9:13 PM Ben Ramsey <ben@benramsey.com> wrote:
>
> > > On May 2, 2020, at 13:57, AllenJB <php.lists@allenjb.me.uk> wrote:
> > >
> > > Hi all,
> > >
> > > I'd like to discuss deprecating uniqid()
> > >
> > > I believe it's dangerously bad a doing "what it says on the tin". New
> > developers still reach for it and do not read the warnings on the manual
> > page (or if they do, don't fully understand how bad it is).
> > >
> > > For older codebases that still rely on it, a userland replacement can be
> > easily implemented (and could be published on Packagist).
> > >
> > > I noticed there was an RFC [0][1] brought up 2 years ago, but was never
> > voted on. Does anyone know why this was?
> > >
> > > [0] https://externals.io/message/102097
> > > [1] https://wiki.php.net/rfc/deprecate-uniqid
> > >
> > > Is there interest in deprecating this function?
> > >
> > > If not deprecation, how could it be (further) "improved"? My first
> > thought is to make the "more entropy" option enabled by default (the
> > argument could remain so that it can be disabled by codebases that rely on
> > the lower length and can take the tradeoffs).
> >
> >
> > Instead of deprecating and removing it, would anyone be opposed to
> > replacing the internals of the function so that it uses `random_bytes()`
> > under the hood, while all other functionality remains the same?
> >
>
> I believe this has been discussed in the past, and the basic problem is
> that uniqid() currently only returns 13 hex characters, so we can encode at
> most 52 bits of entropy without changing the output format. This is
> insufficient. Changing the format could break assumptions, such as database
> column sizes.
>
> Personally, I would be in favor of deprecating the function. I've run into
> an issue caused by non-unique uniqid() somewhat recently myself as well.
>
> Regards,
> Nikita

I'm using this function frequently, but I am ok with deprecating it as
I think the name is dangerously misleading - basically, anything that
mentions "unique" without saying to what, is a misnomer.
However, as it's useful to have a function in core that gives you a
random string with a fixed length that is unique within some
well-defined boundaries, I'd like to be sure there is an easy
replacement for the function when the time comes to upgrade php.
Ideally something that is guaranteed to be unique within the current
php process and takes the same arguments as uniqid.

Best,
Jakob