Newsgroups: php.internals
Subject: Re: [PHP-DEV] Deprecating uniqid()
From: rowan.collins@gmail.com (Rowan Tommins)
To: PHP internals
Date: Mon, 4 May 2020 09:59:11 +0100
References: <9e3b1604-8d0a-9db4-aab6-e5f2198252f4@allenjb.me.uk> <3a2924d2-31b9-fee5-5548-49c889eca2f4@heigl.org>
In-Reply-To: <3a2924d2-31b9-fee5-5548-49c889eca2f4@heigl.org>

On Mon, 4 May 2020 at 06:27, Andreas Heigl wrote:

> As replacement I could think of showing people the way to UUIDs.

Although the name sounds similar, I don't think UUID would be a good replacement for uniqid(). In my experience, it's used for things like generating ID attributes for HTML elements, or suffixes for table names, or even file names; applications that really just need a few alphanumeric characters that are different each time.

> As the function itself was never intended for cryptographically secure
> values I would not see random_* functions or the like as a replacement.

Firstly, while everyone *should* understand the phrase "cryptographically secure", I don't think most users do. Despite the warning in the manual, I would put money on people using uniqid() for things that really should use "strong" randomness.

Secondly, is there actually a *disadvantage* to using cryptographically secure randomness when you don't need it? Speed? There's no advice in the manual for random_int or random_bytes saying *not* to use them, and their names seem deliberately chosen to imply they are the go-to functions for randomness.

The only downside I can see to suggesting something like random_string(13, '0-9a-f') as a direct replacement for uniqid() is that without a time input it might happen to generate the same string twice in a request. On the other hand, uniqid actually disclaims any guarantee of uniqueness anyway.

Regards,
-- 
Rowan Tommins
[IMSoP]
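An added example, not part of the thread and not a PHP function: a sketch of the hypothetical random_string(13, '0-9a-f') proposed above, built on random_int() so it is CSPRNG-backed and free of modulo bias, together with a birthday-bound estimate of the within-request collision risk the message mentions. The alphabet-spec syntax ('0-9a-f' style ranges) and the helper names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Expand a compact alphabet spec such as '0-9a-f' or '0-9A-Za-z' into a
 * string of the distinct characters it denotes (hypothetical helper).
 */
function expand_alphabet(string $spec): string
{
    $chars = '';
    $len = strlen($spec);
    for ($i = 0; $i < $len; $i++) {
        // "x-y" with both ends present denotes an inclusive range
        if ($i + 2 < $len && $spec[$i + 1] === '-') {
            for ($c = ord($spec[$i]); $c <= ord($spec[$i + 2]); $c++) {
                $chars .= chr($c);
            }
            $i += 2;
        } else {
            $chars .= $spec[$i];
        }
    }
    // mode 3 returns each distinct byte exactly once
    return count_chars($chars, 3);
}

/**
 * Generate $length characters drawn uniformly from $alphabetSpec.
 * random_int() gives an unbiased index, unlike rand() % n.
 */
function random_string(int $length, string $alphabetSpec = '0-9a-f'): string
{
    $alphabet = expand_alphabet($alphabetSpec);
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and at least two symbols');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Birthday-bound approximation: p ~= n^2 / (2 * symbols^length)
function collision_probability(int $n, int $length, int $symbols): float
{
    return ($n ** 2) / (2 * ($symbols ** $length));
}

// 13 hex characters, the same width uniqid() returns without a prefix
$id = random_string(13, '0-9a-f');
printf("%s (%d chars)\n", $id, strlen($id));
// 10000 ids in one request: 1e8 / (2 * 16^13), roughly 1.1e-8
printf("p(collision) for 10000 ids: %.2e\n", collision_probability(10000, 13, 16));
```

Thirteen hex characters carry 52 bits of entropy, so the duplicate-within-a-request case the message raises is real but only reached at around 2^26 ids; callers that need a hard uniqueness guarantee still need a counter or database constraint, as with uniqid() itself.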