Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:109997
Return-Path: <me@kelunik.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 12050 invoked from network); 5 May 2020 08:03:00 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 5 May 2020 08:03:00 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5346C1804B4
	for <internals@lists.php.net>; Mon,  4 May 2020 23:37:51 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,
	SPF_HELO_PASS,SPF_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS6724 81.169.144.0/22
X-Spam-Virus: No
X-Envelope-From: <me@kelunik.com>
Received: from mo4-p00-ob.smtp.rzone.de (mo4-p00-ob.smtp.rzone.de [81.169.146.216])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon,  4 May 2020 23:37:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1588660667;
	s=strato-dkim-0002; d=kelunik.com;
	h=Cc:To:Subject:Message-ID:Date:From:In-Reply-To:References:
	X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender;
	bh=HHFOKRmKVlWqhgw7l9irl1XJXUP4qm/hMSGrfo7OvwE=;
	b=pRdSnqrIU23s1+tvBqBkAFyuEyCc2+5l5bNM5N7rwusE74Q97HafFf3xETEbTvNHA8
	J/tFu/m+1YZFZuMxQaWjbfsr9FCF3a1HEBQIjcLLcGg6NV2qw1PXKcOpE1BUKjHZg819
	3Bx5KUSfutsGoRlGZCvBOfGIzTVFzk9psHLWFxXPyW+elyzN6sly8RBN7a38v0g9h1Dr
	AK0z5XJvhebcFwtKGfXgPp8NcP4u5B7LUwE/Z7aSQi/75pyR0aSGGNeZJvSYYfqPFG9D
	dtYTeDoPbQyGJPLqf96PfR25ZKxfxnqrk2JZu1svOtb/zh3ztWQqiSOz24iC3tLRes7G
	mZNQ==
X-RZG-AUTH: ":IWkkfkWkbvHsXQGmRYmUo9mlsGbEv0XHBzMIJSS+jKTzde5mDb8AaBEcYyZB"
X-RZG-CLASS-ID: mo00
Received: from mail-vs1-f41.google.com
	by smtp.strato.de (RZmta 46.6.2 AUTH)
	with ESMTPSA id C0794aw456blxCg
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits))
	(Client did not present a certificate)
	for <internals@lists.php.net>;
	Tue, 5 May 2020 08:37:47 +0200 (CEST)
Received: by mail-vs1-f41.google.com with SMTP id z1so571280vsn.11
        for <internals@lists.php.net>; Mon, 04 May 2020 23:37:47 -0700 (PDT)
X-Gm-Message-State: AGi0PubMvqCyKzOv+fEd2qSQbHejXmmg07Cosecqh8NX71V7ZOcWtSCj
	mVCUSW4Dm06YX6OZPdzK/Sl4hFm3jJQgUgSMVD4=
X-Google-Smtp-Source: APiQypLQ0jNLuPl1DQuYYfn0uYJrGUoqxt4TePfwGBcm4P/IXjKw6qKbZo4CrdKFdDuKbT46CGLQmWqSe6CfHCXfcoQ=
X-Received: by 2002:a67:e98d:: with SMTP id b13mr1606256vso.55.1588660666358;
 Mon, 04 May 2020 23:37:46 -0700 (PDT)
MIME-Version: 1.0
References: <9e3b1604-8d0a-9db4-aab6-e5f2198252f4@allenjb.me.uk>
 <C4580849-BC5B-45CA-9B57-56CB63B3F8F0@benramsey.com> <3a2924d2-31b9-fee5-5548-49c889eca2f4@heigl.org>
 <CALKiJKoXfW2usFmHS2ev2ihe6i=SV5JQaMgQmHCi5-rqeEdOWw@mail.gmail.com>
In-Reply-To: <CALKiJKoXfW2usFmHS2ev2ihe6i=SV5JQaMgQmHCi5-rqeEdOWw@mail.gmail.com>
Date: Tue, 5 May 2020 08:37:33 +0200
X-Gmail-Original-Message-ID: <CANUQDCi3+fzy9E9kJ-vuDsTXMwNko9PpBUBAGUTxacdaQFPE5g@mail.gmail.com>
Message-ID: <CANUQDCi3+fzy9E9kJ-vuDsTXMwNko9PpBUBAGUTxacdaQFPE5g@mail.gmail.com>
To: Rowan Tommins <rowan.collins@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000afe06805a4e0e202"
Subject: Re: [PHP-DEV] Deprecating uniqid()
From: me@kelunik.com (Niklas Keller)

--000000000000afe06805a4e0e202
Content-Type: text/plain; charset="UTF-8"

Rowan Tommins <rowan.collins@gmail.com> schrieb am Mo., 4. Mai 2020, 10:59:

> On Mon, 4 May 2020 at 06:27, Andreas Heigl <andreas@heigl.org> wrote:
>
> >
> > As replacement I could think of showing people the way to UUIDs.
> >
>
>
> Although the name sounds similar, I don't think UUID would be a good
> replacement for uniqid(). In my experience, it's used for things like
> generating ID attributes for HTML elements, or suffixes for table names, or
> even file names; applications that really just need a few alphanumeric
> characters that are different each time.
>

Seems like UUIDs would be a good fit for all of these.

>
> > As the function itself was never intended for cryptographically secure
> > values I would not see random_* functions or the like as a replacement.
> >
>
>
> Firstly, while everyone *should* understand the phrase "cryptographically
> secure", I don't think most users do. Despite the warning in the manual, I
> would put money on people using uniqid() for things that really should use
> "strong" randomness.
>
> Secondly, is there actually a *disadvantage* to using cryptographically
> secure randomness when you don't need it? Speed? There's no advice in the
> manual for random_int or random_bytes saying *not* to use them, and their
> names seem deliberately chosen to imply they are the go-to functions for
> randomness.
>
> The only downside I can see suggesting something like random_string(13,
> '0-9a-f') as a direct replacement for uniqid() is that without a time input
> it might happen to generate the same string twice in a request. On the
> other hand, uniqid actually disclaims any guarantee of uniqueness anyway.
>

UUIDs have enough length to make collisions practically irrelevant, so
again, they seem to be the best replacement.

Best,
Niklas

Regards,
> --
> Rowan Tommins
> [IMSoP]
>

--000000000000afe06805a4e0e202--