Newsgroups: php.internals
Date: Tue, 25 Jun 2024 16:49:36 +0100 (BST)
From: derick@php.net (Derick Rethans)
To: Marco Pivetta
cc: "Gina P. Banyard", PHP internals, timwolla@php.net
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4

Please, no top posting.

On Tue, 25 Jun 2024, Marco Pivetta wrote:

> I agree with most of these deprecations, except:
>
> * `uniqid()`, in my case (XKCD 1172) is largely used for quickly
> generating a semi-random string for test purposes: a suitable replacement
> PRNG implementation would be welcome. Even refactoring with tools like
> Rector will lead to quite messy code, or added dependencies. IMO fine to
> get rid of **this specific implementation**, if a safe function is
> provided, such as `random_ascii_string()` or such (dunno, just a hint)
> * `md5()`, `sha1()` - OK-ish with moving to `hash('', ...)`, but
> while these are insecure for most use-cases, they are part of the domain of
> many tools, including GIT itself. I can Rector my way out of it, just not
> sure these should be hidden into `hash(...)`

I agree on both points. These functions are indeed often used.

The documentation for uniqid has some nice big warnings too. It can be
used in situations where it is OK. Replacing the algorithm underneath
uniqid can (and perhaps should) be looked at.

For the md5 and sha1 functions. Although these algorithms are not useful
for "verifying the authenticity of a payload", that doesn't mean they
can't be used outside of that use case.

I understand the reasons why you want to "nudge" people to no longer use
these "unsafe" functions, but IMO, in this case, it's not worth the BC
issues.

cheers,
Derick
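
Added example, not part of the message above or of the RFC: a PHP sketch of the two points under discussion, showing that a default `uniqid()` value decodes back to a clock reading, next to a CSPRNG-backed test string and a non-authenticity use of SHA-1 (a Git blob id). The function names `decode_uniqid()`, `random_test_string()` and `git_blob_id()` are hypothetical; `random_test_string()` only stands in for the `random_ascii_string()` idea floated in the quoted text.

```php
<?php
declare(strict_types=1);

// A default uniqid() value is 13 hex digits: 8 for the Unix second and
// 5 for the microsecond. Decoding it recovers the time it was generated.
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a default uniqid() value');
    }
    return [
        'seconds'      => (int) hexdec(substr($id, 0, 8)),
        'microseconds' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Hypothetical helper: a throwaway string for tests, drawn from the CSPRNG
// behind random_int() instead of the system clock.
function random_test_string(int $length = 13): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// SHA-1 as a content identifier rather than an authenticity check:
// Git names a blob by hashing "blob <size>\0<content>".
function git_blob_id(string $content): string
{
    return hash('sha1', 'blob ' . strlen($content) . "\0" . $content);
}

$id    = uniqid();
$parts = decode_uniqid($id);
printf("uniqid %s was generated at %s +%06d us\n",
    $id, gmdate('c', $parts['seconds']), $parts['microseconds']);
printf("random_test_string(): %s\n", random_test_string());

// Constructed check: the id of an empty blob is a fixed, well-known value.
var_dump(git_blob_id('') === 'e69de29bb2d1d6434b8b29ae775ad8c2e48c5391');
```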