Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124440 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 94D771A00B7 for ; Mon, 15 Jul 2024 21:50:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1721080344; bh=dM/NZ2aJl3M07oX6v/9pMjAEOI3V9VDFsUprDZ73yZk=; h=Date:Subject:To:References:From:In-Reply-To:From; b=LGseWmzOxuBg7CQRb10ZFQAMCHCotD9hc/8w+ZNUawrd8pipQW/5fs4m1pH7mVgkU BKCMXe2mYOXxs5TdVqxxx0wW81EBUQrw8QgA9iyD/yYBSMIEszN1qMGcS++Yca0peP Deq34HYOazqRZ2ZVjkd7PwIp79WKazlAEOsXIYaZypbjJ+Y9ZLiw/y30b3yRcMv42p oCEp3yrUWmsdtwzfYATsD4UadCA/AL1Xai0fRl8M/M/4GsAK6kyWCMPe8CnZ7Yvxbr jllK9T9huwRB/n7drflI9DAcBY+oShhkUvOUjOgL5ejfpZxDVmTiv6Q5V6PrBqkWyO HEWpKzTHrGdAA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id F1B361807A0 for ; Mon, 15 Jul 2024 21:52:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 15 Jul 2024 21:52:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1721080253; bh=YpGULQD4nuiSATnynF56erbo4wKga8JD6UNZYlqw4ks=; h=Message-ID:Date:MIME-Version:Subject:To:References:From: In-Reply-To:Content-Type:from:to:cc:subject:message-id; b=QxkDe9IpD/pvHo4jZDPDFkIOV07BwklMpjgHRXk+jBQXEOPHiov0WBzRfpyv33rF3 PDjk8a02IrBK+e8CEer4Yrq/n6JYwak1P80/u17PS1TocYaay1wmuonzV5vaZuN5eQ L/HnyeB8R+z1mpMKeoAD9z/UUdlOCXxN7iaAnoQ+n+ZnfseQ/lrTzsyhpn0joux/SN rBcEtwbQTc5thXEEV+DH5lHYKzi81TIKmdxCUcDyXRpRQPENSMVqwa4/G49YqtjzTe fqcBVTeinxl6ttzFEkr4uE4lefilSZVWv4kuHboZsZ9KJIYSpnGlNqe9dQGcBiK8fJ 5Pqxq4dXVTQHA== Message-ID: <36c412df-7752-4554-af6b-d4696fbd2011@bastelstu.be> Date: Mon, 15 Jul 2024 23:50:52 +0200 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4 To: "Christoph M. Becker" , Juliette Reinders Folmer , internals@lists.php.net References: <6683CDE4.7050607@adviesenzo.nl> <668B5728.40300@adviesenzo.nl> <61cbb650-17d7-4dbf-a73b-8265d6af2d4f@gmx.de> Content-Language: en-US In-Reply-To: <61cbb650-17d7-4dbf-a73b-8265d6af2d4f@gmx.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=) Hi On 7/15/24 15:56, Christoph M. Becker wrote: > I do not, however, agree with the reasoning that a function (like > uniqid()) is often used in a unsafe way (i.e. for purposes it has not > been designed), and therefore should be deprecated/removed. There are > likely a couple of developers who are easily rolling their own > implementation which can be way worse. I've seen "encryption" code That's effectively what's already being done, with complex, but meaningless, constructions such as `sha1(uniqid(microtime(true), true).rand())`. I probably did so myself in the past, back when I didn't know better and followed tutorials that also didn't know better. I agree that it helps no one if the cure is worse than the disease. That's why I strongly believe in misuse-resistant APIs: The secure choice should also be the default choice and also the easiest choice. The 'password_*' API is an great example for that. It has a few functions that do exactly what they say on the tine. You basically cannot use it incorrectly (except by not using it). The old procedural API to use randomness is not such an example [1]. The `uniqid()` function is the most obvious choice to generate a unique string and when using it, the output also looks "random". But in reality it does not guarantee that the output is unique or unguessable - making the function name a lie. It's almost always the wrong choice and I expect the type of developer that is able to use it safely to be able to write their own domain-specific formatter for the current time. All other users would be better suited by choosing something else, such as the `bin2hex(random_bytes(16))` construction that is supported since 7.0 and even longer with ParagonIE's polyfill [2]. Yes, it is not as terse as a call to `uniqid()`, but it is nicely explicit in what the output will look like and what the security properties are. > which was basically a Caesar cipher, spiced with some obsure function > calls to make it "even more safe". And I've seen obscure HTML escaping > code with an not so obvious back-door, that was once available as user > note on php.net. > > That doesn't mean that I'm against the uniqid() deprecation, especially > if the deprecation message is clear on what to use instead. I will make sure to write useful migration docs, helping users making an educated choice for an alternative. Unfortunately is no one-size-fits-all solution to the problem of generating an unique string. Best regards Tim Düsterhus [1] This includes uniqid(), rand(), mt_rand(), lcg_value(). random_bytes() and random_int() are fine. [2] https://github.com/paragonie/random_compat