Newsgroups: php.internals
Xref: news.php.net php.internals:68603
Date: Thu, 22 Aug 2013 14:23:36 +0100
Subject: Re: [PHP-DEV] Request #65501 uniqid(): More entropy parameter should be true by default
From: leight@gmail.com (Leigh)
To: Sebastian Krebs
Cc: Yasuo Ohgaki, "internals@lists.php.net"

On 22 August 2013 13:39, Sebastian Krebs wrote:

> Tbh I don't get the real problem with the _current_ behaviour. Who needs the
> entropy, can set it as second parameter and I am not sure, if it is wise to
> use uniqid() for _security purposes_.

It's absolutely not wise to use it for anything security related, the purpose of the function is simply to provide a unique value within a system, not a random value, not an unpredictable value.

"more_entropy" in this case might as well be called "higher_resolution". As Nikita already pointed out, without this flag set a usleep is performed to force function calls to be at least 1 microsecond apart (since the id is microtime based). All more_entropy does is add some additional random on the end instead of the usleep so when uniqid is called multiple times during the same microsecond, the values are still (probably) unique.

Making the function return a longer output by default is a BC break imo. As already pointed out constrained DB fields will not accept the new default, filenames generated using it will no longer conform to a set pattern, etc. etc.
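The behaviour described in the message above, as an added PHP example that is not part of the original thread. It assumes the default uniqid() layout of 8 hex digits of seconds followed by 5 hex digits of microseconds; decode_uniqid() is a hypothetical helper, and random_bytes() (PHP 7+) is not mentioned in the thread and is used here only as the contrast for values that must be unpredictable.

```php
<?php
// Added illustration; decode_uniqid() is a hypothetical helper name.

/**
 * Recover the clock reading encoded in a prefix-less uniqid() value.
 * Assumed layout: 8 hex digits (seconds) + 5 hex digits (microseconds),
 * optionally followed by the more_entropy suffix "d.dddddddd".
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})(\d\.\d{8})?$/', $id, $m)) {
        throw new InvalidArgumentException("not a prefix-less uniqid() value: $id");
    }
    return [
        'sec'    => hexdec($m[1]),   // Unix timestamp of the call
        'usec'   => hexdec($m[2]),   // microsecond part of the same clock
        'suffix' => $m[3] ?? null,   // present only with more_entropy = true
    ];
}

$plain = uniqid();          // default: microtime only
$long  = uniqid('', true);  // more_entropy: extra digits appended

// The default value is just the clock in hex, so anyone who knows roughly
// when it was generated can enumerate the candidates.
$d = decode_uniqid($plain);
printf("uniqid()          %s (%d chars) = %s UTC + %06d us\n",
    $plain, strlen($plain), gmdate('Y-m-d H:i:s', $d['sec']), $d['usec']);

// The longer form is what breaks length-constrained columns and fixed
// filename patterns if it becomes the default.
printf("uniqid('', true)  %s (%d chars)\n", $long, strlen($long));

// Two back-to-back default calls differ only in the low microsecond digits.
$a = decode_uniqid(uniqid());
$b = decode_uniqid(uniqid());
$gap = ($b['sec'] - $a['sec']) * 1000000 + ($b['usec'] - $a['usec']);
printf("gap between consecutive ids: %d us\n", $gap);

// For anything that must be unguessable (tokens, reset links), draw from the
// CSPRNG instead of the clock.
$token = bin2hex(random_bytes(16));
printf("random_bytes(16)  %s (%d chars)\n", $token, strlen($token));
```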