Newsgroups: php.internals
Date: Thu, 22 Aug 2013 15:44:01 +0200
To: Leigh
Cc: Yasuo Ohgaki,
"internals@lists.php.net"
Subject: Re: [PHP-DEV] Request #65501 uniqid(): More entropy parameter should be true by default
From: krebs.seb@gmail.com (Sebastian Krebs)

2013/8/22 Leigh

> On 22 August 2013 13:39, Sebastian Krebs wrote:
>
>> Tbh I don't get the real problem with the _current_ behaviour. Whoever
>> needs the entropy can set it as the second parameter, and I am not sure
>> if it is wise to use uniqid() for _security purposes_.
>
> It's absolutely not wise to use it for anything security related. The
> purpose of the function is simply to provide a unique value within a
> system, not a random value, not an unpredictable value.

That's what my thought was too, but the bug report states

> Without more entropy, uniqid() may produce a non-unique id even if the
> name states it. This could be a security issue under certain cases.

> "more_entropy" in this case might as well be called "higher_resolution".
> As Nikita already pointed out, without this flag set a usleep is performed
> to force function calls to be at least 1 microsecond apart (since the id is
> microtime based). All more_entropy does is add some additional random on
> the end instead of the usleep, so when uniqid is called multiple times
> during the same microsecond the values are still (probably) unique.

Wait ... With "more" it is _faster_?! (Haven't read Nikita's mail so closely
before...) Definitely something I should remember ^^ My trivial mind would
assume that the longer output would take more effort.

> Making the function return a longer output by default is a BC break imo.
> As already pointed out, constrained DB fields will not accept the new
> default, filenames generated using it will no longer conform to a set
> pattern, etc. etc.
Worth mentioning: the longer output also contains a dot ".", which may lead to
worse things with filenames ;)

Regards,
Sebastian

--
github.com/KingCrunch
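To make concrete what the more_entropy flag changes, here is an added PHP example; it is not code from the thread or from php-src. It assumes PHP 7.3 or later (for hrtime()) and a non-Windows build, where uniqid() without more_entropy performs the usleep(1) described above; LEGACY_PATTERN, acceptsLegacyId and the other names are illustrative, and the sample ids in the comments are constructed. It shows the two output formats (13 hex characters by default, versus the same 13 characters plus lcg digits containing a dot), checks both against the kind of fixed-width pattern a constrained DB column or filename scheme would enforce, and compares uniqueness and speed of a tight loop in both modes. As Leigh says above, neither form is suitable for anything security related; the example is about format, compatibility and cost only.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.3+ (hrtime) and a
// non-Windows build, where uniqid() without more_entropy calls usleep(1).

// Format a consumer may have hard-coded against the default output:
// 8 hex digits of seconds followed by 5 hex digits of microseconds.
// (Constant name and pattern are illustrative.)
const LEGACY_PATTERN = '/^[0-9a-f]{13}$/';

// Stand-in for a constrained consumer, e.g. a CHAR(13) column or a
// filename scheme that tolerates no dot before the extension.
function acceptsLegacyId(string $id): bool
{
    return preg_match(LEGACY_PATTERN, $id) === 1;
}

// Summarise what such a consumer would observe for a given id.
function describe(string $id): array
{
    return [
        'value'    => $id,
        'length'   => strlen($id),
        'has_dot'  => strpos($id, '.') !== false,
        'accepted' => acceptsLegacyId($id),
    ];
}

// Number of duplicate ids produced by $n back-to-back calls.
// Default mode relies on usleep(1) to keep calls in distinct microseconds;
// more_entropy mode relies on the appended lcg digits instead.
function countCollisions(bool $moreEntropy, int $n = 1000): int
{
    $seen = [];
    for ($i = 0; $i < $n; $i++) {
        $seen[uniqid('', $moreEntropy)] = true;
    }
    return $n - count($seen);
}

// Wall-clock milliseconds for $n calls. The default mode pays for usleep(1)
// on every call, which is why more_entropy=true is the faster variant.
function timeCalls(bool $moreEntropy, int $n = 1000): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        uniqid('', $moreEntropy);
    }
    return (hrtime(true) - $start) / 1e6;
}

$ids = [
    'default'      => uniqid(),          // constructed sample: 5216164b2f8c2 (13 chars)
    'more_entropy' => uniqid('', true),  // constructed sample: 5216164b2f8c24.12345678 (23 chars)
];
foreach ($ids as $mode => $id) {
    printf("%-12s %s\n", $mode, json_encode(describe($id)));
}
foreach ([false, true] as $mode) {
    printf("more_entropy=%-5s collisions=%d time=%.2f ms\n",
        var_export($mode, true), countCollisions($mode), timeCalls($mode));
}
```

Run it with `php uniqid_formats.php` (any filename will do). The more_entropy id fails acceptsLegacyId on two counts at once, length and the dot, which is the BC break the thread is worried about; the timing line shows the default mode is the slower one because of the per-call usleep. On Windows builds the usleep is absent, so the collision count for the default mode may be non-zero there.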