Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:68615
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 84477 invoked from network); 23 Aug 2013 22:15:41 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Aug 2013 22:15:41 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.54 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.54 mail-la0-f54.google.com  
Received: from [209.85.215.54] ([209.85.215.54:54849] helo=mail-la0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id FC/D1-04818-B0FD7125 for <internals@lists.php.net>; Fri, 23 Aug 2013 18:15:40 -0400
Received: by mail-la0-f54.google.com with SMTP id ea20so927370lab.13
        for <internals@lists.php.net>; Fri, 23 Aug 2013 15:15:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=GaRCVpecFAPEJeU9nDcajqP44fFtBrobeg7Qs4R/1+U=;
        b=isG89aCNgfuhKmCGZsxGNtLx1NQtM+8sLgF9vI3tH3xPZj/hSWRnaKoZ/BEF9IZbts
         QlnbApxKJZrbZBwLLz/hXdR5CmcKeHhDt5IcCJIvCjsUtjEm2i4yZYo5NZfmGYqTxs0r
         Q3R5M/sXa6aGmFPSUAsn+X2qRFoNdIwTrIv8wxNJy/LdgSkcvl2ih3QJEY9aeuiKr7tV
         ADQ6bLtQE7Zj0+7bbUp6zT8Hj+muOxQi/3nGxpq/v6sqRZL2vz5qiyWDNnhxTm0TXzD6
         ITIfvD+MepD6SC/a8P5Oxs1YG8MAG2mCwsDQ+WQFXg/nuCPplZHQjwNooJU7zjcnO0oF
         jj3w==
X-Received: by 10.112.156.166 with SMTP id wf6mr821916lbb.13.1377296136088;
 Fri, 23 Aug 2013 15:15:36 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.154.201 with HTTP; Fri, 23 Aug 2013 15:14:56 -0700 (PDT)
In-Reply-To: <CAAyV7nEh7YDQj1nMkSGpyfaSYxG+9YbGPuVFMY6geNR_XNs=9w@mail.gmail.com>
References: <CAGa2bXZPkeu0Ns_o2Q4Xe_XM8SqmD8hg9oyjOrbZFS0G1C5t2g@mail.gmail.com>
 <CALtuQzCX-tu7SjZDjM=fW26UXDWoLaKYyZVnX-6DFVj+x3ujyw@mail.gmail.com>
 <CAPwsocGU5ewAKE4cqX=BFQYqZ65=fAjKfVuQut8H2SDw76UAbg@mail.gmail.com>
 <CAGa2bXZgvanr6s2c-QECGuE3K1F9KKBVDA_sc_t=iR66d5So1g@mail.gmail.com> <CAAyV7nEh7YDQj1nMkSGpyfaSYxG+9YbGPuVFMY6geNR_XNs=9w@mail.gmail.com>
Date: Sat, 24 Aug 2013 07:14:56 +0900
X-Google-Sender-Auth: xPGcjllDeCzoOSilKGRwr-VGqk8
Message-ID: <CAGa2bXaUx4b+D-fvKcWCiZ+ZqqH4h6wN3a3LoOWuNMLGPUVFnw@mail.gmail.com>
To: Anthony Ferrara <ircmaxell@gmail.com>
Cc: Leigh <leight@gmail.com>, Sebastian Krebs <krebs.seb@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c18e7af1350904e4a4be33
Subject: Re: [PHP-DEV] Request #65501 uniqid(): More entropy parameter should
 be true by default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c18e7af1350904e4a4be33
Content-Type: text/plain; charset=UTF-8

Hi Anthony,

On Fri, Aug 23, 2013 at 11:12 PM, Anthony Ferrara <ircmaxell@gmail.com>wrote:

> > It's absolutely not wise to use it for anything security related, the
>> > purpose of the function is simply to provide a unique value within a
>> > system, not a random value, not an unpredictable value.
>> >
>>
>> I agree.
>>
>> However, I suppose there are many applications that rely on uniqid() for
>> critical features like payment or authentication.
>>
>
> Sure, and people use `eval()` for conditionals and `goto` for code
> structure.
>
> We shouldn't alter language design for people making bad decisions.
> Instead, we should work on documentation and education to fix those kinds
> of problems.
>

We definitely should do this. I agree.


>
>
>> We need better function as basic feature of PHP. unique_hash() or
>> hash_unique() might be good. UUID works and is much better but generating
>> unique hash just like session ID is trivial to implement.
>>
>
> What would this do? How would it work? Would it just be a statistically
> unique hash? At which point why have it named on `hash` instead of just
> being a large random number (and hence belongs as a random number
> generator, not a unique hash thingy)...
>

Right. It would be statistically unique hash just like session ID without
strict session mode.
(Strict session detects collision, so it ensures uniqueness)

Current session module uses /dev/urandom (or like in UNIX like environment)
or crypt library
for windows. We have been relied statistically unique session ID until now,
since it's not too bad.

hash_unique() would be much safer than uniqid().  We should still educate
users that values are
statistically unique values. Unlike session, collision detection is up to
users since it's impossible
to maintain generated hash values.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c18e7af1350904e4a4be33--