Newsgroups: php.internals
Date: Sun, 2 Feb 2014 13:32:21 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: Extending uniqid() or not?

Hi all,

uniqid() is producing a unique ID for the system, which is good for email message IDs etc. Many users are using uniqid() as a secure unique ID, which is a very bad thing to do for security.

It may be extended to produce a safe unique ID string:

uniqid(TRUE) - Returns a random ID string which is safe to use for security purposes.

My concern is that uniqid() would return both safe and unsafe IDs, which may not be good. We may be better off having a new function, perhaps

string safe_uniqid([int $length=64])

It generates an ID using a good RNG such as /dev/urandom or /dev/arandom for UNIXes, and the OpenSSL RNG for Windows, when they are available. It does not use a hash function, but simply converts the RNG binary data into text. The same algorithm that is used for session IDs may be used. (Use hash_bits_per_character=5, since it only contains alphanumeric chars.)

Since it does not use a hash, it's fast. We might be better off using a hash even if it's a little slow. This implementation is affected by RNG vulnerabilities directly.

The new function name could be anything. Too many APIs is not good, but a confusing API is not good also.

Any comments? Any good names?

Regards,

P.S. Is anyone working on UUID? PostgreSQL is using OSSP's UUID lib; it's good for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html

--
Yasuo Ohgaki
yohgaki@ohgaki.net
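As an added illustration (not the patch Yasuo proposes, nor PHP's own session code), here is a userland sketch of the safe_uniqid() described above: CSPRNG bytes packed 5 bits per character the way session.hash_bits_per_character=5 does, with random_bytes() (PHP 7+) standing in for the /dev/urandom read the mail mentions, and a side-by-side call to the time-derived uniqid() for contrast.

```php
<?php
declare(strict_types=1);

// Pack binary data 5 bits per character, the way PHP's session ID
// generator does for session.hash_bits_per_character=5 (alphabet 0-9a-v).
// Written for this illustration, not taken from PHP's session.c.
function bin_to_readable(string $bin, int $bitsPerChar = 5): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
    $mask = (1 << $bitsPerChar) - 1;
    $out = '';
    $have = 0;   // bits currently buffered in $w
    $w = 0;      // bit buffer, filled low bits first
    $len = strlen($bin);
    $i = 0;
    while (true) {
        if ($have < $bitsPerChar) {
            if ($i < $len) {
                $w |= ord($bin[$i++]) << $have;
                $have += 8;
            } elseif ($have === 0) {
                break;                    // input exhausted, nothing left
            } else {
                $have = $bitsPerChar;     // zero-pad the final partial group
            }
        }
        $out .= $alphabet[$w & $mask];
        $w >>= $bitsPerChar;
        $have -= $bitsPerChar;
    }
    return $out;
}

// Proposed safe_uniqid(): $length characters drawn from a CSPRNG.
// random_bytes() (PHP 7+) stands in for the /dev/urandom read in the mail.
function safe_uniqid(int $length = 64): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }
    $bytes = intdiv($length * 5 + 7, 8);  // enough bytes for $length*5 bits
    return substr(bin_to_readable(random_bytes($bytes)), 0, $length);
}

// uniqid() is the hex of the current time, so back-to-back calls share
// their leading digits; safe_uniqid() output has no such structure.
printf("uniqid():        %s %s\n", uniqid(), uniqid());
printf("safe_uniqid():   %s\n", safe_uniqid());
printf("safe_uniqid(20): %s\n", safe_uniqid(20));
```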