Newsgroups: php.internals
Date: Mon, 3 Feb 2014 07:08:45 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Extending uniqid() or not?

Hi Stas,

On Sun, Feb 2, 2014 at 7:33 PM, Stas Malyshev wrote:

> > It may be extended to produce safe unique ID
> >
> > string uniqid(TRUE) - Returns random ID string which is safe to use
> > security purposes.
>
> What's wrong with mcrypt_create_iv() which exists specifically for the
> purpose of generating secure random string?
>

User may use it. IV should be random bytes and it can be used as secure
source for hash. It does almost the same thing that I would like to do.

Issues are

- it does not auto detect RNG and use /dev/random by default
- it does not support /dev/arandom
- it uses php_rand() to create random bytes if source option is not RANDOM or URANDOM
- it is not an available function by default...

1st issue is not an issue actually. I think this is good that it uses
/dev/random by default even if it may block script. As a crypt module,
it should use most secure source by default.

We may improve mcrypt_create_iv() a little by raising E_NOTICE error when
user set source other than RANDOM or URANDOM, and add ARANDOM as a source.

Even though mcrypt_create_iv() is good enough for its original purpose, it's
not good as a general (fool proof) method for generating random bytes as it
can block script execution.

My question is if we should extend uniqid() or add new function that
actually generates safe ID string.

We may add more description to uniqid() page, mcrypt and openssl manual
page. This is a valid option also. Do you prefer documentation rather than
extending uniqid() or new function?

> > P.S. Is anyone working on UUID? PostgreSQL is using OSSP's UUID lib, it's good
> > for PHP.
> > http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
>
> There's uuid extension for PHP as far as I can see:
>
> http://ossp-uuid.sourcearchive.com/documentation/1.6.2-1ubuntu2/php_2uuid_8c_source.html

Thank you. I didn't know this.
It provides raw API to OSSP UUID. It's sufficient while it may be better to
provide more specific API like PostgreSQL.

Like mcrypt and openssl, it does not provide API that returns the result by
single function call. It would be better if it returns result (UUID string)
by a function call. I hope someone writes such a module.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
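
The gap this message describes, as an added example that is not part of the original post or of PHP's source: default uniqid() output decodes back to a timestamp, while a safe ID or UUID string can come from a single function call on the OS CSPRNG. It assumes PHP 7.0 or later for random_bytes(), which postdates this 2014 thread; uniqid_timestamp(), secure_id() and uuid_v4() are hypothetical names.

```php
<?php
// Added example, not code from the thread. random_bytes() needs PHP 7.0+;
// uniqid_timestamp(), secure_id() and uuid_v4() are hypothetical helper names.

// Default uniqid() output is 13 hex digits: 8 for the Unix seconds and 5 for
// the microseconds, so the value is a readable timestamp, not a secret.
function uniqid_timestamp(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a default uniqid() value');
    }
    return [
        'sec'  => hexdec(substr($id, 0, 8)),
        'usec' => hexdec(substr($id, 8, 5)),
    ];
}

// One-call ID from the OS CSPRNG. random_bytes() throws on failure rather
// than falling back to a non-cryptographic generator such as php_rand().
function secure_id(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// RFC 4122 version 4 UUID string returned by a single function call.
function uuid_v4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set variant 10xx
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

$id = uniqid();
$t  = uniqid_timestamp($id);
printf("uniqid()    %s -> %s.%06d\n", $id, date('c', $t['sec']), $t['usec']);
printf("secure_id() %s\n", secure_id());
printf("uuid_v4()   %s\n", uuid_v4());
```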