Newsgroups: php.internals
Message-ID: <52EECE85.6090904@sugarcrm.com>
Date: Sun, 02 Feb 2014 15:02:29 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Yasuo Ohgaki
CC: "internals@lists.php.net"
References: <52EE1EDC.2010309@sugarcrm.com>
Subject: Re: [PHP-DEV] Extending uniqid() or not?

Hi!
> - it does not auto detect RNG and use /dev/random by default
> - it does not support /dev/arandom
> - it uses php_rand() to create random bytes if source option is not
> RANDOM or URANDOM
> - it is not an available function by default...

It's available if you include the extension, which you should if you
need security. And any support options can be added. Creating an
entirely new function because the existing function does exactly the
same but doesn't support one option or one specific setting for one use
case doesn't sound right to me.

> Even though mcrypt_create_iv() is good enough for its original purpose,
> it's not good as a general (fool proof) method for generating random
> bytes as it can block script execution.

If you use a strict randomness function. If you use URANDOM, it would
never do it. All depends on your requirements.

> My question is if we should extend uniqid() or add new function that
> actually generates safe ID string. We may add more description to
> uniqid() page,

How is mcrypt_create_iv not safe? It generates a random string, you need
a random string, what's unsafe in it?

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
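The point made above, that mcrypt_create_iv() with the URANDOM source gives a non-blocking random string while uniqid() is just a timestamp, as an added example (not code from this thread or from PHP itself; it assumes ext/mcrypt is loaded, and the helper name `secure_id` is hypothetical):

```php
<?php
// Added example, not from the thread. Assumes ext/mcrypt is loaded, as the
// reply says it should be when random bytes are needed for security.

/**
 * Return a hex ID carrying $bytes bytes of entropy read through the
 * non-blocking MCRYPT_DEV_URANDOM source. Fails loudly rather than
 * silently falling back to a weaker generator.
 */
function secure_id($bytes = 16)
{
    if (!function_exists('mcrypt_create_iv')) {
        throw new RuntimeException('ext/mcrypt is not loaded');
    }
    // MCRYPT_DEV_URANDOM never blocks. MCRYPT_DEV_RANDOM can block when the
    // kernel entropy estimate is low, and MCRYPT_RAND uses php_rand(), which
    // is the point raised in the quoted list above.
    $raw = mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);
    if ($raw === false || strlen($raw) !== $bytes) {
        throw new RuntimeException("mcrypt_create_iv() did not return $bytes bytes");
    }
    return bin2hex($raw);
}

// uniqid() without more_entropy is "%08x%05x" of the current seconds and
// microseconds, so two calls made close together differ only in the low
// digits and anyone who knows roughly when the ID was issued can guess it.
$first  = uniqid();
$second = uniqid();
printf("uniqid():       %s  %s\n", $first, $second);
printf("secure_id():    %s\n", secure_id());
printf("secure_id(32):  %s\n", secure_id(32));
```

On PHP 7.0 and later random_bytes() serves the same purpose, and ext/mcrypt was removed from core in PHP 7.2, so this pattern only applies to the PHP 5 series the thread is about.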