Newsgroups: php.internals
Xref: news.php.net php.internals:72068
Date: Mon, 3 Feb 2014 10:08:19 +0000 (GMT)
To: Yasuo Ohgaki
cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Extending uniqid() or not?
From: derick@php.net (Derick Rethans)

On Sun, 2 Feb 2014, Yasuo Ohgaki wrote:

> Hi all,
>
> uniqid() produces a unique ID for the system, which is good for email
> message IDs etc. Many users are using uniqid() as a secure unique ID,
> which is a very bad thing to do for security.
>
> It may be extended to produce a safe unique ID:
>
> string uniqid(TRUE) - Returns a random ID string which is safe to use
> for security purposes.

I have always been of the opinion that a function's internal workings
should not be affected by an option like this.

> My concern is that uniqid() returning both safe and unsafe IDs may
> not be good. We may be better off having a new function, perhaps
>
> string safe_uniqid([ing $length=64])

Yes, I agree - but we should not make the mistake of calling the
function "safe_" ... firstly because it reminds me of "safe_mode", but
more importantly because *we* still can't guarantee it's safe. The
underlying RNG sources are not under our control.

cheers,
Derick

--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
Posted with an email client that doesn't mangle email: alpine
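An added example, not part of the thread and not PHP's own code, showing the point both posters make: a plain uniqid() value is just the clock rendered in hex and can be decoded back to a timestamp, while a token for security purposes should come from the OS CSPRNG via random_bytes() (assumes PHP 7 or later). The function names decode_uniqid() and secure_token() are chosen here for illustration.

```php
<?php
// uniqid() with no prefix is formatted as "%08x%05x": the current time's
// seconds and microseconds in hex. Decoding it recovers the clock value,
// which shows the ID carries no secret entropy at all.
function decode_uniqid(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})/', $id, $m)) {
        throw new InvalidArgumentException("not a uniqid() value: $id");
    }
    return ['sec' => hexdec($m[1]), 'usec' => hexdec($m[2])];
}

// Token suitable for sessions, password resets, CSRF and similar uses.
// random_bytes() reads the OS CSPRNG and throws if no secure source is
// available, which is exactly the guarantee PHP itself cannot promise
// under a name like "safe_".
function secure_token(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

$id = uniqid();
$parts = decode_uniqid($id);
printf("uniqid()     : %s -> time %d.%06d (now %d)\n",
       $id, $parts['sec'], $parts['usec'], time());

// more_entropy only appends output of the combined LCG, which is not a
// CSPRNG; the leading 13 hex characters are still the clock.
$id2 = uniqid('', true);
printf("more_entropy : %s -> time %d\n", $id2, decode_uniqid($id2)['sec']);

printf("random_bytes : %s\n", secure_token());
```

Running it shows the decoded seconds matching the current time() for both uniqid() forms, while secure_token() output has no such structure.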