Newsgroups: php.internals
Date: Fri, 9 Sep 2016 14:12:42 +0900
To: "internals@lists.php.net"
Subject: [RFC] Make uniqid() more unique
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

We all know uniqid() is not unique at all and not safe as a random ID at all.
This would be one of the most misused functions because of its name.

https://github.com/php/php-src/blob/master/ext/standard/uniqid.c#L44

Bug report for this:
https://bugs.php.net/bug.php?id=55391

I would like to

 - Enable the more entropy parameter by default
 - Add a 256-bit random value (64 chars in hex) from php_random_bytes()
   instead of 1 char from php_combined_lcg()

If all of us think "just fix it", then I'll just fix this in master w/o RFC.

Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net