Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Niklas Keller
Cc: "internals@lists.php.net"
Date: Fri, 9 Sep 2016 16:59:16 +0900
Subject: Re: [PHP-DEV] [RFC] Make uniqid() more unique

Hi Niklas,

On Fri, Sep 9, 2016 at 4:40 PM, Niklas Keller wrote:
> 2016-09-09 7:12 GMT+02:00 Yasuo Ohgaki:
>>
>> Hi all,
>>
>> We all know, uniqid() is not unique at all and not safe as random ID
>> at all. This would be one of the most misused functions because of its
>> name.
>>
>> https://github.com/php/php-src/blob/master/ext/standard/uniqid.c#L44
>>
>> Bug report for this
>> https://bugs.php.net/bug.php?id=55391
>>
>> I would like to
>> - Enable more entropy parameter on by default
>> - Add 256 bits random value (64 chars by HEX) from
>> php_random_bytes() instead of 1 char from php_combined_lcg()
>>
>> If all of us think "just fix it", then I'll just fix this in master w/o
>> RFC.
>
>
> I think it's better to leave it as is and deprecate and discourage its use.
> There's already a big warning there. Dunno whether there are really valid
> use cases for it.

That's what I thought at first.
It seems misuse is still common...

https://searchcode.com/?q=uniqid&loc=0&loc2=10000&lan=24

64 chars hex value might be too long, though.

Another option might be raising E_DEPRECATED, but chances are low that
misused people correct usage by the error... It's their responsibility
anyway, though. Just trying to be nice for our users :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
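
The concern discussed in this thread, shown as an added PHP example (not code from the thread or from php-src): a default uniqid() value is an encoding of the current time and can be decoded back to it, while a 256-bit value from the CSPRNG carries no such structure. decode_uniqid() and random_id() are hypothetical helper names, and random_bytes() is the userland CSPRNG function (PHP 7.0+) used here in place of the internal php_random_bytes() named in the proposal.

```php
<?php
// Added example; helper names are hypothetical, not part of PHP.

/**
 * Split a default uniqid() value (no prefix, more_entropy off) into the
 * time it encodes: 8 hex digits of seconds followed by 5 hex digits of
 * microseconds.
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a 13-char default uniqid() value');
    }
    return [
        'sec'  => (int) hexdec(substr($id, 0, 8)),
        'usec' => (int) hexdec(substr($id, 8, 5)),
    ];
}

/** 256 bits from the CSPRNG, hex-encoded to 64 chars (the size proposed in the thread). */
function random_id(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Take the clock just before and after the call so the decoded value
// can be compared against it.
$before = microtime(true);
$id     = uniqid();
$after  = microtime(true);

$t     = decode_uniqid($id);
$stamp = $t['sec'] + $t['usec'] / 1e6;
// 1 ms tolerance covers float rounding of microtime(true).
$inWindow = $stamp >= $before - 0.001 && $stamp <= $after + 0.001;

$rid = random_id();

printf("uniqid()     : %s\n", $id);
printf("decoded time : %s.%06d UTC\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);
printf("matches clock: %s\n", $inWindow ? 'yes' : 'no');
printf("random_id()  : %s (%d hex chars)\n", $rid, strlen($rid));
```

Anyone who knows roughly when a default uniqid() value was generated can narrow it to a small range of candidates, which is why it is unsuitable for tokens, session identifiers or any other value that must be unguessable.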