Newsgroups: php.internals
Date: Fri, 9 Sep 2016 12:12:25 +0200
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Make uniqid() more unique
From: Nikita Popov <nikita.ppv@gmail.com>

On Fri, Sep 9, 2016 at 7:12 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> We all know uniqid() is not unique at all and not safe as a random ID
> at all. This would be one of the most misused functions because of its
> name.
>
> https://github.com/php/php-src/blob/master/ext/standard/uniqid.c#L44
>
> Bug report for this
> https://bugs.php.net/bug.php?id=55391
>
> I would like to
> - Enable the more entropy parameter on by default
> - Add a 256-bit random value (64 chars in hex) from
>   php_random_bytes() instead of 1 char from php_combined_lcg()
>
> If all of us think "just fix it", then I'll just fix this in master w/o
> RFC.
>
> Any comments?

The problem with "fixing" this function to be cryptographically unpredictable (rather than just unique, for a limited definition of unique) is that it will necessarily change the size of the output, on which there may be assumptions. A 128-bit random value is 22 chars in base64, which is a good bit larger than the current uniqid() output.

I agree with Niklas, this function should simply be deprecated.

Nikita
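As an added illustration of the points raised in this thread (this is not code from the thread or from php-src), the script below decodes a default uniqid() value back into the wall-clock time it encodes, and compares its length with the random_bytes()-based identifiers both posters mention. It assumes the "%08x%05x" (seconds, microseconds) layout of ext/standard/uniqid.c linked above; decodeUniqid() is a hypothetical helper written for this example.

```php
<?php
// Added example, not from the thread: a default uniqid() is just the
// current time in hex, so it is traceable to the moment it was issued
// and is not a secret. The alternatives below are unpredictable but
// longer, which is the output-size concern Nikita raises.

// Decode a 13-character uniqid() value into seconds and microseconds.
// Assumes the "%08x%05x" format from ext/standard/uniqid.c.
function decodeUniqid(string $id): array {
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})$/', $id, $m)) {
        throw new InvalidArgumentException("not a default-format uniqid: $id");
    }
    return ['sec' => hexdec($m[1]), 'usec' => hexdec($m[2])];
}

$id = uniqid();
$t  = decodeUniqid($id);
printf("uniqid()       : %s (%d chars)\n", $id, strlen($id));
printf("decoded time   : %s.%06d\n", date('c', $t['sec']), $t['usec']);

// Two consecutive calls differ only in the low microsecond digits,
// so anyone who knows roughly when an ID was issued knows most of it.
$a = uniqid();
$b = uniqid();
printf("consecutive    : %s %s\n", $a, $b);

// Sizes of the unpredictable alternatives discussed in the thread:
// 128 bits as URL-safe base64 without padding, and 256 bits as hex.
$rand128 = rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '=');
$rand256 = bin2hex(random_bytes(32));
printf("128-bit base64 : %s (%d chars)\n", $rand128, strlen($rand128)); // 22 chars
printf("256-bit hex    : %s (%d chars)\n", $rand256, strlen($rand256)); // 64 chars
```

Any code that stores or compares uniqid() output in a fixed 13-character field is the kind of size assumption a drop-in replacement would break.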