Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95841
Return-Path: <me@kelunik.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11175 invoked from network); 9 Sep 2016 10:37:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 9 Sep 2016 10:37:11 -0000
Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.220 cause and error)
X-PHP-List-Original-Sender: me@kelunik.com
X-Host-Fingerprint: 81.169.146.220 mo4-p00-ob.smtp.rzone.de  
Received: from [81.169.146.220] ([81.169.146.220:32128] helo=mo4-p00-ob.smtp.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 62/12-61313-6D092D75 for <internals@lists.php.net>; Fri, 09 Sep 2016 06:37:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1473417427; l=7143;
	s=domk; d=kelunik.com;
	h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To:
	MIME-Version;
	bh=yVYb95icRKckuXa0rcFCGilLnAAZ1oNjatvA2XMom8A=;
	b=yGTchrHSBR2K9L2XT60RaxSOcZGj9GMro3ORQmgyCMiy0ee9eB5FruJSiaXdkBvNQMD
	u44ytfny+IwLCjBR19TpuNM2Mg1BSsX/06zY+Uwy+M8GhUsaVry/fZWcda0jifnSNpdwz
	lhKGH9yEcRzPIdoUF3lMlRnkFHZrJj3oyWQ=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3o6
X-RZG-CLASS-ID: mo00
Received: from mail-wm0-f49.google.com ([74.125.82.49])
	by smtp.strato.de (RZmta 39.1 AUTH)
	with ESMTPSA id Y0125ds89Ab7Hr0
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA))
	(Client did not present a certificate)
	for <internals@lists.php.net>;
	Fri, 9 Sep 2016 12:37:07 +0200 (CEST)
Received: by mail-wm0-f49.google.com with SMTP id w12so25136246wmf.0
        for <internals@lists.php.net>; Fri, 09 Sep 2016 03:37:07 -0700 (PDT)
X-Gm-Message-State: AE9vXwN7KQT3FlxXHxZKTIXWEcOGzMQxt9sevr/uCBWX05Fxfpb4RdprOnoP1CJDDLRvh+ivNOEoCSuLpnXXDw==
X-Received: by 10.194.157.164 with SMTP id wn4mr2387447wjb.142.1473417427409;
 Fri, 09 Sep 2016 03:37:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.180.7 with HTTP; Fri, 9 Sep 2016 03:37:06 -0700 (PDT)
In-Reply-To: <CAL0xaBE-HzFz+rbzBJ_bEM1fuCKjcQ1K5yAokQra+CFMP_8x3w@mail.gmail.com>
References: <CAGa2bXaM8q0mwhkz+XL6jbBaVLHDZ_-Jfj0aOPUq+te=fV=wow@mail.gmail.com>
 <CANUQDCgcmLozTs4xcTTXfqd_UZC9oEKubmr_iZfYLwBcg3sxfQ@mail.gmail.com>
 <CAGa2bXb-ZD9ea+o4xqqsFtQJw7iM0Pzq1XTgof_2UPSTaY2PSg@mail.gmail.com> <CAL0xaBE-HzFz+rbzBJ_bEM1fuCKjcQ1K5yAokQra+CFMP_8x3w@mail.gmail.com>
Date: Fri, 9 Sep 2016 12:37:06 +0200
X-Gmail-Original-Message-ID: <CANUQDCgFzzCNCihP7DnsZRv8k7WkOT7htB_tKpoSp1wqpizmCQ@mail.gmail.com>
Message-ID: <CANUQDCgFzzCNCihP7DnsZRv8k7WkOT7htB_tKpoSp1wqpizmCQ@mail.gmail.com>
To: Arvids Godjuks <arvids.godjuks@gmail.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e013c646a5defe7053c10ba59
Subject: Re: [PHP-DEV] [RFC] Make uniqid() more unique
From: me@kelunik.com (Niklas Keller)

--089e013c646a5defe7053c10ba59
Content-Type: text/plain; charset=UTF-8

2016-09-09 10:36 GMT+02:00 Arvids Godjuks <arvids.godjuks@gmail.com>:

> 2016-09-09 11:07 GMT+03:00 Yasuo Ohgaki <yohgaki@ohgaki.net>:
>
>> On Fri, Sep 9, 2016 at 4:40 PM, Niklas Keller <me@kelunik.com> wrote:
>> > I think it's better to leave it as is and deprecate and discourage its
>> use.
>> > There's already a big warning there. Dunno whether there are really
>> valid
>> > use cases for it.
>>
>> uniqid() is handy, when developer would like to sort something by
>> "time" prefix/postfix in strings. For example, prefixed/postfixed
>> session ID by "time".
>>
>> So E_DEPRECATE might be too much.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
>
> It's also useful in other cases, where using a full blown true random
> source is just overkill.
>

Most people think getting true random is a overkill and implement things
non-secure.


> For example, my recent usage was to use the result of uniqid('', true) as
> a few parameters in URL's instead of plain numeric ID. Client just wanted
> to users can't do a +1 and see someone else's result page that might have a
> different text or a different campaign even.
>

That's exactly where uniqid SHOULD NOT be used. It's predictable. Anyone
can easily guess these URLs. If you want to prevent that, you should use
non-predictable secure random, also called cryptographically secure random:
CSRPNG. See random_bytes and random_int.


> And I do need to generate those id's in bursts - 200 to 600 id's in a
> single action, I would imagine generating 600 random strings of ~20 char
> length can be hard on the source of the randomness, may even deplete it.
> And I expect the numbers to grow.
>

Could you outline why you need 200 - 600 IDs in a single action?


> So, deprecating it I think is really an overreaction. It's a handy tool.
> It can be used to generate filenames too, and a lot of other stuff.
>

Sure, but for that you can as well just use `microtime` or `time`. As
shown, it's easily misused, you're the perfect example. :-)


> My thoughts are - improve it. Yes, the standard uniqid() is a bit too
> short, I have never used it without the second "true" parameter and that
> dot in the middle of the string is annoying - I had to strip it out every
> use case I had.
>

`true` gives you exactly one character of more, pretty low entropy.

Regards, Niklas

--089e013c646a5defe7053c10ba59--