Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95846
Return-Path: <arvids.godjuks@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 20236 invoked from network); 9 Sep 2016 11:19:24 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 9 Sep 2016 11:19:24 -0000
Authentication-Results: pb1.pair.com smtp.mail=arvids.godjuks@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=arvids.godjuks@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.48 as permitted sender)
X-PHP-List-Original-Sender: arvids.godjuks@gmail.com
X-Host-Fingerprint: 74.125.82.48 mail-wm0-f48.google.com  
Received: from [74.125.82.48] ([74.125.82.48:37823] helo=mail-wm0-f48.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 29/E3-61313-BBA92D75 for <internals@lists.php.net>; Fri, 09 Sep 2016 07:19:24 -0400
Received: by mail-wm0-f48.google.com with SMTP id w12so26996625wmf.0
        for <internals@lists.php.net>; Fri, 09 Sep 2016 04:19:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=fnm4K0GX9ABm+/8edfA8UKrljCO2I3EFzw3ZcuZ+AGo=;
        b=ShBEH28MJed1qtWdmYO3BV6NfoIcrhy9zssVWQFIYrq65WT/Iuh4QIxQKoN4B6zZfn
         kROvC+KTGpRJbJIgPT3pd+YJoM+B3auEZNKcJrGlBf7WBScRF555pXGAlSgIKZhYO8m5
         Pt2glL77bPrazdPsiIaJ8jRK0tRuTLl1PDQ0ALofT78URNyVbZ/FaDW/3HgkaqekVw9y
         qWBMQ9ICdraRfFwghhyxy72S0slOwChIMBgTNx2OZKStgwHqwXPEEkfU06AMKLVIkbAa
         INjFp38gn85PJkS4pkggEo2rr/xb0RFg7zoKvcaB8SgjJwXwzIC7In9QGSA0HiThKe3E
         Otkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=fnm4K0GX9ABm+/8edfA8UKrljCO2I3EFzw3ZcuZ+AGo=;
        b=V6I2AXRLCHnVcAWG1ZNfa2kS5Odz/6NMmYvfy1geZjdjFnzk01p0CwYvZz6M6q7gP+
         jnG6A61uuGz6NwdSdw53WduXQb2HGcelxJ1Lg6X2ZeYtxnCRbuZpB/xzvvKQ6IBCyKmy
         975sraoMqcZCDa7/KGAkJX3PSVNlsTFu0ddMY31iHG5uEAgVhPL0hIyDbonX/RezxjU2
         zXHxly7+CDgVnWZo3VGY/cAxjtPhB/KZedfW+uJ66jOLpGKkmEcCxOnUSv/EJdrqdsmC
         iz/YpH378G6aCf/V+LX+7VndD8SHszGC8fyxrBUyKWI7rE9AS+4IT0A4RBqQIew4OgJj
         6tFw==
X-Gm-Message-State: AE9vXwOp8ZfEI+gipvLhG8hMuwONDEEftjpoU/AqkB7khZzcAqSfJHJQDwowdVasv/t97+N1lci8nS/jK6DpWA==
X-Received: by 10.194.246.8 with SMTP id xs8mr2551611wjc.64.1473419960476;
 Fri, 09 Sep 2016 04:19:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.97.3 with HTTP; Fri, 9 Sep 2016 04:18:49 -0700 (PDT)
In-Reply-To: <CANUQDCgFzzCNCihP7DnsZRv8k7WkOT7htB_tKpoSp1wqpizmCQ@mail.gmail.com>
References: <CAGa2bXaM8q0mwhkz+XL6jbBaVLHDZ_-Jfj0aOPUq+te=fV=wow@mail.gmail.com>
 <CANUQDCgcmLozTs4xcTTXfqd_UZC9oEKubmr_iZfYLwBcg3sxfQ@mail.gmail.com>
 <CAGa2bXb-ZD9ea+o4xqqsFtQJw7iM0Pzq1XTgof_2UPSTaY2PSg@mail.gmail.com>
 <CAL0xaBE-HzFz+rbzBJ_bEM1fuCKjcQ1K5yAokQra+CFMP_8x3w@mail.gmail.com> <CANUQDCgFzzCNCihP7DnsZRv8k7WkOT7htB_tKpoSp1wqpizmCQ@mail.gmail.com>
Date: Fri, 9 Sep 2016 14:18:49 +0300
Message-ID: <CAL0xaBGf=iTNTU51p2XniX84REykwg-D8v0VWxkSKAvnYdmZCA@mail.gmail.com>
To: Niklas Keller <me@kelunik.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c3ba88596dc6053c1151b4
Subject: Re: [PHP-DEV] [RFC] Make uniqid() more unique
From: arvids.godjuks@gmail.com (Arvids Godjuks)

--001a11c3ba88596dc6053c1151b4
Content-Type: text/plain; charset=UTF-8

2016-09-09 13:37 GMT+03:00 Niklas Keller <me@kelunik.com>:

> 2016-09-09 10:36 GMT+02:00 Arvids Godjuks <arvids.godjuks@gmail.com>:
>
>> 2016-09-09 11:07 GMT+03:00 Yasuo Ohgaki <yohgaki@ohgaki.net>:
>>
>>> On Fri, Sep 9, 2016 at 4:40 PM, Niklas Keller <me@kelunik.com> wrote:
>>> > I think it's better to leave it as is and deprecate and discourage its
>>> use.
>>> > There's already a big warning there. Dunno whether there are really
>>> valid
>>> > use cases for it.
>>>
>>> uniqid() is handy, when developer would like to sort something by
>>> "time" prefix/postfix in strings. For example, prefixed/postfixed
>>> session ID by "time".
>>>
>>> So E_DEPRECATE might be too much.
>>>
>>> Regards,
>>>
>>> --
>>> Yasuo Ohgaki
>>> yohgaki@ohgaki.net
>>>
>>
>> It's also useful in other cases, where using a full blown true random
>> source is just overkill.
>>
>
> Most people think getting true random is a overkill and implement things
> non-secure.
>

I just don't need true random here, just some form of replacing an integer
ID with a value, that cannot be changed just by "+1"

>
>
>> For example, my recent usage was to use the result of uniqid('', true) as
>> a few parameters in URL's instead of plain numeric ID. Client just wanted
>> to users can't do a +1 and see someone else's result page that might have a
>> different text or a different campaign even.
>>
>
> That's exactly where uniqid SHOULD NOT be used. It's predictable. Anyone
> can easily guess these URLs. If you want to prevent that, you should use
> non-predictable secure random, also called cryptographically secure random:
> CSRPNG. See random_bytes and random_int.
>

The way the system works and that this is a semi-closed tool for business
purposes, the only real thing why we need these ID's is to track people.
Before this plain numeric ID's from the DB records were used. With the
rewrite the client asked to make ID's so you can't just do a +1 and see
something different. No one will ever want to try and break the uniqid algo
just to get the other page (probably the same text). I also use the
extended version of the uniqid.


>
>
>> And I do need to generate those id's in bursts - 200 to 600 id's in a
>> single action, I would imagine generating 600 random strings of ~20 char
>> length can be hard on the source of the randomness, may even deplete it.
>> And I expect the numbers to grow.
>>
>
> Could you outline why you need 200 - 600 IDs in a single action?
>

Because it's a CSV import and I need to assign every record an ID at that
moment. Those ID's are then exported by admins to a 3rd party system.

>
>
>> So, deprecating it I think is really an overreaction. It's a handy tool.
>> It can be used to generate filenames too, and a lot of other stuff.
>>
>
> Sure, but for that you can as well just use `microtime` or `time`. As
> shown, it's easily misused, you're the perfect example. :-)
>

microtime and time are easier to guess. And time() is not an option,
because I will get 600 equal ID's then. Microtime is an option, but then
you get number only string and it looks awfully sequential :) Hence the
uniqid usage, that is basically time + microtime if I understand from the
manual, but it generates a bit more random result and I'm sure I get a
unique value on every call. Improving it so it does not look awfully
sequential would suffice for the use cases it is needed. In my case this
was a clearly conscious choice with full understanding how it works.

My thoughts are - improve it. Yes, the standard uniqid() is a bit too
>> short, I have never used it without the second "true" parameter and that
>> dot in the middle of the string is annoying - I had to strip it out every
>> use case I had.
>>
>
> `true` gives you exactly one character of more, pretty low entropy.
>
> Regards, Niklas
>

Hm, without "true" you get 13 chars, with "true" - 20+.

Arvids.

--001a11c3ba88596dc6053c1151b4--