Newsgroups: php.internals
From: me@kelunik.com (Niklas Keller)
Date: Fri, 9 Sep 2016 14:50:01 +0200
To: Yasuo Ohgaki
Cc: Arvids Godjuks, "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] Make uniqid() more unique

2016-09-09 13:48 GMT+02:00 Yasuo Ohgaki:

> Hi all,
>
> On Fri, Sep 9, 2016 at 8:18 PM, Arvids Godjuks wrote:
> >
> > Hm, without "true" you get 13 chars, with "true" - 20+.
>
> Sorry. It's
>
> $ php -r 'var_dump(uniqid(), uniqid("", true));'
> string(13) "57d29c20c04c3"
> string(23) "57d29c20c04c50.55225401"
>
> I misread sprintf format.
>
> Anyway, we may use extra 10 chars to make it more random if it should
> keep compatibility.

That still breaks BC as the value is now longer than before.

> It seems uniqid() is popular for test scripts, so
> it would be preferred keeping it.

Nobody said it should be removed now. Maybe in the future. But you might as
well just use bin2hex(random_bytes(16)).

> It does not harm any with test
> script thanks to higher precision timers of current systems.

It's most often still abused for the wrong purpose.

> Some of us feel returning almost random value from uniqid() is
> overkill.

It breaks BC, overkill isn't the issue.

> This is reasonable. I'll prepare patch that uses 10 chars
> for 50 bits extra entropy from php_random_bytes() by default.

No please don't. Let's just deprecate it. Let's not break BC and make it
kinda safe but not really.

> It will
> be a little safer even when user misuses uniqid() while keeping
> most compatibility.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
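
The point argued in this message, as an added example that is not part of the original thread or of php-src: the two uniqid() values quoted above decode straight back to the clock reading that produced them, while bin2hex(random_bytes(16)) carries no such structure. The helper names decode_uniqid() and random_token() are hypothetical; the layout assumed is uniqid()'s 8 hex digits of seconds plus 5 hex digits of microseconds (plus an LCG decimal with more_entropy), and PHP 7.0 or later for random_bytes().

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0.

/**
 * Split a prefix-less uniqid() value into the clock reading it encodes:
 * 8 hex digits of Unix seconds, 5 hex digits of microseconds, and, with
 * more_entropy, a decimal suffix taken from the combined LCG.
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})(\d\.\d{8})?$/', $id, $m)) {
        throw new InvalidArgumentException("not a prefix-less uniqid() value: $id");
    }
    $sec  = (int) hexdec($m[1]);
    $usec = (int) hexdec($m[2]);
    return [
        'utc'        => gmdate('Y-m-d H:i:s', $sec),
        'usec'       => $usec,
        'total_usec' => $sec * 1000000 + $usec,
        'lcg_suffix' => $m[3] ?? null,
    ];
}

/** 128-bit unpredictable token, the replacement suggested in the reply. */
function random_token(): string
{
    return bin2hex(random_bytes(16));
}

// The two values quoted in the thread decode to the moment they were created.
foreach (['57d29c20c04c3', '57d29c20c04c50.55225401'] as $id) {
    $d = decode_uniqid($id);
    printf("%-24s %s UTC +%06d us  suffix=%s\n",
        $id, $d['utc'], $d['usec'], $d['lcg_suffix'] ?? 'none');
}

// Consecutive uniqid() calls are separated only by elapsed microseconds,
// so one observed value narrows the next to a small search window.
$a = decode_uniqid(uniqid());
$b = decode_uniqid(uniqid());
printf("gap between two uniqid() calls: %d us\n", $b['total_usec'] - $a['total_usec']);

// random_bytes() output has no timestamp or counter to recover.
printf("random tokens: %s %s\n", random_token(), random_token());
```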