Newsgroups: php.internals
Date: Sat, 10 Sep 2016 05:49:08 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "Christoph M. Becker"
Cc: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: [RFC] Make uniqid() more unique
In-Reply-To: <4e558dd2-b5e3-8091-68ae-578bed7aba88@gmx.de>

Hi Christoph,

On Fri, Sep 9, 2016 at 10:56 PM, Christoph M. Becker wrote:
>> We all know, uniqid() is not unique at all and not safe as random ID
>> at all. This would be one of the most misused functions because of its
>> name.
>
> uniqid() yields truly unique values for a single machine (except for
> CYGWIN, and potentially older Windows versions), if $more_entropy is
> FALSE[1]. Of course, the function shouldn't be used for any crypto
> purposes, but it is fine to get a unique ID if you have no database that
> delivers a sequential index number (aka. autoincrement field), for instance.
>
> [1]
>

I think uniqid() was originally intended for mail message IDs. Users shouldn't use it for crypto purposes anyway.

Although users shouldn't use it for security-related purposes, improving more entropy is reasonable since we have a better entropy source now, i.e. php_random_bytes().

I'm going to write a patch to enable more entropy by default and change the more entropy source from php_combined_lcg() to php_random_bytes(). This will improve Windows compatibility :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net