Newsgroups: php.internals
Date: Sat, 10 Sep 2016 06:36:44 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "Christoph M. Becker"
Cc: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: [RFC] Make uniqid() more unique

Hi all,

On Sat, Sep 10, 2016 at 5:49 AM, Yasuo Ohgaki wrote:
> On Fri, Sep 9, 2016 at 10:56 PM, Christoph M. Becker wrote:
>>> We all know, uniqid() is not unique at all and not safe as random ID
>>> at all. This would be one of the most misused functions because of its
>>> name.
>>
>> uniqid() yields truly unique values for a single machine (except for
>> CYGWIN, and potentially older Windows versions), if $more_entropy is
>> FALSE[1]. Of course, the function shouldn't be used for any crypto
>> purposes, but it is fine to get a unique ID if you have no database that
>> delivers a sequential index number (aka. autoincrement field), for instance.
>>
>> [1]
>>
>
> I think uniqid() is intended for mail message ID originally.
> Users shouldn't use crypto purpose anyway.
>
> Although user shouldn't use it for security related usage, improving
> more entropy is reasonable since we have better entropy source
> now. i.e. php_random_bytes()
>
> I'm going to write patch enable more entropy by default and change
> more entropy source from php_combined_lcg() to
> php_random_bytes(). This will improve Windows compatibility :)

PR is sent.
https://github.com/php/php-src/pull/2123

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net