Newsgroups: php.internals
Date: Tue, 03 Jan 2017 21:56:30 +0200
From: lauri.kentta@gmail.com (Lauri Kenttä)
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)
Message-ID: <7500b0c6a50baf49beac70ae01e8b50d@koti.fimnet.fi>

On 2016-12-31 01:20, Yasuo Ohgaki wrote:
> + zend_long rand;
> + php_random_int(1000000000, 9999999999, &rand, 1);
> + uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec,
> usec, (double)rand/10000000000);

Your code is broken. It produces 0.10000000 - 0.99999999 when it should produce 0.00000000 - 9.99999999.
Also, you have integer overflow on 32-bit systems. Why do you mess with oversized integers and doubles at all? It would be cleaner and simpler to use just regular 32-bit integers like this:

+ zend_long rand;
+ php_random_int(0, 999999999, &rand, 1);
+ uniqid = strpprintf(0, "%s%08x%05x%d.%08d", prefix, sec, usec, rand % 10, rand / 10);

Also, your argument about PHPMailer has nothing to do with your main complaint about lcg_value, since collisions of lcg_value are not the problem there.

Why don't you put your effort into a more useful solution such as random_string or something?

random_string(PHP_STRING_HEX_LOWER, 32) would produce md5-style output.
random_string(PHP_STRING_BASE64, 32) would produce a lot more entropy.
random_string("my_charset", 20) would cover the general case.
random_array([1,2,3], 20) could extend this to arbitrary arrays.

-- 
Lauri Kenttä
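
Review bot: In the quoted hunk from Yasuo Ohgaki, the statement `php_random_int(1000000000, 9999999999, &rand, 1);` discards the call's return value while `rand` is declared without an initializer, so when the random source fails the following strpprintf formats an indeterminate value into the id. Compare the result against FAILURE and return (or fall back explicitly) before building uniqid.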
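
Review bot: In the replacement hunk suggested in this reply, `rand % 10` and `rand / 10` are zend_long expressions passed to the `%d` and `%08d` conversions; on 64-bit builds zend_long is wider than int, so the arguments do not match the format. Cast both to int, which is safe because the requested range 0..999999999 fits in 32 bits, for example `(int)(rand % 10), (int)(rand / 10)`. The return value of php_random_int is unchecked in this hunk as well.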