Hey Ben, hey all

On 02.05.20 at 21:13, Ben Ramsey wrote:
>> On May 2, 2020, at 13:57, AllenJB <php.li...@allenjb.me.uk> wrote:
>>
>> Hi all,
>>
>> I'd like to discuss deprecating uniqid()
>>
>> I believe it's dangerously bad at doing "what it says on the tin". New 
>> developers still reach for it and do not read the warnings on the manual 
>> page (or if they do, don't fully understand how bad it is).
>>
>> For older codebases that still rely on it, a userland replacement can be 
>> easily implemented (and could be published on Packagist).
>>
>> I noticed there was an RFC [0][1] brought up 2 years ago, but it was never 
>> voted on. Does anyone know why this was?
>>
>> [0] https://externals.io/message/102097
>> [1] https://wiki.php.net/rfc/deprecate-uniqid
>>
>> Is there interest in deprecating this function?
>>
>> If not deprecation, how could it be (further) "improved"? My first thought 
>> is to make the "more entropy" option enabled by default (the argument could 
>> remain so that it can be disabled by codebases that rely on the lower length 
>> and can take the tradeoffs).
> 
> 
> Instead of deprecating and removing it, would anyone be opposed to replacing 
> the internals of the function so that it uses `random_bytes()` under the 
> hood, while all other functionality remains the same?

I'd rather deprecate it and give clear advice on what to use instead
(i.e. in the docs) than change the internal behaviour and break code.

As a replacement I could think of showing people the way to UUIDs.

As the function itself was never intended for cryptographically secure
values I would not see random_* functions or the like as a replacement.

My 0.02 €

Cheers

Andreas
-- 
                                                              ,,,
                                                             (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andr...@heigl.org                  N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+
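
Added example, not part of the thread and not code from php-src: it decodes a default uniqid() value back into the clock reading it was built from, next to a version 4 UUID drawn from random_bytes() as one possible userland replacement. The names decode_uniqid() and uuid_v4() are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; decode_uniqid() and uuid_v4() are hypothetical names.

/**
 * Split a default (13-character, no prefix, no more_entropy) uniqid() value
 * into the time it encodes: 8 hex digits of Unix seconds followed by 5 hex
 * digits of microseconds. Nothing else goes into the value.
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('expected a 13-character uniqid() value');
    }
    return [
        'seconds'      => (int) hexdec(substr($id, 0, 8)),
        'microseconds' => (int) hexdec(substr($id, 8, 5)),
    ];
}

/** RFC 4122 version 4 UUID: 122 random bits taken from the system CSPRNG. */
function uuid_v4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version nibble to 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set RFC 4122 variant bits
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Generate one identifier of each kind and show what the first one reveals.
$id = uniqid();
$t  = decode_uniqid($id);
printf(
    "uniqid()  %s  -> generated at %s.%06d UTC\n",
    $id,
    gmdate('Y-m-d H:i:s', $t['seconds']),
    $t['microseconds']
);
printf("uuid_v4() %s\n", uuid_v4());
```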
