Hi Niklas,

On Fri, Sep 9, 2016 at 4:40 PM, Niklas Keller <m...@kelunik.com> wrote:
> 2016-09-09 7:12 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>:
>>
>> Hi all,
>>
>> We all know uniqid() is not unique at all and not safe as a random ID
>> at all. This would be one of the most misused functions because of its
>> name.
>>
>> https://github.com/php/php-src/blob/master/ext/standard/uniqid.c#L44
>>
>> Bug report for this
>> https://bugs.php.net/bug.php?id=55391
>>
>> I would like to
>>  - Enable more entropy parameter on by default
>>  - Add 256 bits random value (64 chars by HEX) from
>>    php_random_bytes()  instead of 1 char from php_combined_lcg()
>>
>> If all of us think "just fix it", then I'll just fix this in master w/o
>> RFC.
>
>
> I think it's better to leave it as is and deprecate and discourage its use.
> There's already a big warning there. Dunno whether there are really valid
> use cases for it.

That's what I thought at first.
It seems misuse is still common...

https://searchcode.com/?q=uniqid&loc=0&loc2=10000&lan=24

64 chars hex value might be too long, though.

Another option might be raising E_DEPRECATED, but chances are low that
people who misuse it will correct their usage because of the error... It's
their responsibility anyway, though. Just trying to be nice to our users :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
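
Added example, not part of the e-mail above and not code from php-src: it shows why a plain uniqid() value is a timestamp rather than a random ID, next to a token drawn from the CSPRNG. It assumes the 8-hex-digit seconds plus 5-hex-digit microseconds layout used by the uniqid.c linked in the thread; decode_uniqid() and random_token() are hypothetical helper names.

```php
<?php
// Added illustration. Assumption: uniqid() without a prefix or more_entropy
// is sprintf("%08x%05x", seconds, microseconds) of the current time.

/** Recover the creation time encoded in a plain 13-hex-char uniqid() value. */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a plain uniqid() value');
    }
    return [
        'sec'  => (int) hexdec(substr($id, 0, 8)),  // Unix time, seconds
        'usec' => (int) hexdec(substr($id, 8, 5)),  // microsecond part
    ];
}

/** An identifier taken from the CSPRNG instead of the clock (128 bits by default). */
function random_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// The whole ID decodes back to the moment it was generated.
$id = uniqid();
$t  = decode_uniqid($id);
printf("uniqid  : %s\n", $id);
printf("decoded : %s.%06d UTC\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);

// Two consecutive IDs differ only by the elapsed microseconds,
// so neither carries any secret the other does not reveal.
$a = decode_uniqid(uniqid());
$b = decode_uniqid(uniqid());
$delta = ($b['sec'] - $a['sec']) * 1000000 + ($b['usec'] - $a['usec']);
printf("delta   : %d usec between two consecutive calls\n", $delta);

// The replacement for anything security-relevant (session IDs, reset tokens).
printf("token   : %s\n", random_token());
```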
