Hi Niklas,

On Fri, Sep 9, 2016 at 4:40 PM, Niklas Keller <m...@kelunik.com> wrote:
> 2016-09-09 7:12 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>:
>>
>> Hi all,
>>
>> We all know, uniqid() is not unique at all and not safe as random ID
>> at all. This would be one of the most misused function because of its
>> name.
>>
>> https://github.com/php/php-src/blob/master/ext/standard/uniqid.c#L44
>>
>> Bug report for this
>> https://bugs.php.net/bug.php?id=55391
>>
>> I would like to
>>  - Enable more entropy parameter on by default
>>  - Add 256 bits random value (64 chars by HEX) from
>>    php_random_bytes() instead of 1 char from php_combined_lcg()
>>
>> If all of us think "just fix it", then I'll just fix this in master w/o
>> RFC.
>
>
> I think it's better to leave it as is and deprecate and discourage its use.
> There's already a big warning there. Dunno whether there are really valid
> use cases for it.

That's what I thought at first. It seems misuse is still common...

https://searchcode.com/?q=uniqid&loc=0&loc2=10000&lan=24

64 chars hex value might be too long, though.

Another option might be raising E_DEPRECATED, but chances are low that
misused people correct usage by the error... It's their responsibility
anyway, though. Just trying to be nice for our users :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
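
Added example, not part of the original thread or of php-src: an audit helper that recognises stored tokens produced by default uniqid() (8 hex digits of Unix seconds plus 5 hex digits of microseconds), shown beside a CSPRNG-based replacement built on the userland random_bytes(). The helper names decode_uniqid() and random_id() are hypothetical, the sample tokens are generated at run time, and the nullable return type assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

/**
 * Decode a default uniqid() value (no prefix, more_entropy off):
 * 8 hex digits of Unix seconds followed by 5 hex digits of microseconds.
 * Returns null when the token does not have that shape.
 */
function decode_uniqid(string $token): ?array
{
    if (!preg_match('/\A[0-9a-f]{13}\z/', $token)) {
        return null;
    }
    $sec  = (int) hexdec(substr($token, 0, 8));
    $usec = (int) hexdec(substr($token, 8, 5));
    if ($usec >= 1000000) {
        // The microseconds field can never reach a full second.
        return null;
    }
    return ['sec' => $sec, 'usec' => $usec];
}

/** Replacement for security-sensitive IDs: 128 bits from the CSPRNG, hex encoded. */
function random_id(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Constructed samples: one uniqid() value and one CSPRNG value.
$now     = time();
$samples = ['uniqid' => uniqid(), 'random_id' => random_id()];

foreach ($samples as $label => $token) {
    $decoded = decode_uniqid($token);
    if ($decoded !== null && abs($decoded['sec'] - $now) <= 1) {
        // The whole token is the server clock at creation time.
        printf("%-9s %s -> clock value %s.%06d UTC\n", $label, $token,
            gmdate('Y-m-d H:i:s', $decoded['sec']), $decoded['usec']);
    } else {
        printf("%-9s %s -> no timestamp structure\n", $label, $token);
    }
}
```

Run over a column of session IDs, reset tokens or file names, decode_uniqid() flags values that carry no randomness beyond the creation timestamp; those are the call sites to move to random_id().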