On Fri, Sep 9, 2016 at 7:12 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> We all know, uniqid() is not unique at all and not safe as random ID
> at all. This would be one of the most misused functions because of its
> name.
>
> https://github.com/php/php-src/blob/master/ext/standard/uniqid.c#L44
>
> Bug report for this
> https://bugs.php.net/bug.php?id=55391
>
> I would like to
> - Enable more entropy parameter on by default
> - Add 256 bits random value (64 chars by HEX) from
>   php_random_bytes() instead of 1 char from php_combined_lcg()
>
> If all of us think "just fix it", then I'll just fix this in master w/o
> RFC.
>
> Any comments?
>

The problem with "fixing" this function to be cryptographically unpredictable (rather than just unique, for a limited definition of unique) is that it will necessarily change the size of the output, on which there may be assumptions. A 128 bit random value is 22 chars in base64, which is a good bit larger than the current uniqid() output.

I agree with Niklas, this function should simply be deprecated.

Nikita
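The output-size and predictability points discussed above, as an added PHP example that is not part of the original thread or of php-src. The helper names `decode_uniqid()` and `random_id()` are hypothetical; it assumes PHP 7.0 or later for `random_bytes()`.

```php
<?php
// Added illustration; helper names are hypothetical, not php-src code.

// Split a default uniqid() value (no prefix, more_entropy off) into the
// clock reading it encodes: 8 hex digits of seconds, 5 of microseconds.
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a default uniqid() value');
    }
    return [
        'sec'  => hexdec(substr($id, 0, 8)),
        'usec' => hexdec(substr($id, 8, 5)),
    ];
}

// 128 bits from the CSPRNG, URL-safe base64 with padding stripped.
function random_id(): string
{
    return rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '=');
}

$id = uniqid();
$t  = decode_uniqid($id);

// The whole identifier is recoverable as a timestamp, so anyone who knows
// roughly when it was generated can narrow down its value.
printf("uniqid():      %s (%d chars)\n", $id, strlen($id));
printf("decodes to:    %s.%06d\n", date('Y-m-d H:i:s', $t['sec']), $t['usec']);

// With more_entropy the value grows to 23 chars but is still clock-based.
$more = uniqid('', true);
printf("more_entropy:  %s (%d chars)\n", $more, strlen($more));

// An unpredictable identifier has a different length and alphabet, so code
// that assumes 13 hex characters (column widths, regexes) would break.
$rid = random_id();
printf("random_id():   %s (%d chars)\n", $rid, strlen($rid));
```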