2016-09-09 10:36 GMT+02:00 Arvids Godjuks <arvids.godj...@gmail.com>:
> 2016-09-09 11:07 GMT+03:00 Yasuo Ohgaki <yohg...@ohgaki.net>: > >> On Fri, Sep 9, 2016 at 4:40 PM, Niklas Keller <m...@kelunik.com> wrote: >> > I think it's better to leave it as is and deprecate and discourage its >> use. >> > There's already a big warning there. Dunno whether there are really >> valid >> > use cases for it. >> >> uniqid() is handy, when developer would like to sort something by >> "time" prefix/postfix in strings. For example, prefixed/postfixed >> session ID by "time". >> >> So E_DEPRECATE might be too much. >> >> Regards, >> >> -- >> Yasuo Ohgaki >> yohg...@ohgaki.net >> > > It's also useful in other cases, where using a full blown true random > source is just overkill. > Most people think getting true random is a overkill and implement things non-secure. > For example, my recent usage was to use the result of uniqid('', true) as > a few parameters in URL's instead of plain numeric ID. Client just wanted > to users can't do a +1 and see someone else's result page that might have a > different text or a different campaign even. > That's exactly where uniqid SHOULD NOT be used. It's predictable. Anyone can easily guess these URLs. If you want to prevent that, you should use non-predictable secure random, also called cryptographically secure random: CSRPNG. See random_bytes and random_int. > And I do need to generate those id's in bursts - 200 to 600 id's in a > single action, I would imagine generating 600 random strings of ~20 char > length can be hard on the source of the randomness, may even deplete it. > And I expect the numbers to grow. > Could you outline why you need 200 - 600 IDs in a single action? > So, deprecating it I think is really an overreaction. It's a handy tool. > It can be used to generate filenames too, and a lot of other stuff. > Sure, but for that you can as well just use `microtime` or `time`. As shown, it's easily misused, you're the perfect example. :-) > My thoughts are - improve it. Yes, the standard uniqid() is a bit too > short, I have never used it without the second "true" parameter and that > dot in the middle of the string is annoying - I had to strip it out every > use case I had. > `true` gives you exactly one character of more, pretty low entropy. Regards, Niklas