2016-09-09 13:48 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>:
> Hi all,
>
> On Fri, Sep 9, 2016 at 8:18 PM, Arvids Godjuks <arvids.godj...@gmail.com> wrote:
> >
> > Hm, without "true" you get 13 chars, with "true" - 20+.
>
> Sorry. It's
>
> $ php -r 'var_dump(uniqid(), uniqid("", true));'
> string(13) "57d29c20c04c3"
> string(23) "57d29c20c04c50.55225401"
>
> I misread the sprintf format.
>
> Anyway, we may use the extra 10 chars to make it more random if it should
> keep compatibility.

That still breaks BC, as the value is now longer than before.

> It seems uniqid() is popular for test scripts, so
> it would be preferred to keep it.

Nobody said it should be removed now. Maybe in the future. But you might as well just use bin2hex(random_bytes(16)).

> It does no harm with test
> scripts thanks to the higher-precision timers of current systems.

It's most often still abused for the wrong purpose.

> Some of us feel returning an almost random value from uniqid() is
> overkill.

It breaks BC, overkill isn't the issue.

> This is reasonable. I'll prepare a patch that uses 10 chars
> for 50 bits of extra entropy from php_random_bytes() by default.

No please don't. Let's just deprecate it. Let's not break BC and make it kinda safe but not really.

> It will
> be a little safer even when a user misuses uniqid() while keeping
> most compatibility.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
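The exchange above turns on what the 13 and 23 characters of uniqid() actually contain. The script below is an added example, not code from the thread or from PHP itself: it decodes the two values Yasuo posted back into the clock reading they encode (uniqid() is built as sprintf("%08x%05x", seconds, microseconds), with sprintf("%.8F", lcg_value() * 10) appended when $more_entropy is true), brute-forces a fresh uniqid() from nothing but the second it was issued in, and shows the bin2hex(random_bytes(16)) replacement suggested in the reply. The function names decode_uniqid() and uniqid_candidates() are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or from php-src): why uniqid() is a
// clock reading, not a secret, and what to use for tokens instead.

/**
 * Decode a uniqid() value into its components.
 * Layout: 8 hex digits of Unix seconds, 5 hex digits of microseconds,
 * and, for uniqid("", true), a "%.8F" rendering of lcg_value() * 10.
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})(\d\.\d{8})?$/', $id, $m)) {
        throw new InvalidArgumentException("not a uniqid() value: $id");
    }
    $seconds = (int) hexdec($m[1]);
    return [
        'seconds'      => $seconds,
        'microseconds' => (int) hexdec($m[2]),
        'lcg_suffix'   => $m[3] ?? null,   // absent for the 13-char form
        'utc'          => gmdate('Y-m-d H:i:s', $seconds),
    ];
}

// The two values posted in the thread, used here as sample input.
foreach (['57d29c20c04c3', '57d29c20c04c50.55225401'] as $id) {
    print_r(decode_uniqid($id));
}
// Both decode to 2016-09-09 11:25:20 UTC, microsecond 787651: the
// "unique" part is the wall clock, and the more_entropy suffix comes
// from a seeded LCG, not from a CSPRNG.

/**
 * Every uniqid() value that can be issued within one given second:
 * at most 1,000,000 candidates, because only the microsecond field varies.
 */
function uniqid_candidates(int $seconds): Generator
{
    for ($usec = 0; $usec < 1000000; $usec++) {
        yield sprintf('%08x%05x', $seconds, $usec);
    }
}

// Recover a freshly issued uniqid() knowing only the second it was made in.
$target  = uniqid();
$second  = (int) hexdec(substr($target, 0, 8));
$guesses = 0;
foreach (uniqid_candidates($second) as $candidate) {
    $guesses++;
    if ($candidate === $target) {
        echo "recovered {$target} after {$guesses} guesses\n";
        break;
    }
}

// For session ids, reset tokens and the like: 128 bits from the CSPRNG,
// rendered as 32 hex characters. Nothing here depends on the clock.
$token = bin2hex(random_bytes(16));
echo "random token: {$token}\n";
```

The brute force finishes in well under a second on any current machine, which is the practical content of "abused for the wrong purpose": an attacker who knows roughly when a uniqid()-based token was issued has at most a million candidates to try, and the more_entropy suffix only adds an LCG output to that.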