Hi Christoph,

On Fri, Sep 9, 2016 at 10:56 PM, Christoph M. Becker <cmbecke...@gmx.de> wrote:
>> We all know, uniqid() is not unique at all and not safe as random ID
>> at all. This would be one of the most misused functions because of its
>> name.
>
> uniqid() yields truly unique values for a single machine (except for
> CYGWIN, and potentially older Windows versions), if $more_entropy is
> FALSE[1]. Of course, the function shouldn't be used for any crypto
> purposes, but it is fine to get a unique ID if you have no database that
> delivers a sequential index number (aka. autoincrement field), for instance.
>
> [1]
> <https://github.com/php/php-src/blob/PHP-7.0.11/ext/standard/uniqid.c#L68>

I think uniqid() was originally intended for mail message IDs.
Users shouldn't use it for crypto purposes anyway.

Although users shouldn't use it for security-related usage, improving
more entropy is reasonable since we have a better entropy source now,
i.e. php_random_bytes().

I'm going to write a patch to enable more entropy by default and change
the more entropy source from php_combined_lcg() to php_random_bytes().
This will improve Windows compatibility :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
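
Added example, not part of the original messages or of php-src: it decodes a default uniqid() value back into the clock reading it encodes, shows that $more_entropy only appends a suffix to that same timestamp, and contrasts both with an ID drawn from random_bytes() (the userland counterpart of php_random_bytes()). The helper names decode_uniqid() and random_id() are hypothetical.

```php
<?php
declare(strict_types=1);

// Split the timestamp part of a uniqid() value (no prefix) into the clock
// reading it encodes: 8 hex digits of seconds, then 5 of microseconds.
function decode_uniqid(string $id): array
{
    $head = substr($id, 0, 13);
    if (!preg_match('/^[0-9a-f]{13}$/', $head)) {
        throw new InvalidArgumentException('not a uniqid() value without prefix');
    }
    return [
        'sec'  => (int) hexdec(substr($head, 0, 8)),
        'usec' => (int) hexdec(substr($head, 8, 5)),
    ];
}

// For identifiers that must be unguessable: 128 bits from the OS CSPRNG.
function random_id(): string
{
    return bin2hex(random_bytes(16));
}

$now   = microtime(true);
$plain = uniqid();          // 13 hex characters
$more  = uniqid('', true);  // same 13 characters plus an appended suffix

foreach (['uniqid()' => $plain, "uniqid('', true)" => $more] as $label => $id) {
    $t     = decode_uniqid($id);
    $stamp = $t['sec'] + $t['usec'] / 1e6;
    printf("%-17s %s\n", $label, $id);
    printf("  encodes %s.%06d UTC (%.3f s from the call)\n",
        gmdate('Y-m-d H:i:s', $t['sec']), $t['usec'], abs($stamp - $now));
}

// Nothing in this value is derived from the clock.
printf("%-17s %s\n", 'random_id()', random_id());
```

Anyone who knows roughly when a default uniqid() value was generated can narrow it to a small range of candidates, which is why it is unsuitable for tokens, session identifiers or password-reset links.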