Hi all,

On Sat, Sep 10, 2016 at 5:49 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Fri, Sep 9, 2016 at 10:56 PM, Christoph M. Becker <cmbecke...@gmx.de> wrote:
>>> We all know, uniqid() is not unique at all and not safe as random ID
>>> at all. This would be one of the most misused functions because of its
>>> name.
>>
>> uniqid() yields truly unique values for a single machine (except for
>> CYGWIN, and potentially older Windows versions), if $more_entropy is
>> FALSE[1]. Of course, the function shouldn't be used for any crypto
>> purposes, but it is fine to get a unique ID if you have no database that
>> delivers a sequential index number (aka. autoincrement field), for instance.
>>
>> [1] <https://github.com/php/php-src/blob/PHP-7.0.11/ext/standard/uniqid.c#L68>
>
> I think uniqid() is intended for mail message ID originally.
> Users shouldn't use it for crypto purposes anyway.
>
> Although users shouldn't use it for security related usage, improving
> more entropy is reasonable since we have a better entropy source
> now, i.e. php_random_bytes()
>
> I'm going to write a patch to enable more entropy by default and change
> the more entropy source from php_combined_lcg() to
> php_random_bytes(). This will improve Windows compatibility :)

PR is sent.
https://github.com/php/php-src/pull/2123

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
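
An added illustration of the point the thread agrees on (it is not part of the original messages or of php-src): a default uniqid() value is the current time printed as 8 hex digits of seconds plus 5 hex digits of microseconds, so it can be decoded back to the clock reading, while an identifier that must be unguessable should come from random_bytes(). The helper name decode_uniqid() is hypothetical.

```php
<?php
// Added example, not php-src code: show what a default uniqid() contains.

/**
 * Split a default uniqid() value (no prefix, $more_entropy = false)
 * into the clock reading it was built from.
 * decode_uniqid() is a hypothetical helper written for this example.
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('expected 13 lowercase hex digits');
    }
    return [
        'sec'  => hexdec(substr($id, 0, 8)), // Unix time in seconds
        'usec' => hexdec(substr($id, 8, 5)), // microsecond part (< 1000000)
    ];
}

// Bracket the call with our own clock readings.
$before = microtime(true);
$id     = uniqid();
$after  = microtime(true);

$t     = decode_uniqid($id);
$stamp = $t['sec'] + $t['usec'] / 1e6;

printf("uniqid()       : %s\n", $id);
printf("decoded time   : %s.%06d UTC\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);
// 1 ms of slack covers float rounding in microtime(true).
$inside = ($stamp >= $before - 0.001 && $stamp <= $after + 0.001);
printf("inside window  : %s\n", $inside ? 'yes' : 'no');

// Two IDs issued back to back differ only by the elapsed microseconds.
$a = decode_uniqid(uniqid());
$b = decode_uniqid(uniqid());
$gap = ($b['sec'] - $a['sec']) * 1000000 + ($b['usec'] - $a['usec']);
printf("gap between IDs: %d usec\n", $gap);

// For session tokens, reset links and similar values, use the CSPRNG
// that is available from PHP 7.0 on.
$token = bin2hex(random_bytes(16)); // 128 random bits, 32 hex characters
printf("random token   : %s\n", $token);
```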