Hi Kazuo,

On Mon, Sep 12, 2016 at 7:48 PM, Kazuo Oishi <ka...@o-ishi.jp> wrote:
>> I know some code breaks, but it's not many. It's not fatal BC also.
>>
>> IMHO, uniqid() should try to generate uniqid() possible. uniqid() does
>> produce non unique ID because it is system time based. This change
>> mitigates impact of misuse also which is common in both open and close
>> codes.
>>
>> Which is important?
>> - Fix known issues and generate unique ID (as much as possible)
>> - Let it generate non unique ID and ignore for some code may complain.
>
> IMO, improving it (generate better semi-unique ID) is not important
> enough to introduce unnecessary BC break. (Why returning string length
> is changed?)

It cannot not produce unique ID as name "uniqid()" implies by default.
Reason is described in the RFC. Please read RFC because it's the
official proposal.

Since we have to change "more entropy" to TRUE by default, why not use
much better entropy? php_combined_lcg() is legacy entropy generator
_must not_ be used now. New code's entropy is more than a million times
better for the same length. 50 bits entropy is far less enough for crypt
safety, though.

> If good unique ID generator is needed in core, please create new
> function with another name like "unique_id".

Already is, session_create_id() could be used. Or UUID if 3rd party
module can be used.

Although I would not like to leave legacy functions as much as possible,
this could be a vote option. Any more request for new function, anyone?

I don't like the name because "unique_id()" implies "absolute unique ID",
but we can only provide "very close to unique ID". I'm not sure if it's
good to have "uniqid()" and "unique_id()" that have the same note:
"This function does not guarantee 100% uniqueness".

If we are going to have unique_id(), I would like to keep timestamp
value, since this improves uniqueness and handy for non crypt usage.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
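
An added example, not part of the original message and not the RFC's implementation: it decodes the clock reading that a default uniqid() value consists of, then builds an ID that keeps the timestamp prefix but appends bytes from the CSPRNG random_bytes() instead of php_combined_lcg(). The names decode_uniqid_time() and timestamped_id(), the 8-byte entropy size and the sample clock value are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Split a default uniqid() value (no prefix, more_entropy = false) into the
 * clock reading it encodes: 8 hex digits of seconds, 5 hex digits of microseconds.
 */
function decode_uniqid_time(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a default uniqid() value');
    }
    return [
        'sec'  => (int) hexdec(substr($id, 0, 8)),
        'usec' => (int) hexdec(substr($id, 8, 5)),
    ];
}

/**
 * Hypothetical helper (not a PHP core function): same 13-digit time prefix,
 * so IDs still sort by creation time, followed by CSPRNG output as hex.
 */
function timestamped_id(int $bytes = 8): string
{
    [$usec, $sec] = explode(' ', microtime());   // microtime() gives "usec sec"
    $prefix = sprintf('%08x%05x', (int) $sec, (int) round((float) $usec * 1000000));
    return $prefix . bin2hex(random_bytes($bytes));
}

// 1. A default uniqid() value carries nothing but the time it was created.
$legacy = uniqid();
$t = decode_uniqid_time($legacy);
printf("uniqid()         %s -> %s.%06d UTC\n",
    $legacy, gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);

// 2. Two callers that read the same clock value format the same ID.
$sec = 1473677280; $usec = 123456;               // constructed sample clock value
$a = sprintf('%08x%05x', $sec, $usec);
$b = sprintf('%08x%05x', $sec, $usec);
printf("same clock, time only:     %s\n", $a === $b ? 'collision' : 'distinct');

// 3. With independent CSPRNG bytes appended, the same clock value stays distinct.
$a .= bin2hex(random_bytes(8));
$b .= bin2hex(random_bytes(8));
printf("same clock, plus CSPRNG:   %s\n", $a === $b ? 'collision' : 'distinct');

// 4. The timestamp prefix remains decodable for non-crypt uses such as sorting.
$id = timestamped_id();
printf("timestamped_id() %s (prefix decodes to %d s)\n",
    $id, decode_uniqid_time(substr($id, 0, 13))['sec']);
```

Because the prefix is still readable, an ID built this way reveals its creation time; use session_create_id() or raw random_bytes() output where the value has to be unguessable.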