Hi Kazuo,

On Tue, Sep 13, 2016 at 1:20 PM, Kazuo Oishi <ka...@o-ishi.jp> wrote:
> The uniqid() manual explicitly says,
>
>  - default value of more_entropy is false
>
>  - the returned string will be 13 characters long. If more_entropy is
>    TRUE, it will be 23 characters.
>
>  - if more_entropy is set to TRUE, uniqid() will add additional entropy
>    (using the combined linear congruential generator) at the end of the
>    return value
>
> http://php.net/manual/en/function.uniqid.php
>
> So, it is fairly valid to design
>  - field length limit to 13 chars in validation code or DB column.
>  - acceptable character type limit to "[0-9A-Za-z]+".
>  - expect increasing value
> in their PHP applications.

It's a legacy design.

php_combined_lcg() must not be used, especially in functions like
uniqid(), i.e. it's supposed to generate a unique ID based on time, but
php_combined_lcg() generates pseudo-random values from the current time.

It's more than obvious it's legacy and obsolete today.

>> Anyway, let's talk BC with real code.
>>
>> I didn't look into all, but only briefly.
>> https://searchcode.com/?q=uniqid&loc=0&loc2=10000&lan=24
>
> Why didn't you...
> You said "BC (BC break) will be minimum"...

Why should I look into all?
Show me the real code that breaks if you insist this minor BC matters.

I can think of a number of ways for it to be broken, but I cannot imagine
real production code that is broken by the change.

BTW, the current manual states uniqid() returns a unique identifier.
This is false.

I updated the manual, but we should do a better job of generating an almost unique ID.

  <refsect1 role="returnvalues">
   &reftitle.returnvalues;
   <para>
-   Returns the unique identifier, as a string.
+   Returns timestamp based unique identifier as a string.
   </para>
+  <warning>
+   <para>
+     This function tries to create unique identifier, but it does not
+     guarantee 100% uniqueness of return value.
+   </para>
+  </warning>
  </refsect1>
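Review bot: The reworded return-value sentence still says "unique identifier" while the warning added directly below it says uniqueness is not guaranteed, so the two statements contradict each other; consider "Returns a timestamp-based identifier as a string", which also supplies the missing article and hyphen. In the warning, "does not guarantee 100% uniqueness" would be clearer as a plain statement that the return value is not guaranteed to be unique, and the two text lines inside the new para are indented further than the text in the existing para.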

The current implementation is good enough for most cases, but it can be better.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
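
Added example, not part of the original message and not PHP's own code: it checks the length and character-set assumptions quoted above against uniqid() with and without more_entropy, and decodes the default value back to the clock reading it was built from. The helper names decode_uniqid() and check_legacy_assumptions() are hypothetical, and the layout of 8 hex digits of seconds plus 5 hex digits of microseconds is taken from PHP's implementation rather than from the thread.

```php
<?php
/** Split a default uniqid() value into the clock reading it encodes. */
function decode_uniqid(string $id): ?array
{
    // Default form: 8 hex digits of Unix seconds + 5 hex digits of microseconds.
    if (!preg_match('/\A([0-9a-f]{8})([0-9a-f]{5})\z/', $id, $m)) {
        return null; // prefixed or more_entropy value
    }
    return ['sec' => hexdec($m[1]), 'usec' => hexdec($m[2])];
}

/** Report whether an ID satisfies the legacy constraints quoted in the thread. */
function check_legacy_assumptions(string $id): array
{
    return [
        'length_is_13' => strlen($id) === 13,
        'alnum_only'   => preg_match('/\A[0-9A-Za-z]+\z/', $id) === 1,
    ];
}

$plain   = uniqid();          // 13 characters, hex digits only
$entropy = uniqid('', true);  // 23 characters, contains a "."

foreach (['default' => $plain, 'more_entropy' => $entropy] as $label => $id) {
    $c = check_legacy_assumptions($id);
    printf("%-12s %-23s len13=%s alnum=%s\n", $label, $id,
        var_export($c['length_is_13'], true),
        var_export($c['alnum_only'], true));
}

// The default value is the current time, not a random token.
$t = decode_uniqid($plain);
printf("decoded: %s.%06d UTC\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);

// Constructed values: the same clock reading on two hosts yields the same ID,
// which is why the manual warning says uniqueness is not guaranteed.
$hostA = sprintf('%08x%05x', 1473740400, 123456);
$hostB = sprintf('%08x%05x', 1473740400, 123456);
var_dump($hostA === $hostB);
```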

-- 
PHP Internals - PHP Runtime Development Mailing List