2018-05-11 17:19 GMT+02:00 Alice Wonder <al...@librelamp.com>:

> On 05/11/2018 05:34 AM, Alice Wonder wrote:
>
>> On 05/11/2018 05:10 AM, Alice Wonder wrote:
>>
>>> On 05/11/2018 03:50 AM, Arvids Godjuks wrote:
>>>
>>>> 2018-05-11 12:36 GMT+02:00 Alice Wonder <al...@librelamp.com>:
>>>>
>>>> On 05/11/2018 01:59 AM, Arvids Godjuks wrote:
>>>>>
>>>>> 2018-05-10 16:33 GMT+02:00 Niklas Keller <m...@kelunik.com>:
>>>>>>
>>>>>> Hey,
>>>>>>
>>>>>>>
>>>>>>> I hereby propose to deprecate uniqid(). There have been attempts to
>>>>>>> fix it (https://wiki.php.net/rfc/uniqid), but those were rejected
>>>>>>> during discussion, because there's no possible fix without breaking
>>>>>>> BC. Instead of a subtle BC break, this RFC favors the deprecation and
>>>>>>> moving users to other functions.
>>>>>>>
>>>>>>> It's to be discussed whether the function should be removed with
>>>>>>> PHP 8.0 or just deprecated to avoid fully breaking things where it's
>>>>>>> not strictly necessary. A deprecation will probably avoid most new
>>>>>>> usages, which is the main goal.
>>>>>>>
>>>>>>> RFC: https://wiki.php.net/rfc/deprecate-uniqid
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Niklas
>>>>>>>
>>>>>>> --
>>>>>>> PHP Internals - PHP Runtime Development Mailing List
>>>>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>
>>>>>> as a userland user of this function I do disagree with its outright
>>>>>> removal. It has its uses.
>>>>>> What can be done with it is drop the $more_entropy flag and make it
>>>>>> generate at least as long strings and use random_bytes under the
>>>>>> hood for a better random.
>>>>>> It can also adopt a length parameter so you can vary the random
>>>>>> part as much as you need it.
>>>>>>
>>>>>> You don't always need a truly random token - I have a system that uses
>>>>>> uniqid to generate tens of thousands of tokens per request and it's
>>>>>> actually a good thing they are time based at the start of it with a
>>>>>> random part at the end (as I said the random part should be improved
>>>>>> and get rid of that stupid dot when generating with
>>>>>> $more_entropy = true).
>>>>>>
>>>>>>
>>>>>> It seems to me that for your use case, you could just use the time()
>>>>> function to get part of your unique id and then use libsodium to
>>>>> generate a nonce for the "random" part, using sodium's function for
>>>>> incrementing the nonce between each use.
>>>>>
>>>>> Predictable, sure, but your use case says they don't need to be a truly
>>>>> random token - just unique (essentially a non-random nonce) but with
>>>>> a time component.
>>>>>
>>>>>
>>>>>
>>>>> Hello Alice,
>>>>
>>>> Sure, there is lots I can do about that project, including what you have
>>>> described. One thing though - client does not need it or want it or
>>>> wants to pay for that work. That whole project is a poster child for a
>>>> "side project on a bare minimum, but done by a competent developer
>>>> instead of a student so it actually works in the long run"
>>>>
>>>>
>>> Tell the client they can use this for free.
>>>
>>> function compat_uniqid(string $prefix='', bool $more_entropy = false)
>>> {
>>>     static $nonce = null;
>>>     if(is_null($nonce)) {
>>>          $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
>>>     }
>>>     $m = microtime(true);
>>>     $return = sprintf("%8x%05x",floor($m),($m-floor($m))*1000000);
>>>     if($more_entropy) {
>>>         sodium_increment($nonce);
>>>         $x = hexdec(substr(bin2hex($nonce),0,8));
>>>         $x = str_pad($x, 12, "0", STR_PAD_LEFT);
>>>         $return = $return . substr($x, 0, 1) . '.' . substr($x, -8);
>>>     }
>>>     return $prefix . $return;
>>> }
>>>
>>>
>> slightly better if block
>>
>> if($more_entropy) {
>>   sodium_increment($nonce);
>>   $x = hexdec(substr(bin2hex($nonce),0,12));
>>   $return = $return . substr($x, 2, 1) . '.' . substr($x, -8);
>> }
>>
>> Obvious patterns in the "more entropy" but the output is only supposed to
>> be unique, not random.
>>
>>
> If you don't need the output to be the exact same format, this avoids
> collisions and is faster.
>
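> function cryptoUniqid(string $prefix = '', bool $prng = false): string
> {
>     // The nonce persists across calls within one PHP process.
>     static $nonce = null;
>     if($prng || is_null($nonce)) {
>         // First call, or $prng requested: fresh 16 bytes from the CSPRNG.
>         $nonce = random_bytes(16);
>     } else {
>         // Later calls: add one to the nonce in place.
>         sodium_increment($nonce);
>     }
>     // Time part: seconds and microseconds, both as hex.
>     $m = microtime(true);
>     $return = sprintf("%8x%05x", floor($m), ($m-floor($m))*1000000);
>     $return = $return . '.' . base64_encode($nonce);
>     return $prefix . $return;
> }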
>

Thank you for all the advice Alice :)
-- 
Arvīds Godjuks

+371 26 851 664
arvids.godj...@gmail.com
Skype: psihius
Telegram: @psihius https://t.me/psihius
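
Added example, not part of the thread or of PHP itself: a check of the property discussed above, that a time prefix plus an incremented nonce gives IDs that are unique but predictable, so they should not double as secret tokens. `counterId()`, `nonceHex()` and `nextNonceHex()` are hypothetical names; the code assumes PHP 7.2+ with the sodium extension.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper): time prefix plus incrementing nonce,
// the scheme the thread's cryptoUniqid() uses, with a hex-encoded nonce.
function counterId(string $prefix = ''): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = random_bytes(16);   // random starting point, once per process
    } else {
        sodium_increment($nonce);    // little-endian +1, modifies $nonce in place
    }
    [$usec, $sec] = explode(' ', microtime());
    $time = sprintf('%08x%05x', (int) $sec, (int) round((float) $usec * 1000000));
    return $prefix . $time . '.' . bin2hex($nonce);
}

// Hypothetical helper: the nonce part of an ID (everything after the last dot).
function nonceHex(string $id): string
{
    return substr($id, strrpos($id, '.') + 1);
}

// Hypothetical helper: derive the following ID's nonce from one observed ID.
function nextNonceHex(string $id): string
{
    $nonce = hex2bin(nonceHex($id));
    sodium_increment($nonce);
    return bin2hex($nonce);
}

$ids = [];
for ($i = 0; $i < 50000; $i++) {
    $ids[] = counterId('tok_');
}

// Uniqueness holds inside one process even when many IDs share a microsecond.
printf("all unique: %s\n", count(array_unique($ids)) === count($ids) ? 'yes' : 'no');

// Predictability: the nonce of ID n+1 follows from ID n alone.
printf("next nonce derivable: %s\n", nextNonceHex($ids[0]) === nonceHex($ids[1]) ? 'yes' : 'no');

// Values that must be unguessable (reset links, session or CSRF tokens)
// should come straight from the CSPRNG instead.
printf("secret token: %s\n", bin2hex(random_bytes(16)));
```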
