Re: Request #65501 uniqid(): More entropy parameter should be true by default
On Thu, Aug 22, 2013 at 10:23 PM, Leigh <[email protected]> wrote:
> On 22 August 2013 13:39, Sebastian Krebs <[email protected]> wrote:
>
>> Tbh I don't get the real problem with the _current_ behaviour. Whoever needs
>> the entropy can set it as the second parameter, and I am not sure if it is
>> wise to use uniqid() for _security purposes_.
>>
>
> It's absolutely not wise to use it for anything security related, the
> purpose of the function is simply to provide a unique value within a
> system, not a random value, not an unpredictable value.
>
I agree.
However, I suppose there are many applications that rely on uniqid() for
critical features like payment or authentication.
We need a better function as a basic feature of PHP. unique_hash() or
hash_unique() might be good. UUID works and is much better, but generating a
unique hash just like a session ID is trivial to implement.
Any comments on this?
--
Yasuo Ohgaki
[email protected]