Extending uniqid() or not?

From: Date: Sun, 02 Feb 2014 04:32:21 +0000
Subject: Extending uniqid() or not?
Groups: php.internals 
Hi all,

uniqid() produces a unique ID for the system, which is good for email
message IDs etc. Many users use uniqid() as a secure unique ID, which is a
very bad thing to do for security.

It may be extended to produce a safe unique ID:

 string uniqid(TRUE) - Returns a random ID string which is safe to use for
security purposes.

My concern is that uniqid() would then return both safe and unsafe IDs, which
may not be good. We may be better off with a new function, perhaps

 string safe_uniqid([int $length=64])

It generates the ID using a good RNG such as /dev/urandom or /dev/arandom on
UNIXes, and the OpenSSL RNG on Windows, when they are available. It does not
use a hash function, but simply converts the RNG binary data into text. The
same algorithm that is used for session IDs may be used. (Use
hash_bits_per_character=5, since it only contains alphanumeric chars.) Since
it does not use a hash, it's fast.

We might be better off using a hash even if it's a little slow. This
implementation is affected by RNG vulnerabilities directly.

The new function name could be anything.

Too many APIs are not good, but a confusing API is not good either.

Any comments? Any good names?

Regards,


P.S. Is anyone working on UUID? PostgreSQL is using OSSP's UUID lib; it's good
for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html

--
Yasuo Ohgaki
[email protected]
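An added example, not code from the post above or from PHP's own implementation, showing both halves of the argument: decoding a uniqid() value back into the time it was generated, and building an ID from CSPRNG bytes encoded 5 bits per character as the post proposes. It assumes random_bytes() (PHP 7+) with a /dev/urandom fallback, and uses the 32-symbol alphabet session IDs use with hash_bits_per_character=5.

```php
<?php
// Added example, not from the post or from PHP itself.
// uniqid() is just a hex timestamp: 8 hex digits of seconds followed by
// 5 hex digits of microseconds, so the ID reveals when it was made and
// an observer can guess nearby values. Decode one to see that.
function decodeUniqid(string $id): array
{
    return [
        'seconds'      => hexdec(substr($id, 0, 8)),
        'microseconds' => hexdec(substr($id, 8, 5)),
    ];
}

// Read $n bytes from a cryptographic RNG: random_bytes() on PHP 7+, otherwise
// /dev/urandom as the post proposes. Fail closed, never fall back to a weak source.
function csprngBytes(int $n): string
{
    if (function_exists('random_bytes')) {
        return random_bytes($n);
    }
    $buf = @file_get_contents('/dev/urandom', false, null, 0, $n);
    if ($buf === false || strlen($buf) !== $n) {
        throw new RuntimeException('no usable CSPRNG');
    }
    return $buf;
}

// Turn raw random bytes into text at 5 bits per character using the
// 32-symbol alphabet PHP session IDs use with hash_bits_per_character=5.
// No hash involved: every output character carries 5 bits of RNG output.
function safeUniqid(int $length = 64): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuv';
    $raw = csprngBytes((int) ceil($length * 5 / 8));
    $out = '';
    $acc = 0; $bits = 0; // bit accumulator and count of valid bits in it
    for ($i = 0; strlen($out) < $length; $i++) {
        $acc = ($acc << 8) | ord($raw[$i]);
        $bits += 8;
        while ($bits >= 5 && strlen($out) < $length) {
            $bits -= 5;
            $out .= $alphabet[($acc >> $bits) & 31];
        }
        $acc &= (1 << $bits) - 1; // keep only the leftover bits
    }
    return $out;
}

print_r(decodeUniqid(uniqid()));   // timestamp recovered from the ID
echo safeUniqid(), "\n";           // 64 chars, 320 bits of randomness
```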

