Re: Extending uniqid() or not?
On Sun, Feb 2, 2014 at 4:35 PM, Martin Jansen <[email protected]> wrote:
> On 02.02.14 05:32, Yasuo Ohgaki wrote:
> > string safe_uniqid([ing $length=64])
> >
> > It generates an ID using a good RNG such as /dev/urandom, /dev/arandom for
> > UNIXes, openssl RNG for Windows when they are available. It does not use
> > a hash function, but simply converts RNG binary data into text. The same
> > algorithm that is used for session ID may be used. (Use
> > hash_bits_per_character=5, since it only contains alphanumeric chars.) Since
> > it does not use a hash, it's fast.
> >
> > Any comments? Any good names?
>
> The documentation for uniqid() is pretty clear about the fact that it's
> not cryptographically secure and recommends openssl_random_pseudo_bytes()
> as a replacement. Shouldn't we just try to come up with sane default
> values for its $length parameter instead of adding yet another new
> function?
>
I added the warning to the doc recently.
I see code that uses uniqid() as a source of safe unique ID generation
using hash functions, which is in fact not secure.
We had better provide an easy-to-use safe unique ID generation function to
prevent this kind of usage, even if users could do it in userland. Writing a
portable one is not simple enough.
> string safe_uniqid([ing $length=64])
Sorry, there is a typo, and the option should be descriptive. It should be
string safe_uniqid([int $length_of_returned_unique_id_string=64]);
This function is totally different from the current uniqid().
I don't like the name. I hope someone thinks of a good name for it.
> > P.S. Is anyone working on UUID? PostgreSQL is using OSSP's UUID lib, it's good
> > for PHP.
> > http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
>
> There's http://pecl.php.net/package/uuid.
It uses ext2 UUID. Isn't it only available for Linux?
It's an LGPL license also. It's not a preferred license for core...
Regards,
--
Yasuo Ohgaki
[email protected]
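
The approach proposed in this message, as an added example that is not part of the original mail or of PHP itself: a userland sketch that turns RNG bytes directly into text at 5 bits per character, with no hash step. It assumes PHP 7's random_bytes() as the RNG and the 0-9, a-v alphabet that sessions use for hash_bits_per_character=5; safe_uniqid() is the name from the proposal, not an existing function.

```php
<?php
// Added example: hypothetical userland safe_uniqid(), not PHP's own code.

// The pattern the message warns about: hashing uniqid() only reformats a
// timestamp-derived value; the output looks random but stays guessable.
function weak_token(): string
{
    return sha1(uniqid());
}

// RNG bytes mapped straight to text, 5 bits per output character.
function safe_uniqid(int $length = 64): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    $alphabet = '0123456789abcdefghijklmnopqrstuv'; // 32 symbols = 5 bits each

    // Bytes needed for $length characters, rounded up to whole bytes.
    $bytes = random_bytes(intdiv($length * 5 + 7, 8)); // CSPRNG, PHP >= 7.0

    $id   = '';
    $acc  = 0; // bit accumulator
    $bits = 0; // number of unread bits held in $acc
    $pos  = 0; // next byte to read from $bytes
    while (strlen($id) < $length) {
        if ($bits < 5) {
            // Refill: append the next random byte below the leftover bits.
            $acc = ($acc << 8) | ord($bytes[$pos++]);
            $bits += 8;
        }
        $bits -= 5;
        $id .= $alphabet[($acc >> $bits) & 0x1f]; // take the top 5 unread bits
        $acc &= (1 << $bits) - 1;                 // drop the consumed bits
    }
    return $id;
}

echo safe_uniqid(), "\n";   // 64 characters carrying 320 random bits
echo safe_uniqid(16), "\n"; // 16 characters carrying 80 random bits
```

Because 32 divides the byte range evenly, every character is uniformly distributed and no rejection sampling is needed.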