Re: Extending uniqid() or not?

Date: Sun, 02 Feb 2014 22:08:45 +0000
Subject: Re: Extending uniqid() or not?
Groups: php.internals

Hi Stas,

On Sun, Feb 2, 2014 at 7:33 PM, Stas Malyshev <[email protected]> wrote:

> > It may be extended to produce a safe unique ID
> >
> >  string uniqid(TRUE) - Returns a random ID string which is safe to use
> > for security purposes.
>
> What's wrong with mcrypt_create_iv() which exists specifically for the
> purpose of generating a secure random string?
>

Users may use it. An IV should be random bytes and it can be used as
a secure source for a hash. It does almost the same thing that I would
like to do. The issues are:

 - it does not auto-detect the RNG and uses /dev/random by default
 - it does not support /dev/arandom
 - it uses php_rand() to create random bytes if the source option is not
   RANDOM or URANDOM
 - it is not an available function by default...

The 1st issue is not an issue, actually. I think it is good that it uses
/dev/random by default even if it may block the script. As a crypt module,
it should use the most secure source by default. We may improve
mcrypt_create_iv() a little by raising an E_NOTICE error when the user sets
a source other than RANDOM or URANDOM, and add ARANDOM as a source.

Even though mcrypt_create_iv() is good enough for its original purpose, it's
not good as a general (foolproof) method for generating random bytes, as it
can block script execution.

My question is if we should extend uniqid() or add a new function that
actually generates a safe ID string. We may add more description to the
uniqid() page and the mcrypt and openssl manual pages. This is a valid
option also.

Do you prefer documentation rather than extending uniqid() or a new function?


> > P.S. Is anyone working on UUID? PostgreSQL is using OSSP's UUID lib, it's
> > good for PHP.
> > http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
>
> There's uuid extension for PHP as far as I can see:
>
> http://ossp-uuid.sourcearchive.com/documentation/1.6.2-1ubuntu2/php_2uuid_8c_source.html


Thank you. I didn't know this.
It provides a raw API to OSSP UUID. It's sufficient, while it may be better
to provide a more specific API like PostgreSQL. Like mcrypt and openssl,
it does not provide an API that returns the result by a single function call.
It would be better if it returned the result (UUID string) by a function call.
I hope someone writes such a module.

Regards,

--
Yasuo Ohgaki
[email protected]
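
An added example, not part of the original message or of PHP itself: one way to write the kind of single-call, non-blocking ID generator the message asks about, failing closed instead of falling back to php_rand()-style output. The name safe_id() is hypothetical; random_bytes() is a PHP 7+ function that postdates this thread, and the /dev/urandom path assumes a Unix-like system.

```php
<?php
// Added illustration. safe_id() is a hypothetical name, not a PHP core function.

/**
 * Return a hex ID built from $bytes bytes of OS randomness.
 * Never blocks on /dev/random and never falls back to rand(), mt_rand()
 * or uniqid(): if no secure source is available it throws.
 */
function safe_id($bytes = 16)
{
    if (!is_int($bytes) || $bytes < 16) {
        throw new InvalidArgumentException('use at least 16 bytes (128 bits)');
    }
    // PHP 7+: random_bytes() reads the OS CSPRNG and throws on failure.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    // Older PHP on Unix-like systems: read the non-blocking device directly.
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('no secure random source available');
    }
    stream_set_read_buffer($fh, 0); // read only the bytes we ask for
    $raw = fread($fh, $bytes);
    fclose($fh);
    if ($raw === false || strlen($raw) !== $bytes) {
        throw new RuntimeException('short read from /dev/urandom');
    }
    return bin2hex($raw);
}

// uniqid() is derived from the current time in microseconds, so two
// consecutive calls normally share most of their leading hex digits.
$a = uniqid();
$b = uniqid();
echo "uniqid:  $a / $b\n";

// safe_id() output has no such structure: 32 hex characters from 16 random bytes.
echo "safe_id: ", safe_id(), " / ", safe_id(), "\n";
```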

