Re: Extending uniqid() or not?

From: Date: Sun, 02 Feb 2014 23:55:04 +0000
Subject: Re: Extending uniqid() or not?
References: 1 2 3  Groups: php.internals 
On Sun, Feb 2, 2014 at 6:12 PM, Yasuo Ohgaki <[email protected]> wrote:

> On Sun, Feb 2, 2014 at 4:35 PM, Martin Jansen <[email protected]>
> wrote:
>
> > On 02.02.14 05:32, Yasuo Ohgaki wrote:
> > >  string safe_uniqid([ing $length=64])
> > >
> > > It generates an ID using a good RNG such as /dev/urandom, /dev/arandom for
> > > UNIXes, openssl RNG for Windows when they are available. It does not
> > > use a hash function, but simply converts RNG binary data into text. The same
> > > algorithm that is used for session ID may be used. (Use
> > > hash_bits_per_character=5, since it only contains alphanumeric chars.)
> > > Since it does not use a hash, it's fast.
> > >
> > > Any comments? Any good names?
> >
> > The documentation for uniqid() is pretty clear about the fact that it's
> > not cryptographically secure and recommends openssl_random_pseudo_bytes()
> > as a replacement. Shouldn't we just try to come up with sane default
> > values for its $length parameter instead of adding yet another new
> > function?
> >
>
> I added the warning to the doc recently.
>
> I see code that uses uniqid() as a source of safe unique ID generation using
> hash functions, which is not secure in fact.
>
> We had better provide an easy-to-use safe unique ID generation function to
> prevent this kind of usage even if users could do it in user land. Writing a
> portable one is not simple enough.
>
> > string safe_uniqid([ing $length=64])
>
> Sorry, there is a typo and the option should be descriptive. It should be
>
> string safe_uniqid([int $length_of_returned_unique_id_string=64])
>
> This function is totally different from current uniqid().
> I don't like the name. I hope some one think of good name for it.
>
> > > P.S. Is anyone working on UUID? PostgreSQL is using OSSP's UUID lib, it's
> > > good for PHP.
> > > http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
> >
> > There's http://pecl.php.net/package/uuid.
>
>
> It uses ext2 UUID. It's only available for Linux, isn't it?
> It's an LGPL license also. It's not the preferred license for core...
>

I think it would be good enough to have only uuid v4:

function uuidv4()
{
    $data = openssl_random_pseudo_bytes(16); // or whatever CSPRNG source

    $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version nibble to 0100 (v4)
    $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set variant bits 6-7 to 10 (RFC 4122)

    // 32 hex chars split into 8 groups of 4, laid out as 8-4-4-4-12
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
}

It's really just a representation of random data, whereby 6 bits are used
for the actual format.


> Regards,
>
> --
> Yasuo Ohgaki
> [email protected]
>



-- 
Tjerk
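As an added example (not code from this thread or from PHP itself), the same two constructions in Python so the masks can be checked against a standard-library UUID parser: the version-4 UUID assembly from 16 CSPRNG bytes mirroring the uuidv4() above, plus an alphanumeric ID in the spirit of the proposed safe_uniqid() that encodes 5 random bits per character with no hashing. The function names, the 32-symbol alphabet and the default length of 64 are assumptions chosen for illustration.

```python
import secrets
import uuid

# Added example, not from the original post. Mirrors the PHP uuidv4() masks
# and the proposed safe_uniqid() idea (raw CSPRNG bits -> text, no hash).


def uuid4_from_bytes(data: bytes) -> str:
    """Turn 16 random bytes into an RFC 4122 version-4 UUID string.

    Byte 6 gets the version nibble 0100, byte 8 gets the variant bits 10,
    so 122 of the 128 bits remain random; 6 bits carry the format.
    """
    if len(data) != 16:
        raise ValueError("need exactly 16 bytes")
    b = bytearray(data)
    b[6] = (b[6] & 0x0F) | 0x40   # version 4
    b[8] = (b[8] & 0x3F) | 0x80   # RFC 4122 variant
    h = b.hex()
    return f"{h[0:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:32]}"


def new_uuid4() -> str:
    # secrets.token_bytes reads the OS CSPRNG (getrandom/urandom, CryptGenRandom).
    return uuid4_from_bytes(secrets.token_bytes(16))


def is_rfc4122_v4(s: str) -> bool:
    """Check that the version and variant bits are what uuid4_from_bytes sets."""
    try:
        u = uuid.UUID(s)
    except ValueError:
        return False
    return u.version == 4 and u.variant == uuid.RFC_4122


# 32 symbols: 5 bits per character, like session.hash_bits_per_character=5.
ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def encode5(raw: bytes, length: int) -> str:
    """Map raw bytes to `length` alphabet characters, 5 bits each, no hashing."""
    if len(raw) * 8 < length * 5:
        raise ValueError("not enough random bits for the requested length")
    bits = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        out.append(ALPHABET[bits & 0x1F])
        bits >>= 5
    return "".join(out)


def safe_uniqid(length: int = 64) -> str:
    """CSPRNG-backed alphanumeric ID; 64 chars carry 320 bits of entropy."""
    needed = (length * 5 + 7) // 8
    return encode5(secrets.token_bytes(needed), length)


if __name__ == "__main__":
    print(new_uuid4())
    print(safe_uniqid())
```

Feeding uuid4_from_bytes a known 16-byte input (e.g. bytes 0x00..0x0f) shows exactly which two bytes change, and is_rfc4122_v4 rejects the unmasked input because its variant bits are NCS rather than RFC 4122.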

