Re: Extending uniqid() or not?

Date: Mon, 03 Feb 2014 11:48:52 +0000
Subject: Re: Extending uniqid() or not?
References: 1
Groups: php.internals
Hi Yasuo,

On 2 February 2014 04:32, Yasuo Ohgaki <[email protected]> wrote:
> Hi all,
>
> uniqid() produces a unique ID for the system, which is good for email
> message IDs etc. Many users are using uniqid() as a secure unique ID, which is
> a very bad thing to do for security.
>
> It may be extended to produce a safe unique ID:
>
>  string uniqid(TRUE) - Returns a random ID string which is safe to use for
> security purposes.
>
> My concern is that uniqid() returning both safe and unsafe IDs may not be
> good. We may be better off with a new function, perhaps

Mildly off-topic, the function has another outcome aside from any pure
role as a secure ID generator in that it leaks very specific timing
information which could be useful to unfriendly people:

$id = uniqid();               // 13 hex chars: 8 for the seconds, 5 for the microseconds
$time = str_split($id, 8);    // ['xxxxxxxx', 'xxxxx']
$sec = hexdec($time[0]);      // no '0x' prefix: hexdec() only takes hex digits (non-hex chars are ignored, deprecated since 7.4)
$usec = hexdec($time[1]);
echo 'Seconds: ', $sec, PHP_EOL, 'Microseconds: ', $usec, PHP_EOL;

The format is preserved even with additional parameters to the function.

Using the function at all is problematic.

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
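The timing leak described in the message above, as an added example that is not part of the original post or of PHP itself: a small decoder that recovers the timestamp from all three call forms of uniqid() (no arguments, with a prefix, with more_entropy), checks it against the clock at generation time, and shows the structureless alternative (an ID drawn from the CSPRNG). The function names `uniqidTimestamp` and `randomId` are hypothetical; the example assumes PHP 7.1 or later for random_bytes() and short list syntax.

```php
<?php
// Added example (not from the original message): decode the timestamp that
// uniqid() embeds in every ID it produces, and contrast it with a CSPRNG ID.
// Assumes PHP 7.1+ (random_bytes, [$a, $b] destructuring in foreach).

declare(strict_types=1);

/**
 * Recover the Unix time encoded in a uniqid() result.
 *
 * uniqid() output is $prefix . sprintf('%08x%05x', seconds, microseconds),
 * optionally followed by '.' and a float when $more_entropy is true. The
 * prefix is not self-delimiting, so the caller has to know its length.
 */
function uniqidTimestamp(string $id, string $prefix = ''): array
{
    if (strncmp($id, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('ID does not start with the expected prefix');
    }
    $hex = substr($id, strlen($prefix), 13);
    if (!preg_match('/^[0-9a-f]{13}$/', $hex)) {
        throw new InvalidArgumentException('Not a uniqid()-formatted ID');
    }
    return [
        'sec'  => hexdec(substr($hex, 0, 8)),   // first 8 hex digits: seconds
        'usec' => hexdec(substr($hex, 8, 5)),   // next 5 hex digits: microseconds
    ];
}

/** An ID with no structure an observer can decode: 128 bits from the CSPRNG. */
function randomId(): string
{
    return bin2hex(random_bytes(16));
}

// Demonstration: generate IDs now and show that each one dates itself.
$before  = (int) floor(microtime(true));
$plain   = uniqid();
$prefixd = uniqid('job_');
$entropy = uniqid('', true);
$after   = (int) ceil(microtime(true));

foreach ([[$plain, ''], [$prefixd, 'job_'], [$entropy, '']] as [$id, $prefix]) {
    $t = uniqidTimestamp($id, $prefix);
    $inWindow = $t['sec'] >= $before && $t['sec'] <= $after;
    printf("%-32s -> %s.%06d UTC (matches generation time: %s)\n",
        $id, gmdate('Y-m-d H:i:s', $t['sec']), $t['usec'], $inWindow ? 'yes' : 'no');
}

// The random ID carries no timestamp at all; the decoder rejects it.
$safe = randomId();
try {
    uniqidTimestamp($safe);
} catch (InvalidArgumentException $e) {
    printf("%-32s -> %s\n", $safe, $e->getMessage());
}
```

Run it with `php uniqid_leak.php`. The three uniqid() lines print the second the script ran, to microsecond precision, regardless of prefix or more_entropy; only the random_bytes() ID yields nothing. The decoder is also a cheap test to run over IDs your own application emits (session tokens, password-reset links, upload names): if it parses, the value is carrying a timestamp.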
