Re: Extending uniqid() or not?

From: Date: Mon, 03 Feb 2014 21:25:38 +0000
Subject: Re: Extending uniqid() or not?
References: 1 2  Groups: php.internals 
Hi Derick,

On Mon, Feb 3, 2014 at 7:08 PM, Derick Rethans <[email protected]> wrote:

> > uniqid() is producing a unique ID for the system, which is good for an
> > email's message ID etc. Many users are using uniqid() as a secure unique
> > ID, which is a very bad thing to do for security.
> >
> > It may be extended to produce a safe unique ID
> >
> >  string uniqid(TRUE) - Returns a random ID string which is safe to use
> > for security purposes.
>
> I have always been of the opinion that a function's internal workings
> should not be affected by an option like this.


To be honest, I don't like it either :) That's the reason why I did not
write an RFC for it.


> > My concern is that uniqid() returns both safe and unsafe IDs, which may
> > not be good. It may be better to have a new function, perhaps
> >
> >  string safe_uniqid([int $length=64])
>
> Yes, I agree - but we should not make the mistake of calling the
> function "safe_" ... firstly because it reminds me of "safe_mode", but
> more importantly is that *we* still can't guarantee it's safe. The
> underlying RNG sources are not under our control.


I agree. The name is stupid ;)
I would like to have a 'default' secure ID generator, which we do not have
currently. This is my point.

Regards,

--
Yasuo Ohgaki
[email protected]
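
Added example, not part of the original message or of PHP's source: it shows why a uniqid() value is only a clock reading (it decodes back to the time of the call) and contrasts it with an ID drawn from the OS CSPRNG. `decode_uniqid()` and `random_id()` are hypothetical helper names; `random_bytes()` requires PHP 7 or later, which postdates this thread.

```php
<?php
// Added illustration; decode_uniqid() and random_id() are hypothetical helpers.

// uniqid() with no arguments returns 13 hex characters:
// 8 for the Unix time in seconds, then 5 for the microsecond part.
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('expected 13 lowercase hex characters');
    }
    return [
        'sec'  => hexdec(substr($id, 0, 8)),
        'usec' => hexdec(substr($id, 8, 5)),
    ];
}

// ID taken from the operating system's CSPRNG instead of the clock.
function random_id(int $bytes = 16): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('use at least 128 bits');
    }
    return bin2hex(random_bytes($bytes));
}

// Bracket the uniqid() call with clock readings to compare against.
$before = microtime(true);
$id     = uniqid();
$after  = microtime(true);

$t     = decode_uniqid($id);
$stamp = $t['sec'] + $t['usec'] / 1e6;

// The decoded value should fall inside the window in which uniqid() ran
// (1 ms tolerance for float rounding).
$inWindow = $stamp >= $before - 0.001 && $stamp <= $after + 0.001;

printf("uniqid():           %s\n", $id);
printf("decoded time (UTC): %s.%06d\n", gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);
printf("inside call window: %s\n", $inWindow ? 'yes' : 'no');
printf("random_id():        %s\n", random_id());
```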

