PHP RFC: Deprecate uniqid()


uniqid(), against all expectations from the name, doesn't produce unique IDs. While there is a sleep() to prevent multiple duplicate IDs in the same process, there's no such guarantee and even a rather high probability of duplicate IDs with more processes or even multiple servers. This is due to uniqid() being time based and adding only insufficient random.


This RFC proposes to emit deprecation warnings for any usage of uniqid(). Current usages should be replaced with either bin2hex(random_bytes(16)) (or any other encoding of choice) or an UUID implementation.

Backward Incompatible Changes

All BC breaks are intentional and outlined in the RFC.

Proposed PHP Version(s)

Deprecation notice in PHP 7.3 and removal in PHP 8.0.

Proposed Voting Choices

Simple yes / no vote with 2/3 majority.

Maybe a second vote for skipping removal in PHP 8.0 and delaying it to a later RFC.

Patches and Tests


rfc/deprecate-uniqid.txt · Last modified: 2018/05/10 14:38 by kelunik