
PHP RFC: Deprecate uniqid()


uniqid(), contrary to what its name suggests, doesn't produce unique IDs. While there is a sleep() to prevent duplicate IDs within the same process, there is no such guarantee across multiple processes or multiple servers, where the probability of duplicate IDs is rather high. This is because uniqid() is time-based and adds only insufficient randomness.


This RFC proposes to emit deprecation warnings for any usage of uniqid(). Current usages should be replaced with either random_bytes() (possibly in combination with bin2hex() or any other encoding of the developer's choice) or a UUID implementation of the developer's choice.
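
The following is an added example, not part of the RFC or of php-src. It decodes a default uniqid() value (no prefix, no more_entropy) into the timestamp it is built from, next to the two kinds of replacement named above. The helper names decode_uniqid(), random_token() and uuid_v4() are hypothetical.

```php
<?php
declare(strict_types=1);

// Split a default uniqid() value (no prefix, no more_entropy) into its parts:
// 8 hex digits of Unix seconds followed by 5 hex digits of microseconds.
function decode_uniqid(string $id): array
{
    if (!preg_match('/\A[0-9a-f]{13}\z/', $id)) {
        throw new InvalidArgumentException('expected 13 lowercase hex characters');
    }
    return [
        'seconds'      => (int) hexdec(substr($id, 0, 8)),
        'microseconds' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Replacement 1 (hypothetical helper): hex token from the CSPRNG.
// 16 bytes give 128 random bits, encoded as 32 hex characters.
function random_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Replacement 2 (hypothetical helper): RFC 4122 version 4 UUID
// built from random_bytes(), for code that needs the UUID text format.
function uuid_v4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version to 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set variant to 10xx
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// The whole uniqid() value is recoverable as a wall-clock timestamp.
$id    = uniqid();
$parts = decode_uniqid($id);
printf("uniqid():       %s\n", $id);
printf("  decoded time: %s.%06d UTC\n",
    gmdate('Y-m-d H:i:s', $parts['seconds']), $parts['microseconds']);

// The replacements carry no time component at all.
printf("random_token(): %s\n", random_token());
printf("uuid_v4():      %s\n", uuid_v4());
```

Because a default uniqid() value carries nothing but the clock reading, two processes or servers that call it in the same microsecond return the same ID.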

Backward Incompatible Changes

All BC breaks are intentional and outlined in the RFC.

Proposed PHP Version(s)

Deprecation notice in PHP 7.2 and removal in PHP 8.0.

Proposed Voting Choices

Simple yes / no vote with 50%+1 majority.

Patches and Tests


rfc/deprecate-uniqid.1495626485.txt.gz · Last modified: 2017/09/22 13:28 (external edit)