PHP RFC: Deprecate uniqid()

• Version: 0.1
• Date: 2017-05-24
• Author: Niklas Keller, me@kelunik.com
• Status: Draft
• First Published at: http://wiki.php.net/rfc/deprecate-uniqid

uniqid(), against all expectations from the name, doesn't produce unique IDs. While there is a sleep() to prevent multiple duplicate IDs in the same process, there's no such guarantee and even a rather high probability of duplicate IDs with more processes or even multiple servers. This is due to uniqid() being time based and adding only insufficient random.

This RFC proposes to emit deprecation warnings for any usage of uniqid(). Current usages should be replaced with either random_bytes() (maybe in combination with bin2hex() or any other encoding of their choice) or an UUID implementation of the developer's choice.

All BC breaks are intentional and outlined in the RFC.

Deprecation notice in PHP 7.2 and removal in PHP 8.0.

Simple yes / no vote with 50%+1 majority.

TBD.