rfc:uniqid

Differences

This shows you the differences between two versions of the page.

rfc:uniqid [2016/09/12 02:37]
yohgaki Add performance note
rfc:uniqid [2018/03/01 23:16]
carusogabriel Typo "Under Discussion"
Line 4: Line 4:
   * Date Modified: 2016-09-12   * Date Modified: 2016-09-12
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under+  * Status: Under Discussion
   * First Published at: http://wiki.php.net/rfc/uniqid   * First Published at: http://wiki.php.net/rfc/uniqid
  
Line 21: Line 21:
  
   * Current entropy range: About 1 billion   * Current entropy range: About 1 billion
-  * Proposed entropy range: 2^50. About 1048567 billions+  * Proposed entropy range: 2^50 or more. About 1048567 billions.
  
 ===== Proposal ===== ===== Proposal =====
  
 +  * Change "more_entropy" option to int parameter to specify number of entropy chars.
   * Enable "more entropy" option by default.   * Enable "more entropy" option by default.
   * Use php_random_bytes() as entropy source.   * Use php_random_bytes() as entropy source.
  
-==== Note on usage ====+<code php> 
 +  string uniqid([string $prefix [, int $number_of_entropy_chars ]]); 
 +</code> 
 + 
 +Where $number_of_entropy_chars are: 
 + 
 +  * 0 for disable more entropy. (Compatible with current $more_entropy=FALSE) 
 +  * 1 for 10 digits entropy. (Compatible with current $more_entropy=TRUE. About 30 bits entropy) 
 +  * 13 to 255 for number of entropy [0-v]{13,255} chars. (13 chars = 65 bits entropy) 
 + 
 + 
 +== Note on usage ==
  
 Users should never use uniqid() for any crypt related purposes even with this change. uniqid() does not provide crypt secure random value. Users should use random_bytes() for crypt purposes. Users should never use uniqid() for any crypt related purposes even with this change. uniqid() does not provide crypt secure random value. Users should use random_bytes() for crypt purposes.
  
-==== Note on performance ====+== Note on performance ==
  
 usleep(1) is not used when "more entropy" is used. Therefore, default behavior is about 25x faster. usleep(1) is not used when "more entropy" is used. Therefore, default behavior is about 25x faster.
 +
 +== Note on uniqueness ==
 +
 +Although it is unlikely, uniqueness is _not_ guaranteed even with this proposal, but this proposal improves uniqueness a lot. This nature will be documented in the manual.
 +
 +===== Discussions =====
 +
 +== User shouldn't use uniqid(). uniqid() should be deprecated ==
 +
 +It provides good enough unique ID and many users use uniqid() for test scripts. We don't have to deprecate it.
 +
 +== This gives false sense of security ==
 +
 +It mitigates risks of misuses, but users should not misunderstand new uniqid() generates crypt secure random values.
 +
 +
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
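Review bot: The added list for $number_of_entropy_chars defines 0, 1 and 13 to 255 but says nothing about 2 through 12 or values above 255, and the added signature shows no default even though the proposal enables "more entropy" by default. Please state what the undefined values do (error, clamp, or treated as 1) and write the default into the signature. The entropy figures also need reconciling: the range line says "2^50 or more" while 13 chars of [0-v] is given as 65 bits, and 2^50 is roughly 1,125,900 billion, so "About 1048567 billions" looks like a mistyped 1048576 (2^20) paired with the wrong unit.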
Line 119: Line 147:
 ===== Rejected Features ===== ===== Rejected Features =====
 Keep this updated with features that were discussed on the mail lists. Keep this updated with features that were discussed on the mail lists.
 +
 +===== ChangeLog =====
 +
 +  * Made 2nd parameter a int 
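Review bot: The new ChangeLog entry at the end of this hunk carries no date or revision, so a reader cannot tell when the second parameter changed from the "more_entropy" flag to an int. Suggest adding the date and wording the entry as "Made 2nd parameter an int (number of entropy chars)" so it matches the Proposal section.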
rfc/uniqid.txt · Last modified: 2021/07/07 09:30 by cmb