Hi Kalle,

On Thu, Oct 20, 2016 at 5:17 PM, Kalle Sommer Nielsen <ka...@php.net> wrote:
> 2016-10-20 9:18 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>:
>> "Do not make assumption for uniqid() output format, entropy
>> especially. uniqid() output format may be changed to provide
>> reasonably unique ID in future versions."
>
> Sounds reasonable to me; although I would phrase it a little
> differently, something along the lines of:
>
> The <function>uniqid</function> cannot be relied on to be unique and
> there can occur collisions, even with the
> <parameter>more_entropy</parameter> set to &true;.

I added warnings to the uniqid() manual page recently. They are visible
now; could you check them?

http://php.net/manual/en/function.uniqid.php

The warnings are based on the following facts.

uniqid(); // without entropy

usleep(1) is called to get a unique timestamp, but NTP can disturb it
and uniqid() can result in the same ID.

uniqid('', TRUE); // with entropy

It's better, but the entropy is based on the system timestamp and there
is no usleep(1), so uniqid() is more sensitive to system clock
adjustments by NTP, and uniqid() can result in the same ID.

Collision is unlikely, but it is not that unlikely compared with true
CSPRNG-based entropy. Therefore, I made the warning a little strong.
With a CSPRNG, we may use a gentler warning. IMO.

> As for the in future version, although we may do that, I don't think
> we should document something that is not in the core yet. What do you
> think?

Entropy is a random value by definition, so we may at least tell users
"Make no assumption about the entropy". IMO.
Is this reasonable to you?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
