I'm using rand() in some of my own code, and I was surprised to see that it was still producing duplicate results for separate instances on a system running 5.2.9. The rand() manpage says it is self-seeding since PHP 4.2.0. Perhaps those instances ran within a second of each other and the "random" seed for srand() was nothing more than the Unix epoch time? Ick.
I will switch to mt_rand() for guid creation in my code. Once the switch to mt_rand() is made, though, I don't see the value in hashing something that is already a random key, or generating a random key that is unnecessarily long. 16 hex digits ought to be well beyond statistically impractical to guess, no?

I do see this for mt_srand() (not srand()):

"Since 5.2.1 The Mersenne Twister implementation in PHP now uses a new seeding algorithm by Richard Wagner. Identical seeds no longer produce the same sequence of values they did in previous versions. This behavior is not expected to change again, but it is considered unsafe to rely upon it nonetheless."

Sounds like it should indeed be safe for Symfony, since modern Symfony requires at least PHP 5.2.4 to play.

On Mon, Jul 5, 2010 at 7:04 AM, Laurent Bachelier <[email protected]> wrote:
> sfDoctrineGuardPlugin looks pretty much abandoned to me — the trunk
> has many issues which made me go back to a stable version.
> Even security issues[1] don't seem to interest its developers.
> I would suggest using doAuthPlugin[2] instead.
>
> [1] http://trac.symfony-project.org/ticket/7018
> [2] http://www.symfony-project.org/plugins/doAuthPlugin
>
> On 1 Jul, 00:08, Tom Boutell <[email protected]> wrote:
>> There haven't been any commits on sfDoctrineGuardPlugin's trunk for a
>> few months. The trunk is significantly different, with new features
>> and schema changes. We think it makes sense to use it for a
>> longer-term client project in progress, but I'm wondering if there is
>> any timeline for releasing it. Has it been swept aside by Symfony 2.0
>> development? We could live with that, but it would really help our
>> planning to know one way or the other.
>>
>> Thanks!
>>
>> --
>> Tom Boutell
>> P'unk Avenue
>> 215 755 1330
>> punkave.com
>> window.punkave.com
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en
>

--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
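An added example, not part of the original thread: it models the situation raised in the first message, where several instances seed the generator with the same Unix second, and compares the resulting 16-hex-digit IDs with ones drawn from random_bytes(). It assumes PHP 7.0 or later (newer than the 5.2 releases discussed above); the function names and the timestamp are constructed for illustration.

```php
<?php
// Added illustration for PHP 7.0+; all names and the timestamp are constructed.

// Models an instance whose generator was seeded with nothing but the Unix second.
function guid_from_seed(int $seed, int $hexDigits = 16): string
{
    mt_srand($seed); // same seed always replays the same sequence
    $out = '';
    while (strlen($out) < $hexDigits) {
        $out .= sprintf('%04x', mt_rand(0, 0xffff));
    }
    return substr($out, 0, $hexDigits);
}

// Same length of ID, drawn from the operating system's CSPRNG instead.
function secure_guid(int $hexDigits = 16): string
{
    $bytes = intdiv($hexDigits + 1, 2);
    return substr(bin2hex(random_bytes($bytes)), 0, $hexDigits);
}

// Number of IDs that repeat an earlier one in the list.
function count_duplicates(array $ids): int
{
    return count($ids) - count(array_unique($ids));
}

$start = 1278327840; // constructed Unix timestamp
$seeded = [];
$secure = [];
for ($i = 0; $i < 1000; $i++) {
    $second = $start + intdiv($i, 100); // 100 simulated instances start per second
    $seeded[] = guid_from_seed($second);
    $secure[] = secure_guid();
}

printf("time-seeded: %d duplicates in %d IDs\n", count_duplicates($seeded), count($seeded));
printf("CSPRNG:      %d duplicates in %d IDs\n", count_duplicates($secure), count($secure));
```

Every instance that shares a seed produces the same ID, so the number of distinct time-seeded IDs cannot exceed the number of distinct seconds in the run.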
