Hey Ben, hey all

On 02.05.20 at 21:13, Ben Ramsey wrote:
>> On May 2, 2020, at 13:57, AllenJB <[email protected]> wrote:
>>
>> Hi all,
>>
>> I'd like to discuss deprecating uniqid()
>>
>> I believe it's dangerously bad at doing "what it says on the tin". New
>> developers still reach for it and do not read the warnings on the manual
>> page (or if they do, don't fully understand how bad it is).
>>
>> For older codebases that still rely on it, a userland replacement can be
>> easily implemented (and could be published on Packagist).
>>
>> I noticed there was an RFC [0][1] brought up 2 years ago, but was never
>> voted on. Does anyone know why this was?
>>
>> [0] https://externals.io/message/102097
>> [1] https://wiki.php.net/rfc/deprecate-uniqid
>>
>> Is there interest in deprecating this function?
>>
>> If not deprecation, how could it be (further) "improved"? My first thought
>> is to make the "more entropy" option enabled by default (the argument could
>> remain so that it can be disabled by codebases that rely on the lower length
>> and can take the tradeoffs).
>
>
> Instead of deprecating and removing it, would anyone be opposed to replacing
> the internals of the function so that it uses `random_bytes()` under the
> hood, while all other functionality remains the same?

I'd rather deprecate it and give clear advice on what to use instead
(i.e. in the docs) than change the internal behaviour and break code.
As a replacement I could think of showing people the way to UUIDs.
As the function itself was never intended for cryptographically secure
values I would not see random_* functions or the like as a replacement.
My 0.02 €
Cheers
Andreas
--
,,,
(o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl |
| mailto:[email protected] N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca |
+---------------------------------------------------------------------+
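
Added example, not part of the original thread or of PHP's own source: it shows that a plain `uniqid()` value is only an encoded timestamp, next to the two replacements raised in the thread, a `random_bytes()`-backed ID of the same shape and a version 4 UUID. The function names `decode_uniqid`, `random_id` and `uuid_v4` are hypothetical userland helpers.

```php
<?php
declare(strict_types=1);

// A plain uniqid() value (no prefix, more_entropy = false) is 13 hex chars:
// 8 hex digits of Unix seconds followed by 5 hex digits of microseconds.
function decode_uniqid(string $id): array
{
    if (!preg_match('/\A[0-9a-f]{13}\z/', $id)) {
        throw new InvalidArgumentException('not a plain 13-character uniqid() value');
    }
    return [
        'sec'  => (int) hexdec(substr($id, 0, 8)),
        'usec' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Hypothetical userland replacement: same length and alphabet as uniqid(),
// but every character comes from the CSPRNG instead of the clock.
function random_id(int $hexLength = 13): string
{
    if ($hexLength < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    $bytes = random_bytes(intdiv($hexLength + 1, 2));
    return substr(bin2hex($bytes), 0, $hexLength);
}

// RFC 4122 version 4 UUID built from 16 random bytes.
function uuid_v4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

$id = uniqid();
$t  = decode_uniqid($id);
printf("uniqid():    %s (created %s.%06d UTC)\n",
    $id, gmdate('Y-m-d H:i:s', $t['sec']), $t['usec']);
printf("random_id(): %s\n", random_id());
printf("uuid_v4():   %s\n", uuid_v4());
```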
