On Fri, May 11, 2018 at 9:34 PM, Alice Wonder <[email protected]> wrote:
> slightly better if block
>
> if($more_entropy) {
> sodium_increment($nonce);
> $x = hexdec(substr(bin2hex($nonce),0,12));
> $return = $return . substr($x, 2, 1) . '.' . substr($x, -8);
> }
>
> Obvious patterns in the "more entropy" but the output in only suppose to
> be unique, not random.
The most important issue in current uniqid() is it could have duplicate
even with $more_entropy=true, since it has
<time_part> + <random based on time>
structure.
System time could be adjusted backwards by ntp, etc.
However changing output by default as follows is enough for it.
<time_part> + <random based on CSPRNG>
uniqid() is one of the most abused function in PHP.
I don't have strong opinion against uniqid() deprecation, though.
Regards,
--
Yasuo Ohgaki
