On 05/12/2018 03:46 PM, Yasuo Ohgaki wrote:
> On Fri, May 11, 2018 at 9:34 PM, Alice Wonder <[email protected]> wrote:
>
>> slightly better if block
>>
>>     if($more_entropy) {
>>         sodium_increment($nonce);
>>         $x = hexdec(substr(bin2hex($nonce),0,12));
>>         $return = $return . substr($x, 2, 1) . '.' . substr($x, -8);
>>     }
>>
>> Obvious patterns in the "more entropy" but the output is only supposed
>> to be unique, not random.
>
> The most important issue in current uniqid() is it could have duplicates even
> with $more_entropy=true, since it has
>
> <time_part> + <random based on time>
>
> structure. System time could be adjusted backwards by ntp, etc.
> However, changing output by default as follows is enough for it.
>
> <time_part> + <random based on CSPRNG>

+ random though is expensive if you have to create many at a time; using an increment when called multiple times on the same page request results in a pattern but is less expensive.
So if predictable is okay that's better IMHO and often predictable (with a pattern) is okay.
random based on time isn't necessary. <time part> + <nonce> should be sufficient.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
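The `<time part> + <nonce>` layout discussed in this thread, as an added example that is not code from either poster or from PHP's uniqid() implementation. The function names `time_nonce_id` and `time_only_id` and the timestamps are constructed for illustration; it assumes PHP 7.4+ with the sodium extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not PHP's uniqid()): <time part> + <nonce>.
// The nonce is seeded once per process from the CSPRNG and then only
// incremented, so each further call costs one sodium_increment().
function time_nonce_id(?float $now = null): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = random_bytes(8);      // single CSPRNG read per process
    }
    sodium_increment($nonce);          // little-endian +1 on the 8-byte string

    $now ??= microtime(true);
    $sec  = (int) floor($now);
    $usec = (int) round(($now - $sec) * 1e6);
    return sprintf('%08x%05x', $sec, $usec) . bin2hex($nonce);
}

// Time-only ID in the same layout, for comparison.
function time_only_id(float $now): string
{
    $sec  = (int) floor($now);
    $usec = (int) round(($now - $sec) * 1e6);
    return sprintf('%08x%05x', $sec, $usec);
}

// Constructed timestamps: the clock is stepped back (as ntp might do)
// and revisits values it has already produced.
$clock = [1526100000.000100, 1526100000.000200,
          1526100000.000100, 1526100000.000200];

$withNonce = array_map('time_nonce_id', $clock);
$timeOnly  = array_map('time_only_id', $clock);

printf("time only:    %d unique of %d\n",
    count(array_unique($timeOnly)), count($clock));
printf("time + nonce: %d unique of %d\n",
    count(array_unique($withNonce)), count($clock));

foreach ($withNonce as $id) {
    echo $id, "\n";   // consecutive IDs differ by the incremented nonce
}
```

Within one process the incremented nonce keeps IDs distinct even when the time part repeats; across processes a collision needs the same time part and the same 64-bit nonce value. The IDs are unique but patterned, so they are not suitable as secrets or tokens.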
