On Wed, 18 Aug 2004 17:59:34 -0700, in php.general [EMAIL PROTECTED] (John Holmes) wrote:
>> $token = md5(uniqid(rand(), true));
>>
>> .. is a pretty bad idea, since the output could include quotes,
>> newlines, low-ascii-characters, thereby messing up the form.

>How do you figure that? md5() only returns 0-9 and a-f characters.

From the manual: http://php.net/md5

string md5 ( string str [, bool raw_output])

"If the optional raw_output is set to TRUE, then the md5 digest is
instead returned in raw binary format with a length of 16."

raw_output is set to true, meaning that md5() will not just return a
hexdump of the digest, but a raw binary format, which could contain
quotes and other special characters. There's about 6% probability of
md5 returning (at least) one double quote for a random input :)

>> $token = md5(uniqid(rand() ));
>> ought to be sufficient - and works with PHP4 :)

>Using entropy with uniqid() simply returns a more unique value to md5(),
>so what's the difference.

Err... the only difference is that I removed the second argument, making
md5() return a simple hex-encoded string.

-- 
- Peter Brodersen

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
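The two output modes of md5() argued about in this exchange, as an added example that is not part of the thread: it prints the 32-character hex digest beside the 16-byte raw form of the same input, checks which one is safe to drop into a form attribute unescaped, and measures empirically how often a raw digest contains a double quote (the "about 6%" figure is 1 - (255/256)^16). The function names are my own.

```php
<?php
// Added example, not from the thread: hex digest vs. raw_output=true.

// True when the raw (binary) digest of $input contains a '"' byte.
function rawDigestContainsQuote(string $input): bool
{
    $raw = md5($input, true);           // 16 bytes, each may be 0x00-0xFF
    return strpos($raw, '"') !== false;
}

// Fraction of raw digests, over $trials uniqid()-style inputs, that
// contain at least one double quote. Expected: 1 - (255/256)^16 ~= 6.07%.
function quoteRate(int $trials): float
{
    $hits = 0;
    for ($i = 0; $i < $trials; $i++) {
        // same input shape as the thread's token idiom: uniqid() with
        // a rand() prefix and more_entropy enabled
        if (rawDigestContainsQuote(uniqid((string) rand(), true))) {
            $hits++;
        }
    }
    return $hits / $trials;
}

// A token is safe to embed as-is in a form attribute only if it is
// pure hex (0-9, a-f); anything else must at least go through
// htmlspecialchars() before it reaches the page.
function isFormSafeToken(string $token): bool
{
    return $token !== '' && ctype_xdigit($token);
}

$input = uniqid((string) rand(), true);
$hex   = md5($input);           // 32 hex characters
$raw   = md5($input, true);     // 16 raw bytes, same digest

printf("hex digest : %s (len %d, form-safe: %s)\n",
       $hex, strlen($hex), isFormSafeToken($hex) ? 'yes' : 'no');
printf("raw digest : %s (len %d, form-safe: %s)\n",
       bin2hex($raw), strlen($raw), isFormSafeToken($raw) ? 'yes' : 'no');
printf("raw digests containing '\"': %.2f%% measured, %.2f%% expected\n",
       100 * quoteRate(100000), 100 * (1 - (255 / 256) ** 16));
```

bin2hex($raw) prints the same 32 characters as $hex, which is the point: the digest is identical, only the encoding differs, so the hex form is the one to put in a hidden field.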