Request #47890 Function 'uniqid()' has a design flaw
Submitted: 2009-04-03 16:20 UTC Modified: 2016-10-18 23:12 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: bernard dot fouche at kuantic dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: master OS: Any
Private report: No CVE-ID: None
 [2009-04-03 16:20 UTC] bernard dot fouche at kuantic dot com
Description:
------------
IMHO 'uniqid()' does not provide any warranty about the returned id being really 'uniq':

- uniqid() just calls 'gettimeofday()' (from php-5.2.9/ext/standard/uniqid.c): there is no warranty that the underlying operating system is able to really count microseconds. Maybe it counts by chunks of 10us, or 1ms, etc.

- With multi-core CPU and since AFAIK gettimeofday() is not a 'real' system call any more (on Linux) but reads from shared memory updated by the kernel, chances to have more than one process or thread being able to get the same value are much higher than with older hardware and OS implementations.

- NTP may update the system time and whack the microsecond counter at any time.

I think that uniqid() should rely on other information, like the process ID, thread ID, and an internal counter... Sure the programmer can use the 'prefix', but then what is the purpose of this function if the programmer has to take care about these details?

Reproduce code:
---------------
---
From manual page: function.uniqid
---
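
The clock-granularity problem described in the report, as an added example (not code from php-src or from the reporter): it formats constructed timestamps in the 13-hex-digit layout uniqid() returns without more_entropy and counts repeated IDs when the clock only advances every `step_us` microseconds. The pid-plus-counter layout in `scoped_id` is a hypothetical rendering of the reporter's suggestion; all function names and sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Time-only ID in the 13-character layout uniqid() returns without
 * more_entropy: 8 hex digits of seconds, then 5 hex digits of microseconds. */
static void time_only_id(const struct timeval *tv, char out[14])
{
    snprintf(out, 14, "%08lx%05lx", (unsigned long)tv->tv_sec & 0xffffffffUL,
             (unsigned long)tv->tv_usec & 0xfffffUL);
}

/* Reporter's proposal (hypothetical layout): append the process ID and a
 * per-process counter so equal timestamps no longer imply equal IDs. */
static void scoped_id(const struct timeval *tv, unsigned pid,
                      unsigned counter, char out[32])
{
    char base[14];
    time_only_id(tv, base);
    snprintf(out, 32, "%s-%08x-%08x", base, pid, counter);
}

/* n calls spaced gap_us apart on a clock that only advances every step_us
 * microseconds (constructed timestamps, not real gettimeofday() output).
 * Returns how many IDs equal the one issued just before them. */
int count_collisions(int n, long gap_us, long step_us, int scoped)
{
    char prev[32] = "", cur[32];
    int collisions = 0;
    for (int i = 0; i < n; i++) {
        long usec = (long)i * gap_us;
        struct timeval tv = { .tv_sec = 1238775600L,
                              .tv_usec = usec - usec % step_us };
        if (scoped)
            scoped_id(&tv, 4242u, (unsigned)i, cur);   /* constructed pid */
        else
            time_only_id(&tv, cur);
        if (strcmp(prev, cur) == 0)
            collisions++;
        strcpy(prev, cur);
    }
    return collisions;
}

int main(void)
{
    printf("time-only, 10us clock: %d\n", count_collisions(1000, 1, 10, 0));
    printf("pid+counter, 10us clock: %d\n", count_collisions(1000, 1, 10, 1));
    return 0;
}
```

Neither layout is unpredictable: the pid-plus-counter form addresses uniqueness only, and identifiers that must resist guessing need a CSPRNG.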

 [2013-08-06 08:10 UTC] yohgaki@php.net
-Status: Open
+Status: Verified
-Package: Feature/Change Request
+Package: *General Issues
-PHP Version: 5.2.9
+PHP Version: master
 [2013-08-06 08:10 UTC] yohgaki@php.net
It might be good to set more_entropy to true for next PHP. W/o combined lcg, it has too weak uniqueness.
 [2016-10-18 00:16 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48f1a17886d874dc90867c669481804de90509e8
Log: Fix bug #47890 #73215 uniqid() should use better random source
 [2016-10-18 00:16 UTC] yohgaki@php.net
-Status: Verified
+Status: Closed
 [2016-10-18 10:30 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c74be0c52d8d1d9c7304385b3c9c7a1bfb8b873
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-18 10:30 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=689cf8b2666e0bc9dff5c9216fedbf491890d3da
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-18 10:31 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=475cb3aa32b8249f6a4e684757da4ab42fff5999
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-18 12:10 UTC] dmitry@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c74be0c52d8d1d9c7304385b3c9c7a1bfb8b873
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-18 12:11 UTC] dmitry@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=689cf8b2666e0bc9dff5c9216fedbf491890d3da
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-18 12:11 UTC] dmitry@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c74be0c52d8d1d9c7304385b3c9c7a1bfb8b873
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-18 23:12 UTC] yohgaki@php.net
-Status: Closed
+Status: Re-Opened
 [2016-10-25 15:21 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=689cf8b2666e0bc9dff5c9216fedbf491890d3da
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-25 15:21 UTC] krakjoe@php.net
-Status: Re-Opened
+Status: Closed
 [2016-10-25 15:21 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c74be0c52d8d1d9c7304385b3c9c7a1bfb8b873
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 [2016-10-25 15:21 UTC] krakjoe@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48f1a17886d874dc90867c669481804de90509e8
Log: Fix bug #47890 #73215 uniqid() should use better random source
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=475cb3aa32b8249f6a4e684757da4ab42fff5999
Log: Revert "Fix bug #47890 #73215 uniqid() should use better random source"
 