
How reliable is uniqid() ???

Status
Not open for further replies.

southbeach

Programmer
Jan 22, 2008
879
US
I am using uniqid() a lot and heavily relying on it to produce a "unique" string every time.

Am I playing Russian roulette? I thought of just writing a function to return a unique counter, but laziness got the best of me and I opted for uniqid() ...

So, should I start editing my code and use my own counter?
 
I don't see any advisories on Secunia or the ISC about it, but the manual does say that creating a hash of the value is more likely to be unique than just using the function itself. I'd suggest using something more random like mt_rand() if this impacts your security.
 
jet042,

It does not impact my security but it does impact my data integrity. You see, I am using uniqid() to produce a System Trx ID which I then use to link my tables as a unique key.

In my case, I am using a one-to-many or header/detail scenario. So, I figured that this was a safe way to go about obtaining a key which I can use to spread between all affected tables/rows.

Thanks,
 
I see. I'd suggest using a hash of the value returned by uniqid(). SHA1 is probably your best bet, but MD5 will suffice since this is a non-security application. It should be pretty easy to replace all occurrences of uniqid() with sha1(uniqid()), though.
 

Can someone explain why taking a hash of a number will make it more likely to be unique? It seems that the nature of a hash algorithm is that it will produce exactly the same answer given exactly the same input. If that is the case then any collision of uniqid() will surely produce the same hash?

Or have I missed something simple here?

___________________________________________________________
If you want the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
 
johnwm...you're right. That's what I get for just glancing over the documentation and not thinking about it before replying. The hash will always be the same for the same input. The reason to use a hashing function is to make the output a bit more unpredictable for session security.

PHP Manual said:
If you need a unique identifier or token and you intend to give out that token to the user via the network (i.e. session cookies), it is recommended that you use something along these lines:

This will create a 32 character identifier (a 128 bit hex number) that is extremely difficult to predict.

My bad for the ambiguity.

southbeach, to make sure you get more randomness, I would use the optional "more entropy" parameter as that will take into account electronic "noise" created by the machine as it works. You'd want to benchmark it first, though, as this could really slow down your scripts.
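
Added example, not part of any post in this thread: it shows that a plain uniqid() value is only the system clock, that hashing two identical values cannot make them differ, and how a key drawn from the OS random source avoids depending on the clock. It assumes PHP 7 or later for random_bytes(); decodeUniqid() and newTrxId() are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// uniqid() with no prefix and no extra entropy returns 13 hex characters:
// 8 for the Unix time in seconds, then 5 for the microseconds.
function decodeUniqid(string $id): array
{
    return [
        'seconds'      => (int) hexdec(substr($id, 0, 8)),
        'microseconds' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Hypothetical helper: a 128-bit transaction ID from the OS CSPRNG,
// returned as 32 hex characters. It does not depend on the clock.
function newTrxId(): string
{
    return bin2hex(random_bytes(16));
}

// 1. The value is the clock, so it can be decoded back into a timestamp.
$id    = uniqid();
$parts = decodeUniqid($id);
printf("uniqid()   : %s = %s + %d us\n",
    $id, date('c', $parts['seconds']), $parts['microseconds']);

// 2. Constructed collision: two processes that received the same uniqid()
//    value. A hash is deterministic, so the duplicate survives hashing.
$fromProcessA = $id;
$fromProcessB = $id;
printf("sha1 equal : %s\n",
    var_export(sha1($fromProcessA) === sha1($fromProcessB), true));

// 3. Random IDs: generate a batch and count the distinct values.
$seen = [];
for ($i = 0; $i < 100000; $i++) {
    $seen[newTrxId()] = true;
}
printf("random IDs : %d distinct out of 100000\n", count($seen));
```

For a key that links header and detail rows, a UNIQUE constraint on the column lets the database reject a duplicate whichever generator is used.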
 
jet042,

You lost me on "benchmark" 8-(

Do you have a link where I can read more about this? I really appreciate your time and effort but I don't want to seem as if I intend to be spoon-fed every bit of information.

Of course, a brief explanation is more than welcome :cool:

Thanks!

 