Home/ Questions/Q 3312394
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T21:59:25+00:00

This question isn’t really a problem looking for a solution, it’s more just a

  • 0

This question isn’t really a problem looking for a solution, it’s more just a matter of simple curiosity. The PHP uniqid function has a more entropy flag, to make the output “more unique”. This got me wondering, just how likely is it for this function to produce the same result more than once when more_entropy is true, versus when it isn’t. In other words, how unique is uniqid when more_entropy is enabled, versus when it is disabled? Are there any drawbacks to having more_entropy enabled all the time?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Update, March 2014:

    Firstly, it is important to note that uniqid is a bit of a misnomer as it doesnt guarantee a unique ID.

    Per the PHP documentation:

    WARNING!

    This function does not create random nor unpredictable string. This
    function must not be used for security purposes. Use cryptographically
    secure random function/generator and cryptographically secure hash
    functions to create unpredictable secure ID.

    And

    This function does not generate cryptographically secure tokens, in
    fact without being passed any additional parameters the return value
    is little different from microtime(). If you need to generate
    cryptographically secure tokens use openssl_random_pseudo_bytes().

    Setting more-entropy to true generates a more unique value, however the execution time is longer (though to a tiny degree), according to the docs:

    If set to TRUE, uniqid() will add additional entropy (using the
    combined linear congruential generator) at the end of the return
    value, which increases the likelihood that the result will be unique.

    Note the line increases the likelihood that the result will be unique and not that is will guarantee uniqueness.

    You can ‘endlessly’ strive for uniqueness, up to a point, and enhance using any number of encryption routines, adding salts and the like- it depends on the purpose.

    I’d recommend looking at the comments on the main PHP topic, notably:

    http://www.php.net/manual/en/function.uniqid.php#96898

    http://www.php.net/manual/en/function.uniqid.php#96549

    http://www.php.net/manual/en/function.uniqid.php#95001

    What I’d recommend is working out why you need uniqueness, is it for security (i.e. to add to an encryption/scrambling routine)? Also, How unique does it need to be? Finally, look at the speed consideration. Suitability will change with the underlying considerations.

    • 0