uniqid() in PHP generates a unique ID based on the current timestamp in microseconds. Is that really a foolproof way to generate a unique ID?
Even assuming there's a single user running a single script with a loop generating a timestamp in microseconds, can there still really be a theoretical guarantee that it's unqiue? And in practice, is the likelihood completely negligible?
For clarity, say your loop is nothing more than this:
foreach($things as $thing){
var_dump(microtime());
}
is there any theoretical chance it might not be unique and, if so, how realistic is it in practice?
Microsecond based ids are only guaranteed to be unique within limits. A single threaded scripts on a single computer is probably pretty safe in this regard. However, as soon as you start talking about parallel execution, be that simply on multiple CPUs within the same machine or especially across multiple machines, all bets are off.
So it depends on what you want to use this id for. If you're just using it to generate an id which is used only within the same script, it's probably safe enough. For example:
<?php $randomId = uniqid(); ?>
<div id="<?php echo $randomId; ?>"></div>
<script>
var div = document.getElementById('<?php echo $randomId; ?>');
...
</script>
You very likely won't encounter any problems here with this limited use.
However, if you start generating file names using uniqid or other such uses which are shared with other external scripts, I wouldn't rely on it. For filenames, using a hash based on the file contents may be a good idea. For general purpose decentralised randomly generated ids, UUIDs are a good fit (because they've been designed for this purpose).