What is the best way to create a 20 digit random number that is unique

generateCode(31) :rofl:

Well that would be unique alright :wink: (For those that don’t get it: 30 characters, 31 to choose without repeating… = infinite loop)

For your edification, there are very strong 4 character passwords when one-time use is a consideration.

Perfect Paper Passwords

Compared to a 7e35 possible-combination password, 16 million combinations is weak.

y=x^c
z=c^x

Adding 1 to x as a general form, dy < dz when x >= c.
Length of password > variation of charset.

Given that after three failed passwords you cannot enter any more for a minute, that’s 1,576,800 attempts per year.

It could take over 10 years to guess a password. Keep in mind that the password is useless after it’s been used, and that other systems exist to warn about such failed attempts; it is a realistically acceptable situation to live with.

A fair point in context, but it is not true in a general sense; take a zip file password, which can be attempted at several hundred thousand passwords per second. 16 million passwords? About a minute to run all possible passwords. 7e35? 100 sextillion years.

Let’s remain then with realistic situations that remain in an appropriate context. There’s little benefit in applying a fully generalised solution that ignores the reality of the situation that it’s being used in.

Good idea :slight_smile:

What do you think of the MySQL UUID() function?

To be honest, I haven’t used that before :blush:

Let’s also entertain the realistic idea that most people who’re visiting this site and just learning PHP don’t think about throttling password attempts when they’re designing their own site, and that most people who’re learning PHP aren’t yet gurus of programming design.

UUID does… a lot of what we did here, actually, but to an extended degree of time (preserving monotonic time in case of daylight savings is something I hadn’t thought of… but [micro]time() takes this into account… doesn’t it?)… a timestamp combined with a random.

I guess we also need to ask the original poster if the idea of storing the key in a MySQL database is a given, or whether MySQL was only mentioned along the way as part of a possible solution.

You could, however, if you wanted (because the code is a lot simpler than rolling your own), call MySQL from PHP and have it hand you a UUID – a MySQL call doesn’t have to involve a database table.

Funny thing is, r937, that comment made me look in the manual again… and look what I found…
uniqid
:rolleyes::rofl:

To get back to the OP’s point, I think we actually need a more general question answered: what are you trying to do? Not what parameters (20 character int, must be unique, etc) do you need to meet, but what are you actually trying to do?

I have a feeling you don’t need what you think you need, and that someone has already solved the problem for you.

I agree with SituationSoap here.

If you want users to not be able to access another user, put security methods in place to make sure they don’t. They should never, ever have to see their database ID in the first place, let alone use a different ID to ‘log in’ through the URL. All you’d have to do is make one mistake (an accidental copy/paste of a URL) and someone has just logged in as you. Not too clever, that.

That reduces the chances of a user hijacking another user by stealing their ID from 1/1.845e19 to 0. It also saves on processing.

I ran into a situation where I need to drop a cookie for remember-me functionality and immediately thought of this thread. Do you guys think it’s secure enough to use UUID() for generating the hash to store in a cookie on the user’s computer to enable automatically logging in? I’ve never used UUID() before and thought it might be the simplest way to create a hash for the cookie. Thoughts?

Sounds like that would be highly susceptible to session hijacking. How would you prevent someone from getting the ID and being able to log in to your system without any credentials?

IMO, the ‘Remember Me’ feature is not worth the trouble - sure, use it to remember the username for the user, but certainly nothing beyond that.

Agree with this completely.

Mind if I ask why or how you would do it differently?

Sure, I wouldn’t. :stuck_out_tongue:

In all seriousness though, I’d rather not implement a whole new authentication system and possible security issues just so the user doesn’t have to type their password in again.

Leave the remembering of username/password combos to the user (via their browser).

The effort/benefit ratio sucks.