Generating confirmation code for an email confirmation
https://stackoverflow.com/questions/2088969
-
21-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Using PHP, what are some ways to generate a random confirmation code that can be stored in a DB and be used for email confirmation? I can't for the life of me think of a way to generate a unique number that can be generated from a user's profile. That way I can use a function to make the number small enough to be included in the URL (see this link). Remember, the user has to click on the link to "confirm/activate" his/her account. If I can't use numbers, I have no problems using both letters and numbers.
With that said, I've tried hashing the username along with a "salt" to generate the random code. I know there has to be a better way, so let's hear it.
Solution
$random_hash = md5(uniqid(rand(), true));
That will be 32 alphanumeric characters long and unique. If you want it to be shorter just use substr():
$random_hash = substr(md5(uniqid(rand(), true)), 16, 16); // 16 characters long
Alternative methods to generate random data include:
$random_hash = md5(openssl_random_pseudo_bytes(32));
$random_hash = md5(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
// New in PHP7
$random_hash = bin2hex(random_bytes(32));
OTHER TIPS
1) Create an Activated Field in Database
2) After registration the Email is sent
3) Create a Link to include in Email,Use a Unique identifier It would look something like this
Welcome Username Thanks for registering.
Please Click on the Link below to activate your account
domain.com/register.php?uid=100&activate=1
4) Update the Activated Field to true
(source: jackborn.com)
$email_encrypt = urlencode($email);
$special_string = 'maybeyourcompanynamereversed?';
$hash = md5($email_encrypt.$special_string);
Here is the link that is sent to the email that was provided:
http://yourdoman.com/confirm.php?hash='.$hash.'
The actual link will look something like this:
http://yourdomain.com/confirm.php?hash=00413297cc003c03d0f1ffe1cc8445f8
The accepted answer suggests using a hash of PHP's uniqid(). The documentation for uniqid explicitly warns that it does not create "random nor unpredictable strings", and states emphatically that "This function must not be used for security purposes."
If there is any concern over the possibility of a confirmation code being guessed (and that is the whole point of issuing a code) you may wish to use a more random generator such as openssl_random_pseudo_bytes(). You can then use bin2hex() to turn it into a nice alphanumeric. The following looks just like the output of John Conde's answer, but is (supposedly) more random and less guessable:
// generate a 16 byte random hex string
$random_hash = bin2hex(openssl_random_pseudo_bytes(16))
Late addendum: As Oleg Abrazhaev points out, if you want to make sure your system is actually capable of generating cryptographically strong random values at runtime, openssl_random_pseudo_bytes accepts a reference to a bool to report this. Code from phpinspectionsea docs:
$random = openssl_random_pseudo_bytes(32, $isSourceStrong);
if (false === $isSourceStrong || false === $random) {
throw new \RuntimeException('IV generation failed');
}
Then use the generated random value as before:
$random_hash = bin2hex($random)
Decided I need something a little more robust and added functionality. So this is what I came up with.
/**
* Hash Gen
* @author Kyle Coots
* @version 1.0
* Allow you to create a unique hash with a maximum value of 32.
* Hash Gen uses phps substr, md5, uniqid, and rand to generate a unique
* id or hash and allow you to have some added functionality.
*
* @see subtr()
* @see md5()
* @see uniqid()
* @see rand()
*
* You can also supply a hash to be prefixed or appened
* to the hash. hash[optional] is by default appened to the hash
* unless the param prefix[optional] is set to prefix[true].
*
* @param start[optional]
* @param end[optional]
* @param hash[optional]
* @param prefix bool[optional]
*
* @return string a unique string max[32] character
*/
function hash_gen($start = null, $end = 0, $hash = FALSE, $prefix = FALSE){
// start IS set NO hash
if( isset($start, $end) && ($hash == FALSE) ){
$md_hash = substr(md5(uniqid(rand(), true)), $start, $end);
$new_hash = $md_hash;
}else //start IS set WITH hash NOT prefixing
if( isset($start, $end) && ($hash != FALSE) && ($prefix == FALSE) ){
$md_hash = substr(md5(uniqid(rand(), true)), $start, $end);
$new_hash = $md_hash.$hash;
}else //start NOT set WITH hash NOT prefixing
if( !isset($start, $end) && ($hash != FALSE) && ($prefix == FALSE) ){
$md_hash = md5(uniqid(rand(), true));
$new_hash = $md_hash.$hash;
}else //start IS set WITH hash IS prefixing
if( isset($start, $end) && ($hash != FALSE) && ($prefix == TRUE) ){
$md_hash = substr(md5(uniqid(rand(), true)), $start, $end);
$new_hash = $hash.$md_hash;
}else //start NOT set WITH hash IS prefixing
if( !isset($start, $end) && ($hash != FALSE) && ($prefix == TRUE) ){
$md_hash = md5(uniqid(rand(), true));
$new_hash = $hash.$md_hash;
}else{
$new_hash = md5(uniqid(rand(), true));
}
return $new_hash;
}
private function generateCodeSecurity()
{
list($usec, $sec) = explode(" ", microtime());
$micro = usec + $sec;
$hoy = date("Y-m-d");
$str = str_replace('-','',$hoy);
return rand($str, $micro);
}
With this little code, you can generate a random number, with a range of 7 to 11 numbers.
Using php functions:
Rand ();
Microtime ()
$hoy = date("Y-m-d");
$str = str_replace('-','',$hoy);
echo $str;
result date: 20170217
list($usec, $sec) = explode(" ", microtime());
$micro = usec + $sec;
echo $micro;
result micro varaible: 1487340849
Passing parameters in this function:rand ();
rand($str, $micro);
and return;
example:
list($usec, $sec) = explode(" ", microtime());
$micro = usec + $sec;
$hoy = date("Y-m-d");
$str = str_replace('-','',$hoy);
$finalresult = rand($str, $micro);
echo $finalresult;
result: 1297793555
I think it is difficult to repeat this number, for the reason it will never be the same day, nor the same hour, nor the same milliseconds of time.
