For this purpose, MD5 is just an 'encoding'. As long as the source value that you run the MD5 on is properly random, it can be safely used.
Any random (with a proper algorithm) 128 bit value will do file (either an GUID (as long as it is v4) or just base64 encoded crypto-random byte array, or MD5 on the same array).
You just have to make sure that it cannot be guessed. So mostly you would want to add some sort of invalid-token counter by IP address that blocks the access after certain number of times.
Also you would probably want to add some sort of expiration (like valid for 24 hours) for the code for the same reason.