current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Join the Stack Overflow Community
Stack Overflow is a community of 6.4 million programmers, just like you, helping each other.
Join them; it only takes a minute:
Sign up
up vote 191 down vote favorite
115

How would it be possible to generate a random, unique string using numbers and letters for use in a verify link? Like when you create an account on a website, and it sends you an email with a link, and you have to click that link in order to verify your account...yeah...one of those.

How can I generate one of those using PHP?

Update: Just remembered about uniqid(). It's a PHP function that generates a unique identifier based on the current time in microseconds. I think I'll use that.

share|improve this question
    
All you need are strings and uniformly distributed random numbers. – Artelius Dec 4 '09 at 10:52
7  
Hey Andrew, you should choose Scott as the correct answer. Scott is using OpenSSL's cryptographically secure psudo-random number generator (CSPRNG) which will choose the most secure source of entropy based on your platform. – rook Sep 18 '13 at 19:50
1  
Anyone reading this after 2015, please, please look here: paragonie.com/blog/2015/07/… Most top answers are flawed more or less... – rugk Oct 8 at 20:30

19 Answers 19

up vote 154 down vote accepted

Security Notice: This solution should not be used in situations where the quality of your randomness can affect the security of an application. In particular, rand() and uniqid() are not cryptographically secure random number generators. See Scott's answer for a secure alternative.

If you do not need it to be absolutely unique over time:

md5(uniqid(rand(), true))

Otherwise (given you have already determined a unique login for your user):

md5(uniqid($your_user_login, true))
share|improve this answer
67  
Both methods do not guarantee uniqueness - length of the input of the md5 function is greater than length of its output and according to the en.wikipedia.org/wiki/Pigeonhole_principle the collision is guaranteed. On the other hand, the greater the population relying on hashes to achieve the "unique" id, the greater the probability of occurring at least one collision (see en.wikipedia.org/wiki/Birthday_problem). The probability may be tiny for most of solutions but it still exists. – Dariusz Walczak Jul 14 '11 at 12:30
9  
This is not a secure method of generating random values. See Scott's answer. – rook Sep 18 '13 at 19:51
3  
For email confirmations that expire relatively soon, I think the tiny possibility that one person might one day confirm someone else's email is a negligible risk. But you could always check if the token already exists in the DB after creating it and just pick a new one if that is the case. However, the time you spend writing that snippet of code is likely wasted as it will most likely never be run. – Andrew May 26 '14 at 21:10
    
Do note that md5 returns hexadecimal values, meaning the character set is limited to [0-9] and [a-f]. – Thijs Riezebeek May 15 '15 at 16:59
1  
md5 can have collisions, you have just ruined uniqid advantage – user151496 Sep 28 at 12:42
up vote 270 down vote

I was just looking into how to solve this same problem, but I also want my function to create a token that can be used for password retrieval as well. This means that I need to limit the ability of the token to be guessed. Because uniqid is based on the time, and according to php.net "the return value is little different from microtime()", uniqid does not meet the criteria. PHP recommends using openssl_random_pseudo_bytes() instead to generate cryptographically secure tokens.

A quick, short and to the point answer is:

bin2hex(openssl_random_pseudo_bytes($bytes))

which will generate a random string of alphanumeric characters of length = $bytes * 2. Unfortunately this only has an alphabet of [a-f][0-9], but it works.

Below is the strongest function I could make that satisfies the criteria (This is an implemented version of Erik's answer).

function crypto_rand_secure($min, $max)
{
    $range = $max - $min;
    if ($range < 1) return $min; // not so random...
    $log = ceil(log($range, 2));
    $bytes = (int) ($log / 8) + 1; // length in bytes
    $bits = (int) $log + 1; // length in bits
    $filter = (int) (1 << $bits) - 1; // set all lower bits to 1
    do {
        $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
        $rnd = $rnd & $filter; // discard irrelevant bits
    } while ($rnd > $range);
    return $min + $rnd;
}

function getToken($length)
{
    $token = "";
    $codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $codeAlphabet.= "abcdefghijklmnopqrstuvwxyz";
    $codeAlphabet.= "0123456789";
    $max = strlen($codeAlphabet); // edited

    for ($i=0; $i < $length; $i++) {
        $token .= $codeAlphabet[crypto_rand_secure(0, $max-1)];
    }

    return $token;
}

crypto_rand_secure($min, $max) works as a drop in replacement for rand() or mt_rand. It uses openssl_random_pseudo_bytes to help create a random number between $min and $max.

getToken($length) creates an alphabet to use within the token and then creates a string of length $length.

EDIT: I neglected to cite source - http://us1.php.net/manual/en/function.openssl-random-pseudo-bytes.php#104322

EDIT (PHP7): With the release of PHP7, the standard library now has two new functions that can replace/improve/simplify the crypto_rand_secure function above. random_bytes($length) and random_int($min, $max)

http://php.net/manual/en/function.random-bytes.php

http://php.net/manual/en/function.random-int.php

share|improve this answer
2  
Agreed. Plaintext password storage is awful! (I use blowfish.) But after the token is generated it allows the holder of the token to reset the password, so the token is password equivalent while it is valid (and is treated as such). – Scott May 8 '13 at 1:44
14  
Hey, I combined your excellent code with the convenient Kohana Text::random() method functionality and created this gist: gist.github.com/raveren/5555297 – Raveren May 10 '13 at 15:51
5  
Perfect! I tested it with 10 chars as length. 100000 tokens and still no duplicates! – Sharpless512 Feb 26 '14 at 8:13
2  
I used this process and found it super slow. With a length of 36 it timed out on the dev server. With a length of 24 it still took around 30 seconds. Not sure what I did wrong but it was too slow for me and I opted for another solution. – Shane Apr 17 '14 at 1:25
2  
You can also use base64_encode instead of bin2hex to get a shorter string with larger alphabet. – erjiang May 30 '14 at 13:57
up vote 58 down vote

Object-oriented version of the most up-voted solution

I've created an object-oriented solution based on Scott's answer:

<?php

namespace Utils;

/**
 * Class RandomStringGenerator
 * @package Utils
 *
 * Solution taken from here:
 * http://stackoverflow.com/a/13733588/1056679
 */
class RandomStringGenerator
{
    /** @var string */
    protected $alphabet;

    /** @var int */
    protected $alphabetLength;


    /**
     * @param string $alphabet
     */
    public function __construct($alphabet = '')
    {
        if ('' !== $alphabet) {
            $this->setAlphabet($alphabet);
        } else {
            $this->setAlphabet(
                  implode(range('a', 'z'))
                . implode(range('A', 'Z'))
                . implode(range(0, 9))
            );
        }
    }

    /**
     * @param string $alphabet
     */
    public function setAlphabet($alphabet)
    {
        $this->alphabet = $alphabet;
        $this->alphabetLength = strlen($alphabet);
    }

    /**
     * @param int $length
     * @return string
     */
    public function generate($length)
    {
        $token = '';

        for ($i = 0; $i < $length; $i++) {
            $randomKey = $this->getRandomInteger(0, $this->alphabetLength);
            $token .= $this->alphabet[$randomKey];
        }

        return $token;
    }

    /**
     * @param int $min
     * @param int $max
     * @return int
     */
    protected function getRandomInteger($min, $max)
    {
        $range = ($max - $min);

        if ($range < 0) {
            // Not so random...
            return $min;
        }

        $log = log($range, 2);

        // Length in bytes.
        $bytes = (int) ($log / 8) + 1;

        // Length in bits.
        $bits = (int) $log + 1;

        // Set all lower bits to 1.
        $filter = (int) (1 << $bits) - 1;

        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));

            // Discard irrelevant bits.
            $rnd = $rnd & $filter;

        } while ($rnd >= $range);

        return ($min + $rnd);
    }
}

Usage

<?php

use Utils\RandomStringGenerator;

// Create new instance of generator class.
$generator = new RandomStringGenerator;

// Set token length.
$tokenLength = 32;

// Call method to generate random string.
$token = $generator->generate($tokenLength);

Custom alphabet

You can use custom alphabet if required. Just pass a string with supported chars to the constructor or setter:

<?php

$customAlphabet = '0123456789ABCDEF';

// Set initial alphabet.
$generator = new RandomStringGenerator($customAlphabet);

// Change alphabet whenever needed.
$generator->setAlphabet($customAlphabet);

Here's the output samples

SRniGU2sRQb2K1ylXKnWwZr4HrtdRgrM
q1sRUjNq1K9rG905aneFzyD5IcqD4dlC
I0euIWffrURLKCCJZ5PQFcNUCto6cQfD
AKwPJMEM5ytgJyJyGqoD5FQwxv82YvMr
duoRF6gAawNOEQRICnOUNYmStWmOpEgS
sdHUkEn4565AJoTtkc8EqJ6cC4MLEHUx
eVywMdYXczuZmHaJ50nIVQjOidEVkVna
baJGt7cdLDbIxMctLsEBWgAw5BByP5V0
iqT0B2obq3oerbeXkDVLjZrrLheW4d8f
OUQYCny6tj2TYDlTuu1KsnUyaLkeObwa

I hope it will help someone. Cheers!

share|improve this answer
    
I'm sorry but how do I run this thing? I did $obj = new RandomStringGenerator; but which method should I called? Thank you. – sg552 Oct 1 '14 at 16:41
    
@sg552, you should call generate method as in example above. Just pass an integer to it to specify length of the resulting string. – Slava Fomin II Dec 2 '14 at 8:38
    
Thanks it works for me but Custom Alphabet didn't. I got empty output when I echo. Anyway I'm not even sure what's the use of 2nd example Custom Alphabet so I think I just stay with the first example. Thanks. – sg552 Dec 3 '14 at 21:24
    
Nice, but pretty overkill in most scenarios, unless your project heavily relies on randomly generated codes – mightyspaj May 8 '15 at 11:47
    
yes nice but overkill, especially considering it is pretty much deprecated now for php 5.7 – Andrew Mar 21 at 17:30
up vote 22 down vote

This function will generate a random key using numbers and letters:

function random_string($length) {
    $key = '';
    $keys = array_merge(range(0, 9), range('a', 'z'));

    for ($i = 0; $i < $length; $i++) {
        $key .= $keys[array_rand($keys)];
    }

    return $key;
}

echo random_string(50);

Example output:

zsd16xzv3jsytnp87tk7ygv73k8zmr0ekh6ly7mxaeyeh46oe8
share|improve this answer
2  
After a while you get to the same numbers – Sharpless512 Feb 25 '14 at 15:31
    
This isn't fully random because it will never have the same chacater more than once. – EricP Dec 19 '14 at 17:32
up vote 8 down vote

I use this one-liner:

base64_encode(openssl_random_pseudo_bytes(3 * ($length >> 2)));

where length is the length of the desired string (divisible by 4, otherwise it gets rounded down to the nearest number divisible by 4)

share|improve this answer
5  
It doesn't always return alphanumeric characters only. It can contain characters like == – Awal Garg Oct 26 '14 at 8:15
up vote 7 down vote
  1. Generate a random number using your favourite random-number generator
  2. Multiply and divide it to get a number matching the number of characters in your code alphabet
  3. Get the item at that index in your code alphabet.
  4. Repeat from 1) until you have the length you want

e.g (in pseudo code)

int myInt = random(0, numcharacters)
char[] codealphabet = 'ABCDEF12345'
char random = codealphabet[i]
repeat until long enough
share|improve this answer
up vote 4 down vote

Here is ultimate unique id generator for you. made by me.

<?php
$d=date ("d");
$m=date ("m");
$y=date ("Y");
$t=time();
$dmt=$d+$m+$y+$t;    
$ran= rand(0,10000000);
$dmtran= $dmt+$ran;
$un=  uniqid();
$dmtun = $dmt.$un;
$mdun = md5($dmtran.$un);
$sort=substr($mdun, 16); // if you want sort length code.

echo $mdun;
?>

you can echo any 'var' for your id as you like. but $mdun is better, you can replace md5 to sha1 for better code but that will be very long which may you dont need.

Thank you.

share|improve this answer
1  
In this case randomness is guaranteed by random written code, right? – Daniel Kucal Jan 16 at 14:27
1  
yeah, this is kind of "random" because it's non standard, obscure code. This makes it difficult to predict ... but not actually it uses insecure parts to generate a random number. so the result is technically not random or secure. – Philipp Jul 5 at 18:06
up vote 2 down vote

You can use UUID(Universally Unique Identifier), it can be used for any purpose, from user authentication string to payment transaction id.

A UUID is a 16-octet (128-bit) number. In its canonical form, a UUID is represented by 32 hexadecimal digits, displayed in five groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters (32 alphanumeric characters and four hyphens).

function generate_uuid() {
    return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),
        mt_rand( 0, 0xffff ),
        mt_rand( 0, 0x0C2f ) | 0x4000,
        mt_rand( 0, 0x3fff ) | 0x8000,
        mt_rand( 0, 0x2Aff ), mt_rand( 0, 0xffD3 ), mt_rand( 0, 0xff4B )
    );

}

//calling funtion

$transationID = generate_uuid();

some example outputs will be like:

E302D66D-87E3-4450-8CB6-17531895BF14
22D288BC-7289-442B-BEEA-286777D559F2
51B4DE29-3B71-4FD2-9E6C-071703E1FF31
3777C8C6-9FF5-4C78-AAA2-08A47F555E81
54B91C72-2CF4-4501-A6E9-02A60DCBAE4C
60F75C7C-1AE3-417B-82C8-14D456542CD7
8DE0168D-01D3-4502-9E59-10D665CEBCB2

hope it helps someone in future :)

share|improve this answer
up vote 1 down vote 
function random_string($length = 8) {
    $alphabets = range('A','Z');
    $numbers = range('0','9');
    $additional_characters = array('_','=');
    $final_array = array_merge($alphabets,$numbers,$additional_characters);
       while($length--) {
      $key = array_rand($final_array);

      $password .= $final_array[$key];
                        }
  if (preg_match('/[A-Za-z]/', $password) && preg_match('/[0-9]/', $password))
    {
     return $password;
    }else{
    return  random_string();
    }

 }
share|improve this answer
up vote 0 down vote

Scott, yes you are very write and good solution! Thanks.

I am also required to generate unique API token for my each user. Following is my approach, i used user information (Userid and Username):

public function generateUniqueToken($userid, $username){

        $rand = mt_rand(100,999);
    $md5 = md5($userid.'!(&^ 532567_465 ///'.$username);

    $md53 = substr($md5,0,3);
    $md5_remaining = substr($md5,3);

    $md5 = $md53. $rand. $userid. $md5_remaining;

    return $md5;
}

Please have a look and let me know if any improvement i can do. Thanks

share|improve this answer
up vote 0 down vote

after reading previous examples I came up with this:

protected static $nonce_length = 32;

public static function getNonce()
{
    $chars = array();
    for ($i = 0; $i < 10; $i++)
        $chars = array_merge($chars, range(0, 9), range('A', 'Z'));
    shuffle($chars);
    $start = mt_rand(0, count($chars) - self::$nonce_length);
    return substr(join('', $chars), $start, self::$nonce_length);
}

I duplicate 10 times the array[0-9,A-Z] and shuffle the elements, after I get a random start point for substr() to be more 'creative' :) you can add [a-z] and other elements to array, duplicate more or less, be more creative than me

share|improve this answer
up vote 0 down vote 
function random($length)
{
    $bytes = openssl_random_pseudo_bytes($length * 2);
    return substr(str_replace(array('/', '+', '='), '', base64_encode($bytes)), 0, $length);
}
share|improve this answer
1  
+1 for using a CSPRNG, -1 for not guaranteeing the output length will be equal to $length. In edge cases, (i.e. a string full of / and +) it can fail. I would put it in a loop. :) – Scott Arciszewski Aug 13 '15 at 15:42
up vote 0 down vote

I like to use hash keys when dealing verification links. I would recommend using the microtime and hashing that using MD5 since there should be no reason why the keys should be the same since it hashes based off of the microtime.

  1. $key = md5(rand());
  2. $key = md5(microtime());
share|improve this answer
up vote 0 down vote

You can use this code, I hope it will be helpful for you.

function rand_code($len)
{
 $min_lenght= 0;
 $max_lenght = 100;
 $bigL = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 $smallL = "abcdefghijklmnopqrstuvwxyz";
 $number = "0123456789";
 $bigB = str_shuffle($bigL);
 $smallS = str_shuffle($smallL);
 $numberS = str_shuffle($number);
 $subA = substr($bigB,0,5);
 $subB = substr($bigB,6,5);
 $subC = substr($bigB,10,5);
 $subD = substr($smallS,0,5);
 $subE = substr($smallS,6,5);
 $subF = substr($smallS,10,5);
 $subG = substr($numberS,0,5);
 $subH = substr($numberS,6,5);
 $subI = substr($numberS,10,5);
 $RandCode1 = str_shuffle($subA.$subD.$subB.$subF.$subC.$subE);
 $RandCode2 = str_shuffle($RandCode1);
 $RandCode = $RandCode1.$RandCode2;
 if ($len>$min_lenght && $len<$max_lenght)
 {
 $CodeEX = substr($RandCode,0,$len);
 }
 else
 {
 $CodeEX = $RandCode;
 }
 return $CodeEX;
}

Details about Random code generator in PHP

share|improve this answer
up vote 0 down vote

Simplifying Scotts code above by removing unnecessary loops which is slowing down badly and does not make it any more secure than calling openssl_random_pseudo_bytes just once

function crypto_rand_secure($min, $max)
{
 $range = $max - $min;
 if ($range < 1) return $min; // not so random...
 $log = ceil(log($range, 2));
 $bytes = (int) ($log / 8) + 1; // length in bytes
 $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
 return $min + $rnd%$range;
}

function getToken($length)
{
 return bin2hex(openssl_random_pseudo_bytes($length)
}
share|improve this answer
    
Unfortunately, I cannot agree with you that this is an appropriate simplification of the crypto_rand_secure function. The loop is necessary to avoid modulo bias that occurs when you take the result of a randomly generated number and then mod it by a number that does divide the range. en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bi‌​as. By using a loop to throw out any numbers outside the range and selecting a new number, it avoids this bias. stackoverflow.com/questions/10984974/… – Scott Jun 2 at 12:44
    
@Scott, that post is about rand(). However in this case, it's already taken care by openssl_random_pseudo_bytes so loop in unnecessary. – Yusuf Jun 2 at 13:53
    
gist.github.com/anonymous/87e3ae6fd3320447f46b973e75c2ea85 - Please run this script. You will see that the distribution of the results are not random. Numbers between 0-55 have a higher occurrence than numbers between 56-100. openssl is not causing this, it is because of modulo bias in your return statement. 100(range) does not divide 255(1 byte) evenly and causes these results. My biggest issue with your answer is that you state that the function is as secure as using a loop, which is false. Your implementation of crypto_rand_secure is not cryptographically secure and is misleading. – Scott Jun 2 at 15:08
    
@Scott, we are digressing here, it's not about last return statement, it can also be progressively calculated from the return value of openssl_random_pseudo_bytes without using modulo. The point I am making is that the loop is unnecessary once openssl_random_pseudo_bytes returns the random bytes. By making loop, you are not making it more secure, just making it slow. – Yusuf Jun 2 at 16:13
    
This answer propagates bad information. You are correct that the loop does not make openssl more secure, but more importantly it is not making it less secure, this answer does. The code above takes a perfectly good random number and mangles it by biasing it towards lower numbers. If you put a disclaimer on your answer stating that it is faster(by removing the loop) but it is not a CSPRNG it would resolve this issue. Please, for the love of crypto, let users know that the output of this function could be biased and is not an equivalent solution. The loop is not just there to annoy you. – Scott Jun 2 at 17:44
up vote 0 down vote

I use 

sha1(time() . $user->id)

result example:

f9a017798630e2e7f9b937559baa95d7e448a098

share|improve this answer
up vote -1 down vote

I believe the problem with all the existing ideas is that they are probably unique, but not definitely unique (as pointed out in Dariusz Walczak's reply to loletech). I have a solution that actually is unique. It requires that your script have some sort of memory. For me this is a SQL database. You could also simply write to a file somewhere. There are two implementations:

First method: have TWO fields rather than 1 that provide uniqueness. The first field is an ID number that is not random but is unique (The first ID is 1, the second 2...). If you are using SQL, just define the ID field with the AUTO_INCREMENT property. The second field is not unique but is random. This can be generated with any of the other techniques people have already mentioned. Scott's idea was good, but md5 is convenient and probably good enough for most purposes:

$random_token = md5($_SERVER['HTTP_USER_AGENT'] . time());

Second method: Basically the same idea, but initially pick a maximum number of strings that will ever be generated. This could just be a really big number like a trillion. Then do the same thing, generate an ID, but zero pad it so that all IDs are the same number of digits. Then just concatenate the ID with the random string. It will be random enough for most purposes, but the ID section will ensure that it is also unique.

share|improve this answer
up vote -1 down vote

Here is what I use:

md5(time() . rand());    
// Creates something like 0c947c3b1047334f5bb8a3b7adc1d97b
share|improve this answer
up vote -1 down vote

Here is what I'm using on one of my projects, it's working great and it generates a UNIQUE RANDOM TOKEN:

$timestampz=time();

function generateRandomString($length = 60) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}


$tokenparta = generateRandomString();


$token = $timestampz*3 . $tokenparta;

echo $token;

Please note that I multiplied the timestamp by three to create a confusion for whoever user might be wondering how this token is generated ;)

I hope it helps :)

share|improve this answer

protected by Community Jun 27 '13 at 0:32

Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).

Would you like to answer one of these unanswered questions instead?

Not the answer you're looking for? Browse other questions tagged or ask your own question.