1

I am trying to create a token as a unique user referral, so I used md5 to generate it. However, I heard that there is a possibility of duplication. So I tried to check the token before inserting it into the database every time a token is generated, in the following way.

  1. Select token_column from table where token_column != generated_token.
  2. If generated_token exists, generate a new one and check the table again.
  3. If generated_token does not exist, insert it into the database.

Controller

```php
private function generateToken(){
    $token = strtoupper(md5(rand()));

    $sql = 'SELECT id, token FROM UserReferral WHERE token != '.$token;

    $is_exist = $this->Database_model->readOneQuery($sql);

    if(!empty($is_exist)){
        // Insert data into database
    } else {
        $token = strtoupper(md5(rand()));
        // check database again to see if the token already exists
    }
}
```

Model

```php
function readOneQuery($sql){
    $r = $this->db->query($sql)->row_array();
    return !empty($r) ? $r : false;
}
```

If I do it this way, the checking seems to be never-ending. Is there any better way I can use to do the data checking?

Funk Forty Niner
Emerald
  • This question is missing your code approach. [ask] / [mcve] – Pinke Helga Jan 15 '19 at 04:03
  • Honestly, I still don't understand why my question has been marked as a duplicate when my question is totally different from the post that has been appointed. I was asking how to make sure that there is no duplicate data in the database every time a new token is generated. Not how to use the double quote when inserting into the database. – Emerald Jan 18 '19 at 07:37
  • The answer to the question linked as duplicate might not finally solve your issue, however, md5 is a string and thus has to be surrounded by quotes. Since there is no client data involved here, you can safely do it without prepared statements in this case. – Pinke Helga Jan 18 '19 at 10:13
  • There is no difference whether an `INSERT ... VALUES` clause or a `WHERE` clause is used. Strings are strings and are quoted wherever they occur in SQL. – Pinke Helga Jan 18 '19 at 10:27
  • `"SELECT id, token FROM UserReferral WHERE token != '$token'";` Please ask me to vote for reopen if this does not solve your issue yet. In that case edit the question adding the quotes and describe the observed behaviour more verbose adding error logs etc. Write a comment containing `@Quasimodo'sclone` to notify me. Or even better you can open a new question with the corrected version of your code. – Pinke Helga Jan 18 '19 at 10:32
  • @Quasimodo'sclone I know the thing about the query to select data from the table to see if there is existing data. What I am asking is, I want to keep re-generating a token, match it against the values in the database, and redo the step if there is existing data in the database. If, let's say, the token exists in the database every time a new token is generated, the step of selecting and returning a value will be an infinite loop. So how to avoid the infinite loop? – Emerald Jan 18 '19 at 12:58
  • Did you use `"SELECT id, token FROM UserReferral WHERE token != '$token'";` now? Without the extra quotes the statement will fail. – Pinke Helga Jan 18 '19 at 13:02
  • Yes, true. So if there is the same value in the table, I will generate a new token and check the database again. If after the check there is still the same value, it will keep jumping back to the 1st step, which is generating a new token and checking the database until there is no same value. – Emerald Jan 18 '19 at 13:13
  • That is how I planned to do it. But it seems like there is no way to keep the loop when every generated token exists in the database. So basically, I need to find a way to generate a key that is 100% guaranteed unique to avoid the impossible loop. – Emerald Jan 18 '19 at 13:21

1 Answer

-1

MD5 is old and not secure: https://security.stackexchange.com/questions/19906/is-md5-considered-insecure

Please consider moving to something more secure like SHA or even better, password_hash: http://php.net/manual/en/function.password-hash.php

gudok
Damian Dziaduch
  • Yes I know it, but I'm not using the md5 to hash the password. I just want to generate a random key for user referral. Something like when they invite their friend to signup the website, so I will use that referral as a token. – Emerald Jan 15 '19 at 04:17
  • This is not facing the question and should be posted as an improvement suggestion in the comments. – Pinke Helga Jan 18 '19 at 10:08
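
An added example, not part of the original question or answer and not the poster's code: one way to avoid the select-then-insert loop is to put a UNIQUE constraint on the token column, insert a token drawn from `random_bytes()`, and retry a bounded number of times only when the database reports a duplicate. The PDO/SQLite setup, the `user_id` column and the `createReferralToken` helper are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite standing in for the real one.
// The UNIQUE constraint, not a prior SELECT, is what rules out duplicates,
// including two requests that generate the same token at the same moment.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE UserReferral (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    token   TEXT    NOT NULL UNIQUE
)');

// Hypothetical helper: insert a referral row with a fresh random token.
// $makeToken is injectable so the collision path can be exercised below.
function createReferralToken(PDO $pdo, int $userId, ?callable $makeToken = null, int $maxAttempts = 5): string
{
    // 16 bytes from the OS CSPRNG = 128 bits of randomness; md5(rand()) can
    // only ever produce getrandmax() + 1 distinct tokens.
    $makeToken = $makeToken ?? fn(): string => strtoupper(bin2hex(random_bytes(16)));
    // Bound parameters: the token is never concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO UserReferral (user_id, token) VALUES (:uid, :token)');

    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        $token = $makeToken();
        try {
            $stmt->execute([':uid' => $userId, ':token' => $token]);
            return $token;                 // insert succeeded, so the token is unique
        } catch (PDOException $e) {
            // SQLSTATE class 23 = integrity constraint violation (duplicate token).
            if (substr((string) $e->getCode(), 0, 2) !== '23') {
                throw $e;                  // unrelated database error: do not retry
            }
        }
    }
    throw new RuntimeException("No unique token after $maxAttempts attempts");
}

// Normal use: one INSERT, no SELECT, no open-ended loop.
echo createReferralToken($pdo, 1), PHP_EOL;

// Constructed collision: the first candidate is already taken, the second is new.
$pdo->exec("INSERT INTO UserReferral (user_id, token) VALUES (2, 'TAKEN')");
$queue = ['TAKEN', 'FRESH'];
echo createReferralToken($pdo, 3, function () use (&$queue): string {
    return array_shift($queue);
}), PHP_EOL;
```

The attempt cap turns a broken generator into an exception instead of an endless loop; with 128-bit random tokens a retry is not expected to happen in practice.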