How can I create random key php mysql?

Question

I need create random key store in MySQL If I use:

<?php echo md5(rand(10000,99999)); ?>

Where can I store it

<?php
require 'config.inc.php';

foreach($_POST as $k=>$v) 
{
    $_POST[$k] = trim($v);
}

if(!isset($_POST['produgg_username']) or !isset($_POST['produgg_password']) or !isset($_POST['produgg_email']))
{
    print "Please use all fields";
}elseif(empty($_POST['produgg_username'])){
    print "Please choose a username";
}elseif(empty($_POST['produgg_password'])){
    print "Please choose a password";
}elseif(empty($_POST['produgg_email'])){
    print "Please enter an email address";
}elseif(!filter_var($_POST['produgg_email'], FILTER_VALIDATE_EMAIL)) {    
    print "Please enter a valid email address";
}elseif(!preg_match("/^[a-z0-9]+$/i", $_POST['produgg_username'])) {
    print "Please use only characters and numbers for username";
}elseif($usersClass->checkUserExists($_POST['produgg_username'])) {
    print "Username Taken, please choose another";
}else{
    if($usersClass->register($_POST['produgg_username'], md5($_POST['produgg_password']), $_POST['produgg_email']))
    {
        print "success";
        $toemail = $_POST['produgg_email'];
        $touser = $_POST['produgg_username'];
        // Send activation email 
         $to = $toemail;
         $subject = "Activation";
         $headers = "From: support@friendr.co.uk";
         $body = "Howdy $touser! 

         To activate your please click on the following link - http://www..co.uk/activateuser.php?email=$toemail";

        mail($to, $subject, $body, $headers);

    }else{
        print "Something weird happened and we couldn't setup the account!";
    }
}

?>

Show us the function `register()` of the class of the object `$userClass`? Also, `md5(rand(10000,99999));` will generate a random id, but it won't guarantee uniqueness. If you need it to be unique, you need to add another variable to it, maybe `time()`. — Shef, Jun 24 '11 at 08:50

score 3 · Answer 1 · edited May 23 '17 at 12:04

First, it seems that you are using plain md5() to store user passwords... DO NOT DO THAT, IT IS A SECURITY RISK. You are putting your users and yourself at risk. Use key strengthening with a stronger hash algorithm or bcrypt. See this answer for more information.

It seems that you are actually trying to generate a nonce for email activation.

If anything, a Universally Unique IDentifier (UUID) will do the job. It has a very low change of collision and allows for 3 × 10³⁸ unique values (once a value is used, you can reuse it for another user anyway for your use case).

You can use this function I wrote to generate UUIDs in PHP. What you want for your needs is a v4 UUID.

function UUIDv4() {
  $bytes = str_split(crypto_random_bytes(16));

  // Set UUID Version Number
  $bytes[6] = $bytes[6] & "\x0f" | "\x40";

  // Set UUID DCE1.1 varient
  $bytes[8] = $bytes[8] & "\x3f" | "\x80";

  $uuid = bin2hex(implode($bytes));

  return sprintf('%08s-%04s-%04s-%04s-%12s',
    // 32 bits for "time_low"
    substr($uuid, 0, 8),

    // 16 bits for "time_mid"
    substr($uuid, 8, 4),

    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    substr($uuid, 12, 4),

    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    substr($uuid, 16, 4),

    // 48 bits for "node"
    substr($uuid, 20, 12)
  ); 
}

function crypto_random_bytes($count) {
  static $randomState = null;

  $bytes = '';

  if(function_exists('openssl_random_pseudo_bytes') &&
      (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')) { // OpenSSL slow on Win
    $bytes = openssl_random_pseudo_bytes($count);
  }

  if($bytes === '' && is_readable('/dev/urandom') &&
     ($hRand = @fopen('/dev/urandom', 'rb')) !== FALSE) {
    $bytes = fread($hRand, $count);
    fclose($hRand);
  }

  if(strlen($bytes) < $count) {
    $bytes = '';

    if($randomState === null) {
      $randomState = microtime();
      if(function_exists('getmypid')) {
        $randomState .= getmypid();
      }
    }

    for($i = 0; $i < $count; $i += 16) {
      $randomState = md5(microtime() . $randomState);

      if (PHP_VERSION >= '5') {
        $bytes .= md5($randomState, true);
      } else {
        $bytes .= pack('H*', md5($randomState));
      }
    }

    $bytes = substr($bytes, 0, $count);
  }

  return $bytes;
}

+1 but there is a problem with your class: it's using mt_rand(). You'd more ideally want a cryptographically secure random source such as openssl_random_pseudo_bytes() if available, /dev/urandom, or COM. — Denis de Bernardy, Jun 24 '11 at 09:04
@Denis: UUIDs don't need to be cryptographically secure. You are generating a `nonce`, not an private/public key used to keep something secure. `mt_rand()` provides sufficient entropy for our needs here. — Andrew Moore, Jun 24 '11 at 09:06
@Andrew-Moore I disagree - if the UUID is not cryptographically secure, and someone knows your algorithm, and has at least one UUID they can guess future UUIDs. A nonce needs to be unguessable. — Ariel, Jun 24 '11 at 09:12
@Ariel: Then I shall refer you to [RFC 4122](http://tools.ietf.org/html/rfc4122) which clearly states that UUIDs are not meant to be secure. — Andrew Moore, Jun 24 '11 at 09:14
http://rad-dev.org/lithium/source/util/String.php (UUID with /dev/urandom) — Denis de Bernardy, Jun 24 '11 at 09:15
@Andrew: perhaps not meant to be, but we'd still be using v1 uuids if they weren't expected to be. :-) Plus, in as far as I've understood things, the collision rate increases if the random number generator isn't strong. — Denis de Bernardy, Jun 24 '11 at 09:16
@Denis: I've rewrote my function to use a proper random generator. — Andrew Moore, Jun 24 '11 at 09:35

score 0 · Answer 2 · answered Jun 24 '11 at 08:53

0

Use the uniqid() function instead of doing it with the md5. Make sure to set more_entropy to true.

i.e.

uniqid('prefix', true);

Change 'prefix' to something appropriate for your application.

answered Jun 24 '11 at 08:53

Ariel

25,995
5
59
69

How can I create random key php mysql?

2 Answers2