I generate an unique security code with this every time user login:
$code = substr(str_shuffle(str_repeat("0123456789", 4)), 0, 4);
it seems works but sometimes it generate 3 number instead of 4. also this problem occurred with rand() in past, then i decide to use str_shuffle + str_repeat.
also i insert this code in db with integer data type and length is 6.
what did i wrong or missed?
or is it a bug?
While I can't immediately say why your code sometimes returns only 3 digits, I find myself wondering why you don't create this 4-digit (call it a PIN?) code through the more numerically appropriate rand? For example, since you are going for a 4-digit PIN (between 0000 and 9999), I might write it like:
$code = rand(0, 9999);
$code = substr("000$code", -4);
That is much clearer as to its purpose (generate a random number, guarantee it's 4 digits), and less esoteric than str_repeat/str_shuffle.
EDIT (after learning $code is inserted into an integer DB field)
Why is your random string of 4 digits sometimes turning into 3 digits? Because you are inserting the value into an integer column. Either the DB or the DB Driver will attempt the moral equivalent of:
$code_to_insert = (int)$code;
at which point, if the number is less than 1000, you would get three digits.
Further, if you run your code enough times as it currently stands, you should get PIN lengths of 2 and 1 as well:
0 - 9 = ( 10 / 10000) -> 0.1% of the time
10 - 99 = ( 90 / 10000) -> 0.9% of the time
100 - 999 = ( 900 / 10000) -> 9.0% of the time
1000 - 9999 = (9000 / 10000) -> 90.0% of the time
A possible fix, given the current setup of your code and DB, might be to ensure the PIN length when you pull it out of the DB. You could use the same trick as above:
$sql = "SELECT code FROM ...";
...
$code = $row['code'];
$code = substr("000$code", -4);
Since you're storing the result in an integer field, it's not being stored as separate digits, just as a number. So it doesn't know anything about leading zeroes.
When you later retrieve the value, you can convert it to a string with leading zeroes using the str_pad function:
$code = str_pad($num, 4, '0', STR_PAD_LEFT);
The other option would be to change the datatype in the database to CHAR(4) instead of INT.
Try this:
$code = str_pad($num, 4, '0', STR_PAD_LEFT);
Related
I want to create user accounts with a public_id which is always a unique, integer random (not incremental) value.
I can use loops to check if the random integer is unique, but that doesn't seem like a really nice solution.
I found some alphabetic-numeric generators, and I guess I could convert them to integers using some string to integer converter, but are there an integer -specific ways?
I also worry about possible collisions, but it looks like the chance will be always there in a long run.(?)
You can either use one of native php functions like mt_rand or use more reliably way - generating integer based on microtime function.
To ensure that the value is unique you need to add a unique index on a column in DB and write 'ON DUPLICATE UPDATE' to insert/update queries which will add some digits to the value if it is not unique
There are 2 possible solutions:
1) If your "long run" is really really long - it means this is
possible, that you are out of PHP_INT_MAX and there is no
only-integer-specific way.
2) If you are not out of PHP_INT_MAX - then you need some storage for
checking the ids.
In case of 1 you can use library hashids. To avoid collisions - you'll need some incremental counter on input. Then you can convert strings by each letter back to integer.
In case of 2 - you can use some in-memory database like redis for performance.
Using timeStamp will really do a great job since it uses time to generate it random numbers .you can also concatenate the below function with other random generated numbers.
function passkey($format = 'u', $utimestamp = null){
if (is_null($utimestamp)) {
$utimestamp = microtime(true);
}
$timestamp = floor($utimestamp);
$milliseconds = round(($utimestamp - $timestamp) * 1000000);
return date(preg_replace('`(?<!\\\\)u`', $milliseconds, $format),$timestamp);
}
echo passkey(); // 728362
You can use a linear congruential generator with a large period.
Here is one that generates unique integers which always have 6 digits. It will not generate duplicates until it has generated all numbers between 100000 and 996722, which gives you almost 900 000 different numbers.
The condition is that you can provide the function the number it last generated. So if you store the number in the database, you have to somehow retrieve the last assigned one, so you can feed it to this function:
function random_id($prev) {
return 100000 + (($prev-100000)*97 + 356563) % 896723;
}
$prev = 100000; // must be a 6 digit number: the initial seed.
// Generate the first 10 pseudo-random integers.
for ($i = 0; $i < 10; $i++) {
$prev = random_id($prev);
echo $prev . "\n";
}
The above generation of the first 10 numbers yields:
456563
967700
331501
494085
123719
963860
855744
232445
749606
697735
You can do this for other ranges by following the rules in the referenced article on getting a full period in linear congruential generators. Concretely, if you want to generate numbers with n digits, where the first digit cannot be zero (so between 10n-1 and 10n-1), then I find it easiest to find a large prime just below 9⋅10n-1 to serve as the last number of the formula. The other two numbers can then be any positive integer, but better keep the first one small to avoid overflow.
However, PHP integers are limited to PHP_INT_MAX (typically 2147483647), so for numbers with 10 or more digits you will need to use floating point operators. The % operator should not be used then. Use fmod instead.
For example, to generate numbers with 12 digits, you could use this formula:
function random_id($prev) {
return 100000000000 + fmod((($prev-100000000000)*97 + 344980016453), 899999999981);
}
$prev = 100000000000; // must be a 12 digit number: the initial seed.
// Generate the first 10 pseudo-random integers.
for ($i = 0; $i < 10; $i++) {
$prev = random_id($prev);
echo $prev . "\n";
}
I am working in php and I am trying to create 1000 tickets in a database. Each ticket needs it's own unique code that consists of letters and numbers about 6 characters long.
EXP.
Tbl_Tickets
ID code
1 3F2jk7
2 2HGUF1
3 9FJDNJ
4 MFJEY9
5 23988D
I was wondering is there a simple way of doing this with php, or excel, or any other way for that matter. I know that i can use a random number generator, but the check for the Unique would have a large BigO notation and the check would get messy.
Unique is not compatible with random, but the following might suit:
=CHOOSE(RANDBETWEEN(1,2),RANDBETWEEN(0,9),CHAR(RANDBETWEEN(65,90)))
copied across to populate six columns (say A to F) with, in G:
=A1&B1&C1&D1&E1&F1
and both copied down to say row 1100. Then select G, copy Paste Special Values, and Remove Duplicates on ColumnG and select first 1000 entries.
You could easily create an array of strings in php and write it to a database:
function generateRandomString($length = 6, $letters = '1234567890QWERTYUIOPASDFGHJKLZXCVBNM'){
$s = '';
$lettersLength = strlen($letters)-1;
for($i = 0 ; $i < $length ; $i++){
$s .= $letters[rand(0,$lettersLength)];
}
return $s;
}
// Create an array with random strings
for ($i=0; $i<1000; $i++){
$ticket_numbers = array();
$ticket_number = generateRandomString();
while (in_array($ticket_number,$ticket_numbers))
$ticket_number = generateRandomString();
$ticket_numbers[] = $ticket_number;
}
// Write the array to a database
$con = mysqli_connect("myhost","myuser","mypassw","mybd") or die("Error");
foreach ($ticket_numbers as $number){
mysqli_query($con,"Your insert query using the value $number");
}
mysqli_close($con);
This should help you in the right direction though there are probably better ways to do this.
The function generateRandomString() was taken from How to generate random numbers/letters with PHP/Javascript
And another option. Encryption is guaranteed to be unique, so encrypting the numbers 0, 1, 2, ... will give you guaranteed unique random-seeming output. Six characters is 30 bits using Base32, or 36 bits using Base64. You will need a 30 (or 36 bit) cypher. Unless you have a library that includes Hasty Pudding cypher (unlikely) then just implement a simple four round Feistel cypher with the appropriate block size. It will not be completely secure, but it will be enough to defeat casual attacks.
This will produce random strings in column B with no repeats from B1 thru B1001
Sub Lottery()
Dim i As Long, j As Long, c As Collection
Set c = New Collection
v = Split("0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z", ",")
For i = 1 To 5000
can = ""
For j = 1 To 6
can = can & v(Application.RandBetween(0, 35))
Next j
On Error Resume Next
c.Add can, CStr(can)
On Error GoTo 0
If c.Count = 1000 Then Exit For
Next i
For i = 1 To 1000
Cells(i + 1, 2).Value = c(i)
Next i
End Sub
I wonder if there is a way in PHP to generate a unique alphanumeric(case sensitive) tokens that can be unique forever without any collision. If we derive them from the time stamp string which is 10 characters like: 1394452319, that might be possible but I am not sure if we can make the token short up to 4 characters? If not possible then 5, 6, 7 and max is 8 characters. Because I want to generate short tokens to be readable by users.
Tokens should look like: 1aYc, ZoXq, 3iU9, etc.
I don't want to show the users any sequence.
One more thing, my application will be used by more than one user, so in case two users clicked at same time to generate the token, will the PHP application generate the same token (I assume we use the timestamp to generate the token)? How can we prevent from this problem?
Thank you for your help!
this is the another function that you can use also
<?php
function generateRandomString($length = 8) {
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $characters[rand(0, strlen($characters) - 1)];
}
return $randomString;
}
echo generateRandomString();
?>
One approach is to have an incremental (i.e. auto_update) id that you keep hidden internally. From that, you generate a hash, representing the id to hide the sequence. The incremented id gets rid of collision problems (i.e. MySQL has an integrated solution for this).
The trick you need to use now is a random hash table consinsting of two columns, both having the values n to m but with the second column being randomized. i.e.
col1 | col2
1 | 2
2 | 4
3 | 5
4 | 1
5 | 3
if you have the randomly sorted number for your incremented number, it is easy to create a hash from that. Just think about your possible chars as numbers. You get it righgt?
Assuming you have a good algorithm for random numbers, you can make a pretty good hash table. However, there also is a way to find an algorithm, providing you with the numbers as they increase. So in this example it would give you col2 = fn(col1) so i.e. 4 = fn(2).
All you have to do is take the result and re-enginer it into a formular :D
Otherwise you have to fill the table initially.
To give you a glimpse insight into the math of it, think of a function that uses odd/even characteristics of the number and combines it with addition.
With n digits using a range of 62 possibilitys (case sensitive letters and numbers) per char you have 62^n possibilities.
For 4 digits that makes 14776336 possibilities (62^4).
Thou that might sound just wonderfull, you can imagine that having a table, prefilled with 14776336 id's is not the cleanest solution.
Still, i hope this at least leads into the right direction.
EDIT:
We started a discussion on math.stackexchange.com. IT has some additional information on how to create a function for our needs.
You can use something like following
<?php
// chars
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!##$%^&*()-+';
// convert to array
$arr = str_split($chars, 1);
// shuffle the array
shuffle($arr);
// array to chars with 8 chars
echo substr(implode('', $arr), 0, 8);
?>
You can use this function :
// RETRUN 24 digit of UNIX ID :
public function getComplexIDTicket(){ // duplicate method on Rest.php
$arrAZ1 = range('A','Z');
$arrAZ2 = range('A','Z');
$arrAZ3 = range('A','Z');
$arrs1 = range('A','Z');
$arrs2 = range('A','Z');
$arrs3 = range('A','Z');
$a1 = $arrAZ1[rand(0,25)];
$a2 = $arrAZ2[rand(0,25)];
$a3 = $arrAZ3[rand(0,25)];
$s1 = $arrs1[rand(0,25)];
$s2 = $arrs2[rand(0,25)];
$s3 = $arrs3[rand(0,25)];
$s = $s1.$s2.$s3;
$t = microtime(true);
$micro = sprintf("%07d",($t - floor($t)) * 10000000);
$id = date('ymdHis').strtoupper(dechex(substr($micro,0,7)));
$id = str_pad($id, 24, $a3.$a2.$a1.$s, STR_PAD_RIGHT);
// 151106214010 3DDBF0 L D C SM4
return $id;
}
given a script that generates a string of 12 characters randomly generated, how many possibilities there are for two string to be equal?
function rand_string( $length ) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$size = strlen( $chars );
for( $i = 0; $i < $length; $i++ ) {
$str .= $chars[ rand( 0, $size - 1 ) ];
}
return $str;
}
Assuming, A-Za-z0-9, there are 62 possible character values. Therefore, there are 62^12 (to-the-power-of) possible strings. That's roughly 3x10^21 (3 with 21 zeros).
Assuming a perfect random number generator, that's a 1 in 3x10^21 chance that any two particular strings will be equal.
Given that code and a length of 12, there are 6212 possible values. So (assuming a perfectly uniform random number generator, which rand() probably isn't) the chances are 1 in 3226266762397899821056 that a single call to that function will return any arbitrary 12-character string.
OTOH, if you are calling the function repeatedly and want to know how long until you are likely to get a repeat of any previously returned value, you would have to call it about 6.7e+10 times to have a 50% chance of a collision (again, assuming a uniform random number generator). You can get a reasonable approximation of the number of calls required for any collision probability p between 0 and 1 by calculating sqrt(-ln(1 - p) * 2 * 6212).
This falls under the Birth Paradox (how many people do you need in a room to have a 50% chance of two or more people having the same birthday).
Your 12-long 62-char strings come out to be about 72 bits. With the approximate detailed here, you can expect to generate about SQRT((pi / 2) * 62^12)) = 7.112x10^10 strings before getting a collision. So about 1 in 70 billion.
It need not be meaningful words - more like random password generation, but the catch is - they should be unique. I will be using this for some kind of package / product code. Which is the best method available? :)
It is generally not possible to generate sequences with both unique and random elements: obviously to be unique the algorithm has to take into account the previously generated elements in the sequence, so the next ones will not really be random.
Therefore your best bet would be to detect collisions and just retry (which could be very expensive in your particular case).
If you are constrained to just 7 chars, there's not much you can do above:
$allowed_chars = 'abcdefghijklmnopqrstuvwxz';
$allowed_count = strlen($allowed_chars);
$password = null;
$password_length = 7;
while($password === null || already_exists($password)) {
$password = '';
for($i = 0; $i < $password_length; ++$i) {
$password .= $allowed_chars{mt_rand(0, $allowed_count - 1)};
}
}
This should eventually give you a new password.
However, in similar cases I have encountered I usually pick a larger password size which also happens to be the size of the hex representation of a popular hash function (e.g. md5). Then you can make it easier on yourself and less error prone:
$password = time(); // even better if you have some other "random" input to use here
do {
$password = md5(time().$password);
}
while (already_exists($password));
This also has the added advantage that the sequence space is larger, hence there will be less collisions. You can pick the size of the hash function according to the expected numbers of passwords you will generate in the future to "guarantee" a low collision probability and thus less calls to the possibly expensive already_exists function.
Here's a way you could do it without hashes or loops:
$password = sprintf(
"%04s%03s",
base_convert(mt_rand(0, pow(36, 4) - 1), 10, 36),
base_convert(mt_rand(0, pow(36, 3) - 1), 10, 36)
);
As a few others have mentioned, ensuring uniqueness is more complicated, and should be unneeded. The simplest way you could do it would be to add extra characters at the end, incrementing with each password generated.
Here is something that looks random and should be unique and have 7 chars for the times to come:
echo base_convert(intval(microtime(true) * 10000), 10, 36);
Or for a little more randomness and less uniqueness (between 1000 and 10000 per second):
echo base_convert(mt_rand(1, 9) . intval(microtime(true) * 1000), 10, 36);
Or (uniqueness between 100 and 10000 per second) - this is probably the best option:
echo base_convert(mt_rand(10, 99) . intval(microtime(true) * 100), 10, 36);
Or (uniqueness between 10 and 10000 per second):
echo base_convert(mt_rand(100, 999) . intval(microtime(true) * 10), 10, 36);
You get the idea.
A random alphanumeric (base 36 = 0..9 + a..z) value that has 7 chars has to have a base 10 representation between 2176782336 and 78364164095, the following snippet proves it:
var_dump(base_convert('1000000', 36, 10)); // 2176782336
var_dump(base_convert('zzzzzzz', 36, 10)); // 78364164095
In order for it to be unique we have to rely on a non-repeating factor, the obvious choice is time():
var_dump(time()); // 1273508728
var_dump(microtime(true)); // 1273508728.2883
If we only wanted to ensure a minimum uniqueness factor of 1 unique code per second we could do:
var_dump(base_convert(time() * 2, 10, 36)); // 164ff8w
var_dump(base_convert(time() * 2 + 1, 10, 36)); // 164ff8x
var_dump(base_convert(time() * 2 + 2, 10, 36)); // 164ff8y
var_dump(base_convert(time() * 2 + 3, 10, 36)); // 164ff8z
You'll notice that these codes aren't random, you'll also notice that time() (1273508728) is less than 2176782336 (the minimum base 10 representation of a 7 char code), that's why I do time() * 2.
Now lets do some date math in order to add randomness and increase the uniqueness factor while complying with the integer limitations of older versions of PHP (< 5.0?):
var_dump(1 * 60 * 60); // 3600
var_dump(1 * 60 * 60 * 24); // 86400
var_dump(1 * 60 * 60 * 24 * 366); // 31622400
var_dump(1 * 60 * 60 * 24 * 366 * 10); // 316224000
var_dump(1 * 60 * 60 * 24 * 366 * 20); // 632448000
var_dump(1 * 60 * 60 * 24 * 366 * 30); // 948672000
var_dump(1 * 60 * 60 * 24 * 366 * 31); // 980294400
var_dump(PHP_INT_MAX); // 2147483647
Regarding PHP_INT_MAX I'm not sure what exactly changed in recent versions of PHP because the following clearly works in PHP 5.3.1, maybe someone could shed some light into this:
var_dump(base_convert(PHP_INT_MAX, 10, 36)); // zik0zj
var_dump(base_convert(PHP_INT_MAX + 1, 10, 36)); // zik0zk
var_dump(base_convert(PHP_INT_MAX + 2, 10, 36)); // zik0zl
var_dump(base_convert(PHP_INT_MAX * 2, 10, 36)); // 1z141z2
var_dump(base_convert(PHP_INT_MAX * 2 + 1, 10, 36)); // 1z141z3
var_dump(base_convert(PHP_INT_MAX * 2 + 2, 10, 36)); // 1z141z4
I got kinda lost with my rationalization here and I'm bored so I'll just finish really quick. We can use pretty much the whole base 36 charset and safely generate sequential codes with a minimum guaranteed uniqueness factor of 1 unique code per second for 3.16887646 years using this:
base_convert(mt_rand(22, 782) . substr(time(), 2), 10, 36);
I just realized that the above can sometimes return duplicated values due to the first argument of mt_rand(), in order to produce unique results we need to limit a our base 36 charset a little bit:
base_convert(mt_rand(122, 782) . substr(time(), 2), 10, 36);
Remember that the above values are still sequential, in order to make them look random we can use microtime() but we can only ensure a uniqueness factor of 10 codes per second for 3.8 months:
base_convert(mt_rand(122, 782) . substr(number_format(microtime(true), 1, '', ''), 3), 10, 36);
This proved to be more difficult than I originally antecipated since there are lot of constrains:
use the whole base 36 charset
generate random-looking codes
trade-offs between uniqueness factor per second and durability of uniqueness
PHP integer limitations
If we can ignore any of the above it would be a lot easier and I'm sure this can be further optimized but like I said: this is boring me. Maybe someone would like to pick this up where I left. =) I'm hungry! =S
this is my favorite way to do it.
$pretrimmedrandom = md5(uniqid(mt_rand(),true));
$trimmed = substr($pretrimmedrandom ,0,7);
uniqid uses the current time to generate a very unique random string. results look like "3f456yg".
Given that you mention passwords here, I'll assume you need a secure method (ie: someone shouldn't be able to guess someone else's password based on knowing any other password). You could use the following:
Decide on a master password, for example "MasterPassword"
For each password generated, append to that either a random or sequential nonce, for example "MasterPassword1", "MasterPassword2".
Perform a cryptographic hash on that (SHA, MD5, etc) and covert the hash to a hexadecimal representation, eg "ce7f181a44a4a5b7e43fe2b9a0b1f0c1".
Truncate that to as many characters as you need - perhaps seven as you indicated: "ce7f181".
Check if that has been assigned before. If not, return that as your password. Otherwise, repeat from 2.
If security is not an issue, steps 1 and 2 by themselves would be sufficient. If security is an issue, it is vital that no one but yourself knows the value of "MasterPassword".
Here's how I would solve this problem:
Consider that the 7 characters can be one of 26 letters (abc..z), or 10 numbers (01...9). This makes 36 possible characters.
Each time your application generates a new code, have it increment a global variable. You can turn this unique number into a unique string by using a "Hexatridecimal" converter, and by adding filler characters to make up the rest of the string.
Take a look at this link. I think this guy had the same problem as you:
http://www.codemaxima.com/2010/04/the-hexatridecimal-numbering-system/
$random = substr(hash('md5',openssl_random_pseudo_bytes(32)),0,7);
+1 to #Michael Haren's comment. If the passwords on your site should not have a constraint to be unique.
If I try to use a given password and I get an error that I can't use it because it's already in use, then I know some user on the system has that password. If there are 1000 users I only need to try a max of 1000 other accounts before I find the one who has that password.
Not really answering your question, but more than a comment. So I'm marking this CW.
md5( microtime() );
Galen's answer allows only one use of each character in the password. Not much information in that string. A simple change though:
$chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
$passwordlength = 7;
for ($x = 1; $x <= $passwordlength; $x++) {
$charlist .= $chars;
}
$temp_pw = substr( str_shuffle( $charlist ), 0, $passwordlength );
substr(str_shuffle(md5(microtime())),rand(0,21),7);
try this
echo $unique_key = substr(md5(rand(0, 1000000)), 0, 5);
it will give string with length 5.
Use Kohana text,
http://docs.kohanaphp.com/helpers/text
For example,
$prod_id = text::random('alpha', 7);
If you don't want use the framework, you can simply copy the code. You will find lots of goodies there.
Heres a very simple way
$chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
$temp_pw = substr( str_shuffle( $chars ), 0, 7 );
if ( check_unique( $temp_pw ) ) {
$pw = $temp_pw;
}
You'll have to implement your own check_unique function. That part should be easy.