How would it be possible to generate a random, unique string using numbers and letters for use in a verify link? Like when you create an account on a website, and it sends you an email with a link, and you have to click that link in order to verify your account...yeah...one of those.

How can I generate one of those using PHP?

**Update:** Just remembered about `uniqid()`

. It's a PHP function that generates a unique identifier based on the current time in microseconds. I think I'll use that.

Security Notice: This solution should not be used in situations where the quality of your randomness can affect the security of an application. In particular,`rand()`

and`uniqid()`

are not cryptographically secure random number generators. See Scott's answer for a secure alternative.

If you do not need it to be absolutely unique over time:

`md5(uniqid(rand(), true))`

Otherwise (given you have already determined a unique login for your user):

```
md5(uniqid($your_user_login, true))
```

I was just looking into how to solve this same problem, but I also want my function to create a token that can be used for password retrieval as well. This means that I need to limit the ability of the token to be guessed. Because `uniqid`

is based on the time, and according to php.net "the return value is little different from microtime()", `uniqid`

does not meet the criteria. PHP recommends using `openssl_random_pseudo_bytes()`

instead to generate cryptographically secure tokens.

A quick, short and to the point answer is:

```
bin2hex(openssl_random_pseudo_bytes($bytes))
```

which will generate a random string of alphanumeric characters of length = $bytes * 2. Unfortunately this only has an alphabet of `[a-f][0-9]`

, but it works.

Below is the strongest function I could make that satisfies the criteria (This is an implemented version of Erik's answer).

```
function crypto_rand_secure($min, $max)
{
$range = $max - $min;
if ($range < 1) return $min; // not so random...
$log = ceil(log($range, 2));
$bytes = (int) ($log / 8) + 1; // length in bytes
$bits = (int) $log + 1; // length in bits
$filter = (int) (1 << $bits) - 1; // set all lower bits to 1
do {
$rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
$rnd = $rnd & $filter; // discard irrelevant bits
} while ($rnd > $range);
return $min + $rnd;
}
function getToken($length)
{
$token = "";
$codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$codeAlphabet.= "abcdefghijklmnopqrstuvwxyz";
$codeAlphabet.= "0123456789";
$max = strlen($codeAlphabet); // edited
for ($i=0; $i < $length; $i++) {
$token .= $codeAlphabet[crypto_rand_secure(0, $max-1)];
}
return $token;
}
```

`crypto_rand_secure($min, $max)`

works as a drop in replacement for `rand()`

or `mt_rand`

. It uses openssl_random_pseudo_bytes to help create a random number between $min and $max.

`getToken($length)`

creates an alphabet to use within the token and then creates a string of length `$length`

.

**EDIT:** I neglected to cite source - http://us1.php.net/manual/en/function.openssl-random-pseudo-bytes.php#104322

**EDIT (PHP7):** With the release of PHP7, the standard library now has two new functions that can replace/improve/simplify the crypto_rand_secure function above. `random_bytes($length)`

and `random_int($min, $max)`

http://php.net/manual/en/function.random-bytes.php

http://php.net/manual/en/function.random-int.php

Example:

```
function getToken($length){
$token = "";
$codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$codeAlphabet.= "abcdefghijklmnopqrstuvwxyz";
$codeAlphabet.= "0123456789";
$max = strlen($codeAlphabet); // edited
for ($i=0; $i < $length; $i++) {
$token .= $codeAlphabet[random_int(0, $max-1)];
}
return $token;
}
```

Licensed under: CC-BY-SA with attribution

Not affiliated with: Stack Overflow