PHP: uniqid - Manual

Description

string uniqid ( [string prefix [, bool more_entropy]] )

uniqid() returns a prefixed unique identifier based on the current time in microseconds. prefix is optional but can be useful, for instance, if you generate identifiers simultaneously on several hosts that might happen to generate the identifier at the same microsecond. Up until PHP 4.3.1, prefix could only be a maximum of 114 characters long.

If the optional more_entropy parameter is TRUE, uniqid() will add additional entropy (using the combined linear congruential generator) at the end of the return value, which should make the results more unique.

With an empty prefix, the returned string will be 13 characters long. If more_entropy is TRUE, it will be 23 characters.

Note: The prefix parameter became optional in PHP 5.

If you need a unique identifier or token and you intend to give out that token to the user via the network (i.e. session cookies), it is recommended that you use something along these lines:


<?php

// no prefix

$token = md5(uniqid());



// better, difficult to guess

$better_token = md5(uniqid(rand(), true));

?>

This will create a 32 character identifier (a 128 bit hex number) that is extremely difficult to predict.

User Contributed Notes
uniqid

tommiboy
05-May-2005 10:18


"It seems intuitively likely that at least 2 people somewhere in the world over the past 12 years have already got back exactly the same hash because of what they fed in to be digested."



Really?



12 years = 86400 * 365 *12 seconds = 3,7 * 10^8 seconds



2^128 = 3,4 * 10^38, thus approximately 10^38 samples are needed to find a collison (1.7* 10^38, more exactly)



Consequently, this means:



--> MD5 calculations per second during last 12 years  = 10^30  (worldwide)



Approx. number of PCs worldwide: 820 million (2004), this is <= 10^9



--> MD5 calculations per PC per second >= 10^21



An optimized MD5 implementation takes around 400-450 clock cycles on Pentium-class hardware.



--> During the past 12 years, the average PC had a clock frequency of 10^23 Hertz.



That is about a quadrillion times faster than the PC which I bought last week :)

06-Nov-2004 01:54


"Therefore, the chance of finding 2 matching hashes increases with every hash generated. Taking into account that md5 has been around for 12 years, we may already have passed the magic number."



I think instead of 'finding', which implies recognition, you mean 'generating', don't you?  And what practical difference would it make?   It seems intuitively likely that at least 2 people somewhere in the world over the past 12 years have already got back exactly the same hash because of what they fed in to be digested.  But so what?  It's only meaningful if the two hashes collide in some way, really.

Habib Valanejad
27-May-2003 07:06


Here is a way to generate a uniqid on a Unix network. Your

system must support hostid command.

<?

# Get the hostid of the machine. This should be unique on

# your network. Usually hostid is a hexadecimal number, so

# we use hexdec() function to convert it to a decimal one:

$hostid = hexdec(shell_exec("hostid"));

# Get time of the day in seconds and microseconds:

$td = gettimeofday();

# Use combination of seconds, microseconds, pid and hostid

# to generate a unique number. 

# This way even if one or 2 systems execute this command

# on a very fast machine, at exactly the same time(even

# same within microseconds), with the same pid number 

# (which is very unlikely), you'll still have a unique

# number because of your hostid even on a very large

# network with very fast servers:

echo  $td["sec"].$td["usec"]. getmypid(). $hostid;

?>

Of course you can use md5() to generate a 32 byte character

string of the above output:

echo md5($td["sec"].$td["usec"]. getmypid(). $hostid);