Home » Php » php – Generating confirmation code for an email confirmation

php – Generating confirmation code for an email confirmation

Posted by: admin April 23, 2020 Leave a comment


Using PHP, what are some ways to generate a random confirmation code that can be stored in a DB and be used for email confirmation? I can’t for the life of me think of a way to generate a unique number that can be generated from a user’s profile. That way I can use a function to make the number small enough to be included in the URL (see this link). Remember, the user has to click on the link to “confirm/activate” his/her account. If I can’t use numbers, I have no problems using both letters and numbers.

With that said, I’ve tried hashing the username along with a “salt” to generate the random code. I know there has to be a better way, so let’s hear it.

How to&Answers:
$random_hash = md5(uniqid(rand(), true));

That will be 32 alphanumeric characters long and unique. If you want it to be shorter just use substr():

$random_hash = substr(md5(uniqid(rand(), true)), 16, 16); // 16 characters long

Alternative methods to generate random data include:

$random_hash = md5(openssl_random_pseudo_bytes(32));
$random_hash = md5(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

// New in PHP7
$random_hash = bin2hex(random_bytes(32));


1) Create an Activated Field in Database

2) After registration the Email is sent

3) Create a Link to include in Email,Use a Unique identifier
It would look something like this

Welcome Username Thanks for registering.

Please Click on the Link below to activate your account


4) Update the Activated Field to true

alt text
(source: jackborn.com)

$email_encrypt = urlencode($email);
$special_string = 'maybeyourcompanynamereversed?';
$hash = md5($email_encrypt.$special_string);

Here is the link that is sent to the email that was provided:


The actual link will look something like this:



The accepted answer suggests using a hash of PHP’s uniqid(). The documentation for uniqid explicitly warns that it does not create “random nor unpredictable strings”, and states emphatically that “This function must not be used for security purposes.

If there is any concern over the possibility of a confirmation code being guessed (and that is the whole point of issuing a code) you may wish to use a more random generator such as openssl_random_pseudo_bytes(). You can then use bin2hex() to turn it into a nice alphanumeric. The following looks just like the output of John Conde’s answer, but is (supposedly) more random and less guessable:

// generate a 16 byte random hex string
$random_hash = bin2hex(openssl_random_pseudo_bytes(16))

Late addendum: As Oleg Abrazhaev points out, if you want to make sure your system is actually capable of generating cryptographically strong random values at runtime, openssl_random_pseudo_bytes accepts a reference to a bool to report this. Code from phpinspectionsea docs:

$random = openssl_random_pseudo_bytes(32, $isSourceStrong);
if (false === $isSourceStrong || false === $random) {
    throw new \RuntimeException('IV generation failed');

Then use the generated random value as before:

$random_hash = bin2hex($random)


Decided I need something a little more robust and added functionality. So this is what I came up with.

 * Hash Gen 
 * @author Kyle Coots
 * @version    1.0
 * Allow you to create a unique hash with a maximum value of 32.
 * Hash Gen uses phps substr, md5, uniqid, and rand to generate a unique 
 * id or hash and allow you to have some added functionality.
 * @see subtr()
 * @see md5()
 * @see uniqid()
 * @see rand()
 * You can also supply a hash to be prefixed or appened
 * to the hash. hash[optional] is by default appened to the hash 
 * unless the param prefix[optional] is set to prefix[true].     
 * @param start[optional]
 * @param end[optional]
 * @param hash[optional]
 * @param prefix bool[optional]
 * @return string a unique string max[32] character
function hash_gen($start = null, $end = 0, $hash = FALSE, $prefix = FALSE){

    // start IS set NO hash
    if( isset($start, $end) && ($hash == FALSE) ){

        $md_hash = substr(md5(uniqid(rand(), true)), $start, $end);
        $new_hash = $md_hash;

    }else //start IS set WITH hash NOT prefixing
    if( isset($start, $end) && ($hash != FALSE) && ($prefix == FALSE) ){

        $md_hash = substr(md5(uniqid(rand(), true)), $start, $end);
        $new_hash = $md_hash.$hash;

    }else //start NOT set WITH hash NOT prefixing 
    if( !isset($start, $end) && ($hash != FALSE) && ($prefix == FALSE) ){

        $md_hash = md5(uniqid(rand(), true));
        $new_hash = $md_hash.$hash;

    }else //start IS set WITH hash IS prefixing 
    if( isset($start, $end) && ($hash != FALSE) && ($prefix == TRUE) ){

        $md_hash = substr(md5(uniqid(rand(), true)), $start, $end);
        $new_hash = $hash.$md_hash;

    }else //start NOT set WITH hash IS prefixing
    if( !isset($start, $end) && ($hash != FALSE) && ($prefix == TRUE) ){

        $md_hash = md5(uniqid(rand(), true));
        $new_hash = $hash.$md_hash;


        $new_hash = md5(uniqid(rand(), true));


    return $new_hash;



  private  function generateCodeSecurity()
    list($usec, $sec) = explode(" ", microtime());
    $micro = usec + $sec;

    $hoy = date("Y-m-d");  
    $str = str_replace('-','',$hoy); 

    return  rand($str,  $micro);


With this little code, you can generate a random number, with a range of 7 to 11 numbers.

Using php functions:

Rand ();
Microtime ()

$hoy = date("Y-m-d");  
$str = str_replace('-','',$hoy); 

echo $str; 
result date: 20170217

 list($usec, $sec) = explode(" ", microtime());
 $micro = usec + $sec;

echo $micro;
result  micro varaible: 1487340849

Passing parameters in this function:rand ();

 rand($str,  $micro);

and return;


 list($usec, $sec) = explode(" ", microtime());
    $micro = usec + $sec;

    $hoy = date("Y-m-d");  
    $str = str_replace('-','',$hoy); 

   $finalresult = rand($str,  $micro);

echo $finalresult; 

result: 1297793555

I think it is difficult to repeat this number, for the reason it will never be the same day, nor the same hour, nor the same milliseconds of time.