Generating confirmation numbers

I need a technique (an a pointer to sample code if you have) for generating conformation numbers for web payment. I don't want the customer to write down a long sequence like a GUID but I don't want it easily predictable as well.

Using C#

Thanks for all the tips. I decided on a format like this:

TdddRROOO

T = 2009 (next year will be U = 2010) ddd = days this year RR = two random numbers 000 = order number (I'll offset this so folks can't know the order number that day)

So the confirmation number will be something like P23477098

You could do something with a mixture. Generate the first half of the key as a known, predictable value (e.g. 00001, 00002, 00003, etc.) and then generate the second half as a randomly generated value so it won't be predictable. Then, increment the "known, predictable" value so that you will never get a match.

Your unique code would then become: 00001-53481, 00002-43853, 00003-54511, etc.

Of course, I am sure there are libraries out there that probably do this already. (It might help if you specify what language you are using.)

I recent did same thing in PHP. We use random function in this class,

https://github.com/kohana/core/blob/3.3/master/classes/Kohana/Text.php

We use random('distinct', 8) to generate confirmation number. It generates strings like this,

4CFY24HJ
JH5AYL7J
2TVWTMJ5

As you can see, it has no confusing numbers/letters like (1/l, 0/O etc) so it makes it much clearer when customers have to read the numbers over the phone.

Decide on the characters (char[] chars) that you want in your confirmation code, decide on the length of confirmation code (n), generate n random numbers (i_1, i_2, ... i_n) in the range [0..chars.Length) and return the string chars[i_1]chars[i_2]...chars[i_n].

In C#:

public string ConfirmationCode(char[] chars, int length, Random rg) {
    StringBuilder codeBuilder = new StringBuilder();
    for(int i = 0; i < length; i++) {
        int index = rg.Next(chars.Length);
        codeBuilder.Append(chars[index]);
    }
return codeBuilder.ToString();

For uniqueness, prepend the current time in yyyyMMddhhmmss format.

Just generate a random number between 100000 and 999999, for example. Also a good idea is to put some letters in front that identify that it is a confirmation number, such as CONF-843682 so that people will recognize it more easily when you ask for it.

Store the number in the database, together with an ID for the order and an expiry date (say 1 year).

You could do something like get a random number of a specified length, convert to base64 and add a checksum character.

How about something like Amazon's PayPhrase? Use a library like Faker (Ruby) or Data::Faker (Perl) to generate random phrases, or write your own utility. Then just use a simple hash function to convert the "confirmation phrase" into a number you can index.

As for C# there exists a port Ruby's Faker gem at http://github.com/slashdotdash/faker-cs