PHP: Options to generate an unique user key

After a few days researching on hashing, generating random numbers or unique keys, I am a bit confusing now.

I have one last thing that I want to get it right which is the user key. I want to store an unique key for each member/ user who registers at my website. So this key must be unique and not duplicate. I am thinking to use the user email and hash it with timedate or something...

Then I wonder which is the best way to create such a key -

Can I use hash_hmac() to do this for me?

I have a couple of things don't understand about hash_hmac() though - as in this example from the php.net hash_hmac('ripemd160', 'The quick brown fox jumped over the lazy dog.', 'secret');

So what is 'secret' - can I put anything different instead, like a timedate? I assume that I can replace 'The quick brown fox jumped over the lazy dog.' with the email address?

or maybe I can use Portable PHP password hashing framework to do this?

the only thing is that it produces ., $, and / which I need to remove t开发者_运维百科hem otherwise I will get errors when I request the key from the URL.

so I might do this -

$hash = $phpass -> HashPassword('me@example.com'.$timedate)
$key = preg_replace("/[^a-zA-Z0-9]+/", "", $hash);

Please let me know if you have any better suggestions.

I have one last thing that I want to get it right which is the user key. I want to store an unique key for each member/ user who registers at my website. So this key must be unique and not duplicate. I am thinking to use the user email and hash it with timedate or something

• I would just let your database handle this for you using autoincrement
• You could also use uniqid for this: md5(uniqid(rand(), TRUE));

index.php:

for ($i=0;$i<10;$i++) {
    echo md5(uniqid(rand(), TRUE)) . "\n";
}

output:

php index.php 
ba0d9aad1ff0ceadf4b25f101099b91e
b5a6db5e174b426061d3d3835a6fcaea
54be6d3a03e0590917ed20b097442e3a
6e208a61eae8cfd102d4a41decf0f64e
2cafac5402815af87e8299e5e67016bd
95e839097a566471c70fe357e5a101d2
c6908532bda6f926debdda754b02f931
aac7adf999dd4dd009f208b176ea90d0
1ed7779229e57b05adc088b375582cfb
e016a684564d5cdb89201ebab1038609

They are all unique and you can just use them. You should NOT have to do anything else?

I recommend "stealing" the drupal_random_bytes function.

About hash_hmac(): I believe the "secret" is just some string that is only known by you and the code. It is used to help randomize the algorithm and make it unique depending on which "secret" key you used. Just pick any phrase that you know, and put it there. Note: this has to be the same value every time you hash if you expect the same value in return. So make it something constant, not variable, lest your hash return a different value every time you use it.

But yes, replace the "quick brown fox" with whatever you want to hash, and it should work.

Also an option: use the primary key of the user [usually a simple integer] from the database to reference them.