• Status: Solved

Random user ID

For an ecommerce site, when a user registers, is it fine for the database entry to enter a 1 in the userid column and then the next user will be 2 and so on, or would it be better to have an auto generated id like 1246A7 or something like that? Was just wondering if it made a difference to security.
Asked by: jonofat
 
K V (Database Consultant) Commented:
ids should better be digits!
As far as security is concerned, it depends on how it is going to get exposed?
 
jonofat (Author) Commented:
Sorry, yes all digits, primary key and auto increment. Well, you won't ever see the ID in the address bar like page.php?userID=1 or anything like that. Is that what you mean by exposed?
 
K V (Database Consultant) Commented:
Can't you POST them instead of GET? [post parameters]
 
jonofat (Author) Commented:
I am not GETTING them, I was just giving an example of what I thought you meant by exposed.

So, is it fine to just start from 1 and go up or should I make it a longer auto number? Does it matter?
 
Mohamed Abowarda (Software Engineer) Commented:
Encrypt the auto generated (member id + random string), this will ensure the value will be unique for each member.

Using the rand() method to generate a random number (you can also use mt_rand(), which is a faster method):
http://php.net/manual/en/function.rand.php
http://php.net/manual/en/function.mt-rand.php

Calculating md5() hash:
http://php.net/manual/en/function.md5.php

Example:
$uniqueID = $memberID . mt_rand(1, 50000);

 
jonofat (Author) Commented:
Okay, if it is random, how will I make sure that there aren't errors, like it won't add a user to the database because the ID already exists?
 
jonofat (Author) Commented:
Oh, sorry. Didn't read your post properly. I see the UNIQUE part now...
 
jonofat (Author) Commented:
Going to try this out when I get home. If it works I will give you your points. Thanks for your help.
 
K V (Database Consultant) Commented:
AutoIncrement doesn't matter.
 
Mohamed Abowarda (Software Engineer) Commented:
Your code will be as the following:
$uniqueID = md5($memberID . mt_rand(1, 50000));

For additional security, you might check in your database if there is any duplication, and if found (almost impossible), regenerate another hash.
 
Erdinç Güngör Çorbacı (PHP Development Team Leader) Commented:
Why do you need to assign any other IDs other than the record table's record IDs? The usual customer_id index field with a unique, auto-increment integer is enough for this. Making them incremental is very useful for other tasks too. If you want, you can add another user_id to them which has random parts like the samples above, and in my opinion just unique usernames are also good enough for this.
 
Ray Paseur Commented:
If you assign client IDs using sequential numbers, you have the risk that a bad guy might discover this (perhaps when you set a cookie), and you have the risk that he might want to see what other IDs could see on your site, so he might try impersonating them by using a different client ID, which would be as simple as changing the number of the client ID.

A better strategy for client authentication is available here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_27017158.html

You can mark columns UNIQUE in MySQL and MySQL will throw error number 1062 if you try to insert a duplicate.  You can catch this error in mysql_errno() and regenerate any id that accidentally collides.
 
Mohamed Abowarda (Software Engineer) Commented:
You might also use something more complicated which will be impossible to discover by anyone:
$uniqueID = md5($memberID . mt_rand(1, 50000) . mt_rand(1, 50000) . time());
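
Added example (not code from any participant in this thread): the auto-increment key stays internal, and a separate random identifier, stored in a UNIQUE column and regenerated on a duplicate-key error, is the only value exposed to the client. It draws the identifier from random_bytes() instead of md5() over mt_rand(); the users table, the public_id column, the helper names newPublicId and registerUser, and the in-memory SQLite database (via PDO, standing in for MySQL) are assumptions.

```php
<?php
declare(strict_types=1);

// 128 bits from the OS CSPRNG. Unlike md5($memberID . mt_rand(...)), nothing
// here is derived from guessable inputs (member id, clock, a small range).
function newPublicId(): string
{
    return bin2hex(random_bytes(16));
}

// Insert the user; if the UNIQUE constraint rejects the id, generate another.
// $idSource is injectable only so the collision path can be demonstrated.
function registerUser(PDO $db, string $email, ?callable $idSource = null, int $maxTries = 5): string
{
    $idSource = $idSource ?? 'newPublicId';
    $stmt = $db->prepare('INSERT INTO users (public_id, email) VALUES (?, ?)');
    for ($try = 0; $try < $maxTries; $try++) {
        $publicId = $idSource();
        try {
            $stmt->execute([$publicId, $email]);
            return $publicId;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation. With the MySQL
            // driver, $e->errorInfo[1] is 1062 for a duplicate key.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique public_id');
}

// Hypothetical schema in an in-memory SQLite database (stand-in for MySQL).
// The auto-increment key stays internal; only public_id leaves the server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    public_id CHAR(32) NOT NULL UNIQUE,
    email VARCHAR(255) NOT NULL
)');

$first = registerUser($db, 'a@example.test');
// Constructed collision: the source repeats an existing id once, then a fresh one.
$queue = [$first, newPublicId()];
$second = registerUser($db, 'b@example.test', function () use (&$queue) { return array_shift($queue); });
var_dump(strlen($first) === 32, $second !== $first);
```

An unguessable identifier only makes enumeration harder; every request still has to check that the logged-in session is allowed to access the record the identifier names.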
