ID generation

[angelochen960]

Hi,

Any way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table, main objective is, to
avoid using a sequence number that people might be able to guess the
next number, if the code is generated, it can be checked against the
database , if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

Angelo

 

[Sabine Dinis Blochberger]

Hi,

Any way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table, main objective is, to
avoid using a sequence number that people might be able to guess the
next number, if the code is generated, it can be checked against the
database , if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

Angelo

I don't know why you'd need obscurity in a database, but you would use
some hash to generate random unique numbers.

 

[angelochen960]

Hi Dinis,

Thanks, the need is simple, i just want to use it as part of url,
example:

http://localhost/read/92020202

this will look nicer than using a UID:

http://localhost/read/NmRjYjcyYTM6MTE4ZTQ3ZjYxMWY6LTdmZjk=

 

[rossum]

Hi,

Any way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table, main objective is, to
avoid using a sequence number that people might be able to guess the
next number, if the code is generated, it can be checked against the
database , if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

Angelo

Assuming that you actually have a sequence number in your database you
could use that number to generate your random-looking 10 digit number.

Either use the sequence number to reseed the built in Random PRNG, or
construct your own Linear Congruential PRNG. Provided you pick the
numbers correctly you can guarantee no repeats for a chosen range of
inputs.

rossum

 

[Lew]

Hi Dinis,

Thanks, the need is simple, i just want to use it as part of url,
example:

http://localhost/read/92020202

this will look nicer than using a UID:

Generated or otherwise artificial keys like that should not be visible at the
user level. It defeats their purpose, for one thing. Only data that have
meaning in the problem space should be visible to consumers of the
application. Find a better way.

 

[David Segall]

Hi,

Any way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table, main objective is, to
avoid using a sequence number that people might be able to guess the
next number, if the code is generated, it can be checked against the
database , if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

Why not just use a random 10 digit number
<http://java.sun.com/j2se/1.3/docs/api/java/util/Random.html>? To make
it look better (i.e. shorter) you could encode it in base 64
<http://mindprod.com/jgloss/base64.html>

 

[David Segall]

Generated or otherwise artificial keys like that should not be visible at the
user level. It defeats their purpose, for one thing. Only data that have
meaning in the problem space should be visible to consumers of the
application. Find a better way.

So how would you suggest I send the URL in a "Click here to confirm
your registration" email to a new subscriber?

 

[Marcelo Morales]

Hi,

Any  way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table,  main objective is, to
avoid using a sequence number that people might be able to guess the
next number, if the code is generated, it can be checked against the
database , if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

Angelo

What about the last ten digits of a timestamp?

Marcelo

 

[Wayne]

So how would you suggest I send the URL in a "Click here to confirm
your registration" email to a new subscriber?

How about this: Use a sequence number, encrypted with something like
crypt or an HMAC and encoded to base-64. When the user then clicks
the link, your servlet decodes the link, then decrypts it to recover
the serial number. The user sees a large random-looking link only.
Internally you can use simple sequence numbers in your DB.

-Wayne

 

[Roedy Green]

if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

how about using SecureRandom.nextLong then prune it back with mask to
make the value positive & 0x7fffffffffff then modulus % 10000000L

See http://mindprod.com/jgloss/pseudorandom.html

 

[Kenneth P. Turvey]

how about using SecureRandom.nextLong then prune it back with mask to
make the value positive & 0x7fffffffffff then modulus % 10000000L

See http://mindprod.com/jgloss/pseudorandom.html

I don't know why just using Random isn't good enough for this purpose.

long val = (long) Random.nextLong() % Math.pow(36, 10);
System.out.println(Integer.toString(val, 36));

You'll want to write some code to zero fill the first few places to make
it look nice. You might want to play with the math a bit. This doesn't
distribute the random numbers evenly. I've done something like this
before and it works fine. This give you 3,656,158,440,062,976 different
possible values and still gets them all represented in a 10 place
number.

(java code untested)

 

[Daniel Dyer]

Hi,

Any way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table, main objective is, to
avoid using a sequence number that people might be able to guess the
next number, if the code is generated, it can be checked against the
database , if exist, it will generate the next, so basically a method
to generate an almost unique number, any tips? thanks.

Define "almost unique".

If you want unique *and* random, use randomUUID():

http://java.sun.com/j2se/1.5.0/docs/api/java/util/UUID.html#randomUUID()

Dan.

 

[Tim Smith]

Define "almost unique".

If you want unique *and* random, use randomUUID():

http://java.sun.com/j2se/1.5.0/docs/api/java/util/UUID.html#randomUUID()

That's good if he uses all or most of the bits. But it sounds like he
wants a 10-digit number. If he chops a UUID down to 10 digits, he's
going to lose unique. He'll get a duplicate about every 100k he
generates.

 

[Lew]

How about this: Use a sequence number, encrypted with something like
crypt or an HMAC and encoded to base-64. When the user then clicks
the link, your servlet decodes the link, then decrypts it to recover
the serial number. The user sees a large random-looking link only.
Internally you can use simple sequence numbers in your DB.

The data can be arbitrary, but it has to have meaning in the problem domain,
not just as a database key. A validation token is perfectly valid. The
artificial keys of which I spoke are those used strictly by the database -
those are the ones that shouldn't appear to a user. You could use the token,
such as the one Wayne suggests, or other domain-meaningful data to identify
the record of interest.

 

[Arne Vajhøj]

Thanks, the need is simple, i just want to use it as part of url,
example:

http://localhost/read/92020202

this will look nicer than using a UID:

http://localhost/read/NmRjYjcyYTM6MTE4ZTQ3ZjYxMWY6LTdmZjk=

I think it will be almost impossible to come up with something
that are:
- short
- unique
- hard to guess

There is a reason that app servers use MD5 length strings for
session ids.

Arne

 

[Roedy Green]

I don't know why just using Random isn't good enough for this purpose.

He asked that it not be guessable. Using Random would not be all
that guessable, but in principle there are various clues.

 

[David Segall]

The data can be arbitrary, but it has to have meaning in the problem domain,
not just as a database key. A validation token is perfectly valid. The
artificial keys of which I spoke are those used strictly by the database -
those are the ones that shouldn't appear to a user. You could use the token,
such as the one Wayne suggests, or other domain-meaningful data to identify
the record of interest.

I understand the second and third sentence although I don't see why a
database generated token is inferior to Wayne's program generated one.
The other sentences seem to have conflicting statements. How can
arbitrary data have meaning in the problem domain? In what way is
Wayne's token "domain-meaningful"?

 

[Andy Dingley]

Any way to generate a nice looking unique number, say a 10 digit
string which is unique in a database table,

GUID

Standard algorithm, implemented in many standard libraries, including
many dialects of SQL. Simple, sorts out your problem very easily.

If you want a long explanation of why GUIDs are an excellent choice
for database table foreign keys, read Kimball's "Data Warehouse
Toolkit".

 

[Lew]

I understand the second and third sentence although I don't see why a
database generated token is inferior to Wayne's program generated one.
The other sentences seem to have conflicting statements. How can
arbitrary data have meaning in the problem domain? In what way is
Wayne's token "domain-meaningful"?

If you take the domain as user confirmation, then the use of secret tokens to
ensure that you got the response from the correct individual is very much part
of the domain of discourse.

You can generate such tokens in a database. However, this is a different use
case from using auto-generated primary keys as part of a physical database
implementation. I realize now that the use case I was addressing was not the
actual one under discussion in this thread. The difference is externality -
Wayne's tokens are designed for external, domain-specific use. DBMS
auto-generated physical keys are not. They share details of implementation
but they are different in purpose.

Given that, I retract my original comment against auto-generated keys as not
germane to this particular use case. Some sort of encrypted token would be
useful, assuming the usual safeguards against man-in-the-middle attacks.