Re: Safe for SQL

It returns a 32 byte string, but you only have 10 bytes of entropy, 2 from the process id, 4 from the time, and 4 from the random number generator. Maybe this is enough, maybe it isn't. There's certainly no garantee it will create unique numbers.

Abigail

Comment on Re: Safe for SQL

Replies are listed 'Best First'.
Re: Re: Safe for SQL by hiseldl (Priest) on Dec 10, 2002 at 20:14 UTC
You are absolutely correct, from RFC 1321: ...It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest... So, just using the MD5 algorithm means that there is no gaurantee of a unique message digest. ;-) For something such as a session id for a web script, this is usually sufficient. To resolve your argument, you could add more text until you are reasonably certain that your entropy message is not reproducible: `... while(<LINES_OF_TEXT>) { $md5->add($_); } ...` [download] ...the downside is that it takes longer to compute. One way to gaurantee that the number is unique for that 'insert' statement is to have that database generate the number either from a sequence or stored procedure. I was just trying to keep it simple and sufficient. :-) -- hiseldl What time is it? It's Camel Time!	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: Safe for SQL
by hiseldl (Priest) on Dec 10, 2002 at 20:14 UTC

You are absolutely correct, from RFC 1321:

...It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest...

So, just using the MD5 algorithm means that there is no gaurantee of a unique message digest. ;-)

For something such as a session id for a web script, this is usually sufficient. To resolve your argument, you could add more text until you are reasonably certain that your entropy message is not reproducible:

...
while(<LINES_OF_TEXT>) {
  $md5->add($_);
}
...
[download]

One way to gaurantee that the number is unique for that 'insert' statement is to have that database generate the number either from a sequence or stored procedure.

I was just trying to keep it simple and sufficient. :-)

--
hiseldl
What time is it? It's Camel Time!

[reply]
[d/l]