I have answered with my own implementation (below), where I'd appreciate it if you could check the maths and logic, but I realise there are other possibilities as well.
I'm trying to generate 32 random characters to be used in a registration URL.
The new account is partially created by a member of staff (setting the name/email), and a plain text email is sent to the new user so they can confirm their email address and set their password.
Trying to keep to [A-Za-z0-9] characters, I believe this creates a base 62 system, taking just under 6 bits to store... which is just over 190 bits of entropy? or 190.53428193238?
As this is a security feature, I don't believe uniqid() alone is a good idea, as this is based on the current microtime.
And I don't believe using encryption or hashing of the user's ID or email address is a good solution either (collisions, low entropy, and presumably secured by a single key).
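
One way to produce the 32-character [A-Za-z0-9] token described in the question, as an added example that is not part of the original post or the poster's own implementation: it draws bytes from the operating system CSPRNG and uses rejection sampling so every character is equally likely. It assumes PHP 7 or later for `random_bytes()`; the names `ALPHABET`, `registration_token` and `token_entropy_bits` are hypothetical.

```php
<?php
// Added example. Alphabet and length come from the question;
// the constant and function names are hypothetical.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

function registration_token(int $length = 32): string
{
    $size  = strlen(ALPHABET); // 62
    $token = '';
    while (strlen($token) < $length) {
        // Pull CSPRNG bytes in bulk; each byte gives one 6-bit candidate.
        $bytes = random_bytes($length);
        for ($i = 0; $i < $length && strlen($token) < $length; $i++) {
            $index = ord($bytes[$i]) & 0x3F; // value in 0..63
            // Rejection sampling: 62 and 63 are thrown away instead of being
            // wrapped with a modulo, which would make some characters more
            // likely than others.
            if ($index < $size) {
                $token .= ALPHABET[$index];
            }
        }
    }
    return $token;
}

// Entropy of a uniformly random token: length * log2(alphabet size).
function token_entropy_bits(int $length = 32, int $alphabetSize = 62): float
{
    return $length * log($alphabetSize, 2);
}

$token = registration_token();
printf("%s\n%.4f bits\n", $token, token_entropy_bits());
```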