I'll try to be simple, clear and direct. My problem is the following: I have a project where I need to generate codes for scratch cards. The scratch cards are printed like the ones you use for topping up your mobile phone.

The system is that people buy the cards, get the codes on the cards, then call a ToIP server (Asterisk) and enter the code to access a service. They are given three attempts to enter the right code.

I thought of making a PHP program to generate these codes, so I will surely need to use a PRNG (Pseudo Random Number Generator). My constraints are:

- As the people are calling, the code shouldn't be too long, but long enough to ensure security.

- I need the system to be fast enough when the comparison is made between the code entered and the one stored in the database (needed for statistics purposes).

So my questions are:

- Is it right to use a PRNG?

- If yes, do you know one strong enough to generate good random numbers?

- What standards are used by the industry?

- How do I make the comparison algorithm fast enough if the comparison is made over millions of codes?

Thanks for your time and answers.

Asked by RedLion (last edited by NullUserException)
  • What do you mean by "comparison"? Are you just checking if the code is present/valid? – NullUserException Sep 20 '11 at 20:58
  • Another option is to generate hashes based on data in your db + salts. For this purpose, a properly salted hash output would be just as hard to crack as a proper RNG's output. – Marc B Sep 20 '11 at 21:20
  • **@NullUserException**: Exactly. Sorry if it was ambiguous. In fact I want the check to be as fast as possible. Telephone calls are in the "real time" domain, so...; **@Marc B**: Thanks for the tip, I'll study this approach. – RedLion Sep 21 '11 at 20:16

1 Answer

Yes, a PRNG will work fine after tweaking it a little bit.

http://en.wikipedia.org/wiki/Random_password_generator

You can refer to the password generator code in the link above. You have to make sure the first digit is not 0 and use only digits, not letters.

Once a number is generated you have to check whether it already exists in the DB before you insert it.

Normally, 16 characters/digits are used by the industry. You can generate 20-digit numbers as well to make the whole process faster.

To make matching faster you have to index the field in the database. Most probably it will be a char(16) or char(20).

Note: as there is no need for varchar here, char is the best option.

Keep the MySQL table engine as MyISAM for fast comparison.

Answered by Imdad

  • Thanks, it was enlightening; I think I have enough elements to write the program. Anyway, 16 digits seems too long; 10 would be better for me. The client is already paying for the call, so the number of digits he/she has to type shouldn't be too high. – RedLion Sep 21 '11 at 20:22
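The following is an added example, not code from the question or the answer above, that puts the answer's points together in PHP: digit-only codes whose first digit is never 0, generated from a cryptographically secure source (`random_int()`, PHP 7+, rather than the predictable `rand()`/`mt_rand()`), stored in a fixed-width `CHAR` column with a unique index that both speeds up the lookup and rejects duplicates, and redeemed with a single indexed `UPDATE` so a code cannot be used twice. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, columns and the sample counts are constructed for the example and are not from the page. The last function computes the per-attempt guessing probability for a given code length and number of unused codes, which is the figure to look at when deciding between 10 and 16 digits.

```php
<?php
// Added example (not from the question or answer): CSPRNG-generated
// scratch-card codes with an indexed lookup. Assumes PHP >= 7.0 with
// pdo_sqlite; table layout and sample sizes are constructed here.
declare(strict_types=1);

/**
 * Generate one code of $digits decimal digits. The first digit is drawn
 * from 1-9 so the code never starts with 0; the rest from 0-9.
 * random_int() is PHP's cryptographically secure generator; rand() and
 * mt_rand() are seeded predictably and must not be used for codes.
 */
function generateCode(int $digits): string
{
    if ($digits < 2) {
        throw new InvalidArgumentException('code needs at least 2 digits');
    }
    $code = (string) random_int(1, 9);
    for ($i = 1; $i < $digits; $i++) {
        $code .= (string) random_int(0, 9);
    }
    return $code;
}

/** Create the code table with a unique index on the fixed-width code column. */
function createSchema(PDO $db, int $digits): void
{
    $db->exec("CREATE TABLE IF NOT EXISTS cards (
        code   CHAR($digits) NOT NULL,
        used   INTEGER NOT NULL DEFAULT 0,
        issued TEXT NOT NULL
    )");
    // The unique index makes the lookup an index seek and rejects duplicates.
    $db->exec('CREATE UNIQUE INDEX IF NOT EXISTS cards_code ON cards(code)');
}

/**
 * Insert $count fresh codes. "INSERT OR IGNORE" lets the unique index
 * reject the rare duplicate (rowCount() == 0) instead of a separate
 * SELECT-then-INSERT round trip; on a duplicate we simply draw again.
 */
function issueCodes(PDO $db, int $digits, int $count): int
{
    $stmt = $db->prepare('INSERT OR IGNORE INTO cards (code, used, issued) VALUES (?, 0, ?)');
    $inserted = 0;
    $db->beginTransaction();
    while ($inserted < $count) {
        $stmt->execute([generateCode($digits), gmdate('c')]);
        $inserted += $stmt->rowCount();
    }
    $db->commit();
    return $inserted;
}

/**
 * Redeem a code entered by the caller: validate the format first, then
 * one indexed UPDATE that only succeeds if the code exists and is still
 * unused, so two concurrent calls with the same code cannot both succeed.
 */
function redeemCode(PDO $db, string $entered, int $digits): bool
{
    if (!preg_match('/^[1-9][0-9]{' . ($digits - 1) . '}$/', $entered)) {
        return false; // wrong length, leading zero, or non-digits: no DB hit needed
    }
    $stmt = $db->prepare('UPDATE cards SET used = 1 WHERE code = ? AND used = 0');
    $stmt->execute([$entered]);
    return $stmt->rowCount() === 1;
}

/**
 * Probability that one random guess hits an unused code: unused codes
 * divided by the code space, which is 9 * 10^(digits-1) because the
 * first digit is never 0. Multiply by the allowed attempts per call.
 */
function guessProbability(int $digits, int $unusedCodes): float
{
    return $unusedCodes / (9 * 10 ** ($digits - 1));
}

// Demo run with constructed sample sizes.
$digits = 16;
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db, $digits);
echo issueCodes($db, $digits, 1000), " codes issued\n";

$sample = (string) $db->query('SELECT code FROM cards LIMIT 1')->fetchColumn();
var_dump(redeemCode($db, $sample, $digits));               // true: valid and unused
var_dump(redeemCode($db, $sample, $digits));               // false: already used
var_dump(redeemCode($db, '0123456789012345', $digits));    // false: leading zero

// One million unused 10-digit codes vs. 16-digit codes, per single guess.
printf("10 digits: %.1e   16 digits: %.1e\n",
    guessProbability(10, 1000000), guessProbability(16, 1000000));
```

The format check in `redeemCode()` means a malformed entry never reaches the database, and the `UPDATE ... WHERE used = 0` collapses "look up, then mark used" into one atomic statement, which is what keeps the per-call cost at a single index seek even with millions of rows. The `guessProbability()` output is the number to weigh against the three-attempt limit when shortening the code from 16 to 10 digits.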