When you say automatically populate, do you mean on a new page load, or withought reloading the page?

Either way, the PHP code would be pretty much the same. If you have the details for the user in a database, you have to retrive the users details: eg:

[PHP]
$query = "select * from users where username = $username";
$result_array = do_the_db_query($query);
[/PHP]

Then in the result just take out what you want using substring:

Eg: Assuming you $result_array is an associative array indexed by the field names...

[PHP]$username = $result_array['username'];
$year = $result_array['year'];
$rand = random_2_digit_number_from_system_clock();

$part1 = substr($username, 0, 2);
$part2 = substr($rand , strlen($year) - 2, 2);
$part3 = $rand;

$rand_id = $part1.$part2.$part3;[/PHP]

What is this random Id for anyways?
If you're creating a random ID for security or granting access.. like session ids or something like that then this would NOT be a way to do it... the id is way to easy to guess. Its only 1/100.

What would be the best way to generate a random id, which include user_name of "stephen"?

I'd look at the rand() function. It will probably do what you want.

It depends on what you want to us the random ID for.

Usually you'd want either one that changes every time its used (like for password validation) or one that stays the same for a specified time (like a session id).

Most of what you need for sessions and the like are already implemented in PHP functions.

If its something unusual then you can use the rand() function that Puckdropper mentioned.

What to note though is that the rand() function is useless unless you know the techniques for making a random number secure. Explaining this would not make sense unless we know how you're implenting that random number, and what for..

Heres an explanation of the two common uses:

Password authentication.

Most web apps store passowrds as a cryptographic hash. The hash is a "random" number of fixed length generated for any input number. The generated hash for the same number is always the same, yet guessing the input number from the hash is very hard.
PHP has functions for widely used hash algorithms like: md5 (not recommented) and sha1.

To authenticate the password, usually its sent as plain text to the server, then the server will create the hash of the password and compare it to the one in the database.

This method is very insecure, as the password is clearly visible when sent over the network, unless you're using an SSL connection.

A step up would be to create the hash of the password on the client using client side scripting. Then send the password hash over the network.

Heres some links to popular md5 and sha1 implementations in JavaScript.

http://pajhome.org.uk/crypt/md5/
http://www.movable-type.co.uk/scripts/SHA-1.html
http://www.cs.eku.edu/faculty/styer/...t/JS-SHA1.html


Unfortunately even if you send a hash of a password, its still suseptible to reply attacks. Someone sniffing the network can just view the password hash, and then resend this hash to log into the users account.

Therefore you will usually want to make sure your authentication mechanism takes a different authentication parameters each time.

How you do this is by adding a salt to the password and/or username each time it has to be authenticated. The salt is a random number that is appended to the input string before hashing the string.

So if the user has the password, "pass", then you could send the client the salt, "xyz" and the client has to make a hash of, "passxyz", and send the hash back to the server.
The server can then get the users password from the database, joe, and put it together with the salt, xyz, and make a hash. If the two hashes match then the user supplied the right password, even though it was never sent over the network.
The server can then change the salt for each authentication.

Now even though you have a hash of the password, and have salted the password before hashing it again, it still suseptible to "tampering".
An attacker could be sniffing the network and intercept the HTML password page being sent over HTTP to the user.
The attacker can then change the HTTP message, and thus the HTML page, to their liking before sending it on to the client. They could remove the javascript hashing mechanisms, and make the user send their password as plain text over the network so they can sniff it on its way back to your server.

The only way to stop this is to have the HTTP sent over an SSL connection (HTTPS). Unfortunately for most developers this is usually beyond their resources...

Browsers do have inbuilt mechanisms for password authentication defined by the HTTP protocol, like: basic authentication (I would NOT recommend), http digest authentication etc. but for developers these mecanisms are not only hard to use, but hard to control.

Session IDs:

Session IDs are suseptible to reply attacks no matter what you do. The session ID has to be sent from client to server each time to authenticate the current session. The more it is sent, the more chance someone can sniff it over the network and send it to the server trying to fool the server into giving them access.

Most implementation will also save the users IP and cross reference that with the session so only a valid IP range should be able to use a session. This is more useless then most think, IPs can be easily spoofed, and if you're sniffing the network anyways, it means youre on the same IP range?

Here's somethinig to read:
Heres a good read on session security:
http://www.cgisecurity.com/lib/SessionIDs.pdf

The best you can do with sessions is weed out the social engineering tactics (phising etc.) and brute force attacks (cracking) on session IDs as well as "traffic analysis" (good guesswork).

---

In your PHP code, when generating a unique ID for authentication in any way, some things to note are:

Never authenticate the raw unique ID. Always authenticate the HASH against your databse.
Its best to salt your Unique ID if you can (like for passwords) so that you aren't suseptible to reply attackes.
Make sure to try and eliminate brute force by giving the random number a larger range.

Example:

[PHP]$rand = sha1(rand(1, 100));[/PHP]

Thants a very weak random ID since its only 1/100. Even if its been hashed.

Do not follow a pattern that can be easily guessed through "traffic analysis". Hashing the date is an example of a bad habit for security. Hashing userid's is even worse, but it seems to be just as common. If you're using the date, only use it to lengthen your random ID, not as the random ID itself.

Note that hashes "cannot" be reversed, but they can be analyzed!

eg:

[PHP]// monday
$rand = sha1($password.'monday');

// tuesday
$rand = sha1($password.'tuesday');[/PHP]

Even though it looks good, even if you replace it with the timestamp, its still a very obvious pattern.

You must have spent a lot of time writing that. Good explanation though.

I've read the posts, and I thought of the following: If this is the first time you create the user, it will be wiser to use a sequential values instead of random. Alhtough random is good enough, still you may result in duplicate usernames. To avoid duplicates you will need to write extra code checking for existing users.

Basicly you should follow some algorythm like this:
1. Enter your new user into your database.
2. Get his record ID
3. Generate his userID
4. Insert his userID next to his name into the sql database.

so, it should be something like this

[php]//1. Enter your new user into your database.
//get username from previous form
$user=$_POST['user'];
// login into mysql server and prepare data for writing
$connect=mysql_connect('localhost', $user, $pass);
$selectdb = mysql_select_db('mydb');
$query = "insert into users_table set
username='$user';";
$run_query=mysql_query($query);
//2. Get the ID
$id=mysql_insert_id();
//3. Generate users ID
$first_chars=substr($user, 2);
$year=date('y');

$new_user_id= $first_chars.$year.$id;

//4. inserting the new user id

$query="update users_table set userid='$new_user_id' where id='$id';";
$run_query=mysql_query($query);
if (!$run_query) {
echo mysql_error();
}
else {
echo 'your user name is '.$user.' and user id is '.$new_user_id ; }[/php]
That should be all.

Ok, I'm pretty new to the whole coding with Databases and such. Infact I'm still in High School and need help on this very same subject. Using coldfusion and Microsoft access.

I'd like to know exactly how i'm suppose to Create a page to allow users to give their first and last names along with their email, then after clicking submit, the site will auto generate their username: First letter of their name and then their full last name. ex. Carl Flanigan = CFlanigan. and auto generate a password as a random string of numbers and Email it to them.

Normally I wouldn't ask for help but my teacher is unfortunately useless and attempting, without result, to keep the other students off internet games.

I'd appreciate it if you could explain how the code works, as i've tried many things and failed for my trouble.

Much obliged!

Might I direct you to the Coldfusion forum, valianthero?

Yes, Thank you. I noticed my mistake soon after and have left a similar post there. Unfortunately i don't seem to be receiving the help I need. Now this i suppose falls under both PHP and Coldfusion, so How would one Translate/Convert PHP to Coldfusion? Since this code is practically exactly what i need, although i'm unfamiliar with PHP and may as well be written in Dutch.