(10-30-2015, 10:10 AM)iamthwee Wrote: With a random 16 alphanumeric string, I don't even check if it is duplicated. The chances are too low. If you're still worried increase the string length.
Your logic is based on the precondition that it is indeed a random string ... sadly, it's not.
It looks random, but mt_rand() (which provides the "randomness" here) is not random at all; it's output is almost 100% predictable once you know the seed value, and the seed is IIRC based on the process ID. So the chances of a collision are way higher than you would expect.
That's why this function is not good for cryptographic purposes.