Is it safe to turn a UUID into a short code? (only use first 8 chars)

Question

We use UUIDs for our primary keys in our db (generated by php, stored in mysql). The problem is that when someone wants to edit something or view their profile, they have this huge, scary, ugly uuid string at the end of the url. (edit?id=.....)

Would it be safe (read: still unique) if we only used the first 8 characters, everything before the first hyphen?

If it is NOT safe, is there some way to translate it into something else shorter for use in the url that could be translated back into the hex to use as a lookup? I know that I can base64 encode it to bring it down to 22 characters, but is there something even shorter?

EDIT I have read this question and it said to use base64. again, anything shorter?

Are you hoping that all but the first 8 characters of the UUID are superfluous? They're there to make it unique. Either way, if it's 8 instead of 22 characters, you really think that will make a friendlier user experience? I wouldn't spend time worrying about that. I've seen crazier URIs in the location bar and it certainly doesn't affect the site's usability. — webbiedave, Dec 30 '10 at 16:10
i was thinking something similar to how an md5 hash can be shortened ( read this somewhere but can't remember where) because the characters have a uniform distribution for a certain substring. — helloandre, Dec 30 '10 at 16:19
I see. Crypto hash functions are expected to have acceptable levels of collision occurrence and truncating the output string merely increases that chance. Your situation cannot afford any chance of "collision" (one id pointing to numerous records). — webbiedave, Dec 30 '10 at 16:31

score 16 · Accepted Answer · answered Dec 31 '10 at 07:26

16

Shortening the UUID increases the probability of a collision. You can do it, but it's a bad idea. Using only 8 characters means just 4 bytes of data, so you'd expect a collision once you have about 2^16 IDs - far from ideal.

Your best option is to take the raw bytes of the UUID (not the hex representation) and encode it using base64. Or, just don't worry much, because I seriously doubt your users care what's in the URL.

answered Dec 31 '10 at 07:26

Nick Johnson

99,939
16
127
196

1

FWIW you'd expect a collision well before 2^16 records, due to the birthday paradox – Christopher Swasey Dec 05 '18 at 13:49
1

For the record usually 4 bytes = 32 bits, so it would be 2^32 not 2^16 – Gonzalo Serrano Mar 25 '21 at 11:29

score 9 · Answer 2 · answered Jan 01 '11 at 16:40

Don't cut a single bit out of that UUID: You have no control over the algorithm that produced it, there are multiple possible implementation, algorithm implementation is subject to change (example: changed with the version of PHP you're using)

If you ask me an UUID in the address bar doesn't look scary or difficult at all, even a simple google search for "UUID" produces worst looking URL's, and everybody's used to looking at google URL's!

If you want nicer looking URL's, take a look at the address bar of this stackoverflow.com article. They're using the article ID followed by the title of the question. Only the ID part is relevant, everything else is there to make it easy on the eyes of readers (go ahead and try it, you can delete anything after the ID, you can replace it with junk - doesn't matter).

score 3 · Answer 3 · answered Dec 30 '10 at 16:06

3

It is not safe to truncate uuid's. Also, they are designed to be globally unique, so you aren't going to have luck shortening them. Your best bet is to either assign each user a unique number, or let users pick a custom (unique) string (like a username, or nick name) that can be decoded. So you could have edit?id=.... or edit?name=blah and you then decode name into the uuid in your script.

answered Dec 30 '10 at 16:06

Zeki

4,877
1
18
27

the picking custom names would work, but it's not always editing a user profile. could be something a user creates with nothing enforcably unique (think photo album) other than the uuid. – helloandre Dec 30 '10 at 16:13

score 1 · Answer 4 · answered Dec 30 '10 at 16:06

It depends on how you're generating the UUID - if you're using PHP's uniqid then it's the right-most digits that are more "unique". However, if you're going to truncate the data, then there's no real guarantee that it'll be unique anyway.

Irrespective, I'd say that this is a somewhat sub-optimal approach - is there no way you can use a unique (and ideally meaningful) textual reference string instead of an ID in the query string? (Hard to know without more knowledge of the problem domain, but it's always a better approach in my opinion, even if SEO, etc. isn't a factor.)

If you were using this approach, you could also let MySQL generate the unique IDs, which is probably a considerably more sane approach than attempting to handle this in PHP.

score 1 · Answer 5 · answered Dec 30 '10 at 16:09

1

If you're worried about scaring users with the UUID in the URL, why not write it out to a hidden form field instead?

answered Dec 30 '10 at 16:09

John Rasch

60,314
19
104
137

i wanted to find some compromise between this (naked url) and having some visual cue in the url of what you were editing. might end up with this approach tho. – helloandre Dec 30 '10 at 16:12

Is it safe to turn a UUID into a short code? (only use first 8 chars)

5 Answers5

Linked