twistedpixel

Reputation: 1225

Using RAND with MD5 to generate unique key in MySQL unique field. Possible? Acceptable practice?

I'm trying to implement a simple password reset system for my website. The idea is this:

  1. User requests password reset link.
  2. CodeIgniter system uses RAND and MD5 (I know it's insecure and broken, probably best to use SHA1 or better, not the point) via MySQL to generate a random string and hash it, producing 32bit key.
  3. User is sent a link consisting of the key.
  4. The rest is fairly obvious.

I want to find out if -

A: MySQL functions RAND with MD5 (or better) being generated into a field set as UNIQUE, will automatically regenerate if they happen to generate a key that already exists in the table under that field.

B: This is an acceptable method to generate password reset links. Or is it better to hash the user's email address with a salt to prevent duplicates?

Obviously this is just the basic implementation and security needs wrapped around the whole process.

Upvotes: 6

Views: 2777

Answers (1)

symcbean

Reputation: 48367

There's not much point in using a more sophisticated hash against simple, predictable values. Using the email as a salt helps - but not much. If you only need a random value then why not use a random value - dressing it up with pseudo-cryptography doesn't help the security (it actually undermines it here). Just generate a random number (actually, you probably want to generate several random numbers, convert to a more compact base and concatenate) and store it alongside the login information (you need to preserve the original password and unset the unlock if the user logs in successfully anyway).

Upvotes: 0
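
The approach the answer describes, as an added example that is not part of the original question or answer: a token drawn from the OS CSPRNG, stored in a UNIQUE column next to the login row, retried on a duplicate-key error (a UNIQUE constraint rejects the write rather than regenerating the value), and cleared on use. The `users` columns, the function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example. Table, column and function names are assumptions; in-memory
// SQLite stands in for MySQL (both report a duplicate key as SQLSTATE 23000).
function new_reset_token(): string {
    // 32 bytes from the OS CSPRNG, encoded as URL-safe base64 without padding.
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

function issue_reset(PDO $db, int $userId, int $ttl = 3600): string {
    $sql = 'UPDATE users SET reset_token = ?, reset_expires = ? WHERE id = ?';
    for ($attempt = 0; $attempt < 3; $attempt++) {
        $token = new_reset_token();
        try {
            $db->prepare($sql)->execute([$token, time() + $ttl, $userId]);
            return $token;
        } catch (PDOException $e) {
            // UNIQUE rejects a duplicate value; nothing is regenerated for us.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique reset token');
}

function clear_reset(PDO $db, int $userId): void {
    // Call this after a successful ordinary login as well.
    $db->prepare('UPDATE users SET reset_token = NULL, reset_expires = NULL WHERE id = ?')
       ->execute([$userId]);
}

function redeem_reset(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE reset_token = ? AND reset_expires > ?');
    $stmt->execute([$token, time()]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;              // unknown, expired or already used
    }
    clear_reset($db, (int) $id);  // single use
    return (int) $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
           reset_token TEXT UNIQUE, reset_expires INTEGER)');
$db->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.test')"); // constructed row
$token = issue_reset($db, 1);
var_dump(redeem_reset($db, $token), redeem_reset($db, $token));
```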
