Nothing can be "hacked" by getting the code; all the user could do is activate an invalid email, that's about it. To do this, they'd have to have a general idea of how you make the code. If they saw the function you used, they could generate a list of possible codes and then try them with trial and error.
If you want to use something completely random, check out the generateRandom() function I created here:
I may change it later on down the road to make it more "random" (right now it generates more letters than numbers, since there's a 52:10 ratio for mixed alphanumeric). Change it how you wish if you want to, up to you. I always use this over any sha1() or md5() however, if I'm looking for randomness.
```php
/**
 * @credit Dubz
 * Generates a random string
 * @param $length The length of the string to return
 * @param $lower Include lower-case characters
 * @param $upper Include upper-case characters
 * @param $numeric Include numeric characters
 * @return A randomly generated string or false if empty
 */
function generateRandom($length = 8, $lower = true, $upper = true, $numeric = true)
{
    // Normalise the length to a string of digits; reject anything below 1
    $length = (String)floor($length);
    if(!ctype_digit($length) || $length < 1)
        return false;
    // Build the pool of allowed characters
    $array = array();
    $string = '';
    if($lower)
        $array = array_merge($array, range('a', 'z'));
    if($upper)
        $array = array_merge($array, range('A', 'Z'));
    if($numeric)
        $array = array_merge($array, range('0', '9'));
    if(empty($array))
        return false;
    // Note: array_rand() is not a cryptographically secure source
    while(strlen($string) < $length)
        $string .= $array[array_rand($array)];
    return $string;
}
```
If you want to check out the other functions I've come up with, which I always include in every one of my applications, you can do so here.
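
An added example, not part of the original post and not Dubz's code: a variant of the generator above that draws each character from PHP's CSPRNG (`random_int()`) instead of `array_rand()`, reports how large the trial-and-error search space is, and compares a submitted code in constant time. The names `generateRandomSecure`, `codeEntropyBits` and `activationCodeMatches` are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example; function names are hypothetical, not from the original post.

/** Same options as generateRandom(), but every character comes from the OS CSPRNG. */
function generateRandomSecure(int $length = 8, bool $lower = true, bool $upper = true, bool $numeric = true)
{
    if ($length < 1) {
        return false;
    }
    $alphabet = '';
    if ($lower)   { $alphabet .= 'abcdefghijklmnopqrstuvwxyz'; }
    if ($upper)   { $alphabet .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; }
    if ($numeric) { $alphabet .= '0123456789'; }
    if ($alphabet === '') {
        return false;
    }
    $max = strlen($alphabet) - 1;
    $string = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max] and not predictable from earlier output
        $string .= $alphabet[random_int(0, $max)];
    }
    return $string;
}

/** Bits of search space a guesser must cover when each character is uniform and independent. */
function codeEntropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

/** Compare the stored code with the submitted one without leaking where they differ. */
function activationCodeMatches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

$code = generateRandomSecure(24);
printf("code: %s\n", $code);
printf("8 chars:  %.1f bits\n", codeEntropyBits(8, 62));
printf("24 chars: %.1f bits\n", codeEntropyBits(24, 62));
var_dump(activationCodeMatches($code, $code));                     // same code
var_dump(activationCodeMatches($code, generateRandomSecure(24)));  // fresh, unrelated code
```

The entropy figure only holds when the generator is unpredictable; with a non-cryptographic generator the effective search space is bounded by its internal state, not by the code length.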