The criteria are basically this:

  • folders will exist for about 24-48hrs
  • folder names cannot be readily guessable by a user (if used in a URL)
  • folder names should be short, 5-15 chars

Initial thoughts:

printf('%u',crc32(microtime(true)));

Details: When uploading a file, I basically want to keep the unique file name as named by the uploader, so to avoid any naming collision I would like to put it in a uniquely named directory ...

A: 

Language was not specified, in Ruby I would do:

require 'digest/md5'
Digest::MD5.hexdigest(Time.now.to_s)

=> "f531384b3cc8c60b7c5b7ad087cb0ae4"
Miquel
there was a tag...
SilentGhost
A: 

This sounds like a "security by obscurity" problem. I would recommend against anything which creates potentially sensitive data and exposes it (even for a short time) in a manner which is secure only because there is an expectation that nobody will guess the location. Brute force attacks exist, and they can rip apart this type of "security".

McWafflestix
Maybe it is for sending a temporary link to a specific user, while others cannot easily guess it
Miquel
+4  A: 

[Edit] Wait a second. PHP includes right in the standard library a unique id generator function. There are other approaches too.

Promit
A: 

Use the date and time in order to generate the name

barfoon
A: 

I'd use something like:

$salt='Whatever you want';
$folderName=SHA1($salt.date('U'));

Date('U') returns the seconds since the Unix Epoch (January 1 1970 00:00:00 GMT) so it's probably going to be unique unless you are generating multiple folders at the same time?

In that case, just subtly change the $salt value (make it a username or random number etc).

Matt
+1  A: 

The classic technique looks something like

  + uploader-name  
    + 20090401
      + 010000     // hhmmss
      + 013000     // hhmmss
      + 014500     // hhmmss
    ...

    + 20090402

adding levels, appending "a", "b", "c", ... etc. based on desired granularity.

This works esp. well if the user relates to the files at all chronologically.

You end up doing a few existence enumerations, but it's not that painful. I've used this many times (including with PHP), primarily because user resistance is lower than for any alternative I've found.

If you are so inclined you can beautify the date expressions - "2009-Apr-01", "01:45AM", etc.

le dorfier
A: 

Basing the hash (either md5 or sha) on the time makes it guessable if the user knows roughly when the directory is generated. All they need to do is set up a simple script to generate all the possibilities covering a few seconds either side and then hit the site looking for a response. Adding a salt, while it will help, doesn't do much good in the long run.

To the OP, the above stands true for any method. If you are running a very fast server, you will need to monitor the hits against random directories. Only having 5-letter directories means someone could manually hit the site enough times to discover the directory. 15 does increase it somewhat, but with a few machines doing it in a scripted way, it isn't out of possibility.

Ryaner
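
An added example, not code from any poster in this thread: one way to meet the question's 5-15 character requirement without deriving the name from the clock, by drawing it from the operating system's CSPRNG and letting mkdir() act as the collision check. It assumes PHP 7 or later (for random_bytes()); the function name createUploadDir, its parameters and the demo base directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): create a directory whose name
// comes from the OS CSPRNG rather than from the current time.
function createUploadDir(string $baseDir, int $nameLength = 15, int $maxAttempts = 5): string
{
    if ($nameLength < 5 || $nameLength > 15) {
        throw new InvalidArgumentException('name length must be 5-15 characters');
    }
    // 32-symbol alphabet: each character carries exactly 5 bits, so
    // 15 characters give 75 bits of name space and 5 characters only 25 bits.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz234567';

    for ($attempt = 0; $attempt < $maxAttempts; $attempt++) {
        $name = '';
        foreach (str_split(random_bytes($nameLength)) as $byte) {
            // 256 is a multiple of 32, so masking to 5 bits adds no bias.
            $name .= $alphabet[ord($byte) & 31];
        }
        $path = rtrim($baseDir, '/') . '/' . $name;
        // mkdir() fails if the path already exists, so creating the
        // directory doubles as an atomic uniqueness check; mode 0700
        // keeps other local users out of it.
        if (@mkdir($path, 0700)) {
            return $path;
        }
    }
    throw new RuntimeException('could not create a unique directory');
}

// Demo on a constructed base directory under the system temp dir.
$base = sys_get_temp_dir() . '/upload-demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$dir = createUploadDir($base);
printf("created %s (%d-bit name)\n", $dir, 5 * strlen(basename($dir)));
```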
A: 

The C++ standard has functions tmpfile and tmpnam, both in cstdio (stdio.h), which create a temporary file and a temporary file name accordingly. tmpfile is deleted at the end of the program though. I would link them but sadly I can't post links just yet.

Nefzen