Well what's stored and assigned to a specific user is randomly generated. But while testing the application, I noticed while redeeming a code that I could create a bogus code and it would count. Perhaps I've not fully created the most logical tool, but at this point I have to seal up this hole in my process.
I need to both stop duplicates and prevent bogus codes from being used.