7

i'm using the PHP mail() function to send mails with attachment. Therefore the PHP source contents an boundary to define where the attachment begins and ends.

So the question is: are there any ruels for creating this MIME boundary (exampt that are only letters and numbres are allowed) i still know this SO question -> What rules apply to MIME boundary? Is it necessary to create an boundary form an HASH? Because the following also works: 

$headers .= "Content-Type: multipart/related; boundary=\"abc\"";
[...]
$msg .="--abc\n";
[...]
$msg .= "--abc--\n\n";

Is there a reason, why a MIME boundary should be an unique value?

..i didn't found any information at the Internet.

Thank you!

Community
  • 1
  • 1
The Bndr
  • 13,204
  • 16
  • 68
  • 107
  • Don't build your own mime messages. Use PHPMailer or Swiftmailer to do it for you. – Marc B May 30 '11 at 15:58
  • 2
    ..okay.. but why not? PHPMailer or Swiftmailer are 3rd party tools, right?! – The Bndr May 30 '11 at 16:03
  • php's mail function does as little as possible while still being able to send mail. it's highly likely that anything you send with it will be flagged as spam due to missing headers and whatnot. – Marc B May 30 '11 at 16:10
  • the mails will be send inside an closed network. The server is on the mailservers white-list, so i will have no "spam"-issues. But - thank you for that information. – The Bndr May 30 '11 at 16:13
  • The OP didn't ask for alternatives for using PHP mail command. So commenting about using phpMailer is not helpful to the discussion. – Rick Hellewell Jan 21 '23 at 19:59

2 Answers2

3

MIME boundaries should be something impossibly unlikely to appear in the user's actual message. Hashes are a good option because they are long and unique. Uniqueness also makes it difficult for someone to mess up their messages by figuring out what boundary you use and including it in their message. However, I can't find any requirement that boundaries be unique, just that the entire line be under 70 characters.

user775598
  • 1,323
  • 9
  • 7
  • 1
    If the boundaries are not unique, it may affect having mail chains or attaching emails as an attachment. – ThinkBonobo Apr 02 '14 at 21:59
  • Hashes aren't unique in this sense. A hash by definition is a many-to-one function, so by definition, not unique over its domain, in this case mail messages. (If they were unique, we'd use them to get awesome compression, right?) – Spike0xff Apr 21 '14 at 16:33
3

Nothing says the boundary markers have to be hashes, but they MUST be unique. Think of what would happen if the actual email text you're inserting naturally contains the words --abc-- somewhere.

Your email would look something like this:

--abc--    <--actual boundary
This is my email. There are many like it, but this one is mine.
Now for some reason I'm going to put in a line that shouldn't be there
--abc--    <--part of the email
There it was. Did you see it? No, you didn't, because the mail client saw a boundary
line and sliced it out. Because of this extra boundary, now the email has 2 sections,
instead of 1.
--abc--    <--actual boundary

So... How is a mail client to know what's part of the email and what's just "overhead"? That's why you use unique boundaries.

Hashes are simply the easiest method. It's unlikely in the extreme that an email text would happen to contain its own hash value in the exact spot where it could be seen as a boundary marker.

Marc B
  • 356,200
  • 43
  • 426
  • 500
  • 2
    So it's not important to generate one boundary on every run. (which costs CPU power). It's enough to create one long hash, in order to use this hash for all mails. – The Bndr May 30 '11 at 16:19
  • 1
    No. You have to generate the hash each time. Nothing says the hash can't show up naturally in some other email's body.. This is the problem with 'in-line signalling'. No matter how unlikely it is for the boundary marker to appear naturally, it can never be impossible. – Marc B May 30 '11 at 16:24
  • 1
    I'm not clear how computing a hash of the bounded data is more efficient than generating a pseudo-random boundary and just searching the bounded data for it, given how efficient modern string-search functions are. And then you get a boundary that's actually unique, instead of statistically 'unique'(ish). – Spike0xff Apr 21 '14 at 16:29
  • 1
    I agree with Spike0xff here. What the uniqueness or efficiency gain of calculating a hash over a randomly generated string? Also, what is to say that the hash of the bounded data doesn't naturally show up in that bounded data? The chance of that will surely be equal to or greater than a random string showing up in that bounded data? – Marcel Jun 24 '17 at 10:44