PerlMonks  

Re^6: Using Net::SMTP to send email attachments

by shmem (Chancellor)
on May 01, 2017 at 15:08 UTC ( [id://1189266]=note )


in reply to Re^5: Using Net::SMTP to send email attachments
in thread Using Net::SMTP to send email attachments

Wrong way. When avoiding perfectly working modules, one should at least read the relevant RFCs, in this case RFC2046. It clearly states:

Right. Sometimes memory betrays me; but it is not me who is "avoiding perfectly working modules"...

So, a "good" boundary string contains pseudo-random or hashed data and is not a single word.

Elsewhere in this thread: when assembling a multipart mail "avoiding perfectly working modules", if only for the sake of providing an example, I construct the boundary as '==' . encode_base64( join('',gettimeofday), '') which doesn't qualify as a single word either, and should be fairly unique, too.

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Replies are listed 'Best First'.
Re^7: Using Net::SMTP to send email attachments
by afoken (Chancellor) on May 06, 2017 at 16:35 UTC
    but it is not me who is "avoiding perfectly working modules"...

    Never said that, or at least I didn't intend to do so.

    if only for the sake of providing an example, I construct the boundary as '==' . encode_base64( join('',gettimeofday), '')

    Just for fun, I looked up PHPMailer, found https://github.com/PHPMailer/PHPMailer/blob/master/class.phpmailer.php. In createBody(), the boundary strings (PHPMailer seems to use up to three different ones) are generated like this:

    $this->uniqueid = $this->generateId();
    $this->boundary[1] = 'b1_' . $this->uniqueid;
    $this->boundary[2] = 'b2_' . $this->uniqueid;
    $this->boundary[3] = 'b3_' . $this->uniqueid;

    And generateId() is this:

    return md5(uniqid(time()));

    I've learned that PHP functions often have surprising behaviour and/or badly chosen names, so I looked up all three of them:

    So, what happens is that time() returns the current time as an integer. That is used as a prefix for the uniqid() function. And of its return value, an MD5 hash is created and returned as a hex string. So, the three boundary strings used by PHPMailer are identical MD5 hashes except for the "b1_", "b2_", and "b3_" prefixes.


    I can't resist a little bit of documentation bashing, though.

    time() is documented as returning the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT). First problem: Unix time is defined in UTC, not GMT. Second problem: No word of leap seconds. Unix time completely ignores leap seconds, it is defined as "number of non-leap seconds since the epoch". PHP does not mention ignoring leap seconds, so I could conclude that they are in fact counted. I would expect PHP's time() function to return a number ending in 7 when called at any full minute, because there were 37 leap seconds since the Unix epoch, as of today. Let's see:

    alex@wiki pts/0 13:42:00 /home/alex>php -r "echo time();"
    1493898120

    So, no, PHP's time() does NOT return the "number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT)". Instead, it returns what PHP documentation authors call the "current Unix timestamp", i.e. Unix time, NOT counting leap seconds.

    This is the PHP implementation used on 64-bit Slackware 14.2, identifying itself as follows:

    PHP 5.6.30 (cli) (built: Feb 8 2017 21:28:32)
    Copyright (c) 1997-2016 The PHP Group
    Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
        with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

    uniqid is supposed to Generate a unique ID. Its return value is documented to be a timestamp based unique identifier as a string. Interesting. Someone seems to have solved the problem of creating really unique identifiers. Or so it seems. The documentation contains a warning:

    This function tries to create unique identifier, but it does not guarantee 100% uniqueness of return value.

    So, is the return value unique or not? A simple yes-or-no question, like "are you pregnant?" There is no "I'm 42.3% pregnant". You are, or you aren't. And uniqid does NOT return a unique ID.

    Another warning explains that adjusting the clock may be a problem, too:

    This function does not guarantee uniqueness of return value. Since most systems adjust system clock by NTP or like, system time is changed constantly. Therefore, it is possible that this function does not return unique ID for the process/thread.

    Why are process and thread mentioned in that warning? If a function returns a unique value, that value should not depend on the process or thread. Of course, if all that function does is mixing time, process ID and/or thread ID, the return value won't be unique when time is adjusted. But then, why would one call that function uniqid?

    Then, parameters seem to have evolved over time. The first one is a prefix string. Why on earth would anyone do that? String concatenation can easily be done after calling the function, as in $id = $prefix . uniqid();. The intention is clear: Choose a unique prefix per machine, combine that with some magic function that returns unique IDs per machine, and you have a globally unique ID. Unfortunately, that does not work if the magic function is not magic at all but returns some garbage based on time and probably process ID and / or thread ID.

    The next parameter is a boolean called more_entropy that enables uniqid() to add additional entropy (using the combined linear congruential generator) at the end of the return value, which increases the likelihood that the result will be unique. It is the recommended way to fix the problem of adjusting time:

    Use more_entropy to increase likelihood of uniqueness.

    A CLCG is a pseudo-random number generator, which generates a fixed set of numbers that will repeat. No, it won't make the result unique. The result will be less likely to be non-unique, but it DOES NOT make the result unique. How much less likely depends on the CLCG implementation and its input. It might be good enough for non-crypto purposes.

    It might be fatal to use uniqid, at least without more_entropy set to true, to create a session ID, for the same reasons explained in Re^4: Randomness encountered with CGI Session and in Re^6: Randomness encountered with CGI Session. And, as explained in the latter posting, UUIDs and GUIDs are not guaranteed to be unique, but they are only very likely to be unique.


    PHPMailer does not use any of the parameters for uniqid, so md5 is run on the current time in seconds concatenated with the current time in microseconds mixed with process and/or thread ID. It's not perfectly random, it can be predictable, and it does not matter at all. It's some more or less unique garbage that is unlikely to be contained in any MIME message.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
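
An added example, not code from either post or from PHPMailer: a Perl sketch of the point the reply ends on, that a boundary only has to be syntactically valid under RFC 2046 and absent from the parts it separates, so a predictable time-based value is acceptable as long as it is checked. The helper names (valid_boundary, collides, pick_boundary, build_multipart) and the sample parts are constructed for illustration; time_boundary is the construction quoted in the thread.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);
use Time::HiRes qw(gettimeofday);

# RFC 2046, 5.1.1: 1 to 70 characters from "bchars", not ending in a space.
sub valid_boundary {
    my ($cand) = @_;
    return $cand =~ m{\A[0-9A-Za-z'()+_,./:=? -]{1,70}\z} && $cand !~ / \z/;
}

# The construction quoted in the thread: time-based, so guessable.
sub time_boundary {
    return '==' . encode_base64(join('', gettimeofday()), '');
}

# A boundary collides when any part has a line starting with "--<boundary>".
sub collides {
    my ($boundary, @parts) = @_;
    my $delim = quotemeta("--$boundary");
    return scalar grep { /^$delim/m } @parts;
}

# Ask the generator for candidates until one is valid and collision-free.
sub pick_boundary {
    my ($gen, @parts) = @_;
    for my $attempt (1 .. 10) {
        my $cand = $gen->();
        return $cand if valid_boundary($cand) && !collides($cand, @parts);
    }
    die "no usable boundary after 10 attempts\n";
}

sub build_multipart {
    my ($boundary, @parts) = @_;
    my $msg = qq{Content-Type: multipart/mixed; boundary="$boundary"\r\n\r\n};
    $msg .= "--$boundary\r\nContent-Type: text/plain\r\n\r\n$_\r\n" for @parts;
    return $msg . "--$boundary--\r\n";
}

# Constructed sample parts; the second one quotes an older mail that used
# the single-word boundary "frontier".
my @parts = ("Hello,\nsee attached.\n", "quoted mail:\n--frontier\nold part\n");
my @queue = ('frontier');    # first candidate is the single word, then time-based
my $boundary = pick_boundary(sub { shift(@queue) // time_boundary() }, @parts);

print "single word 'frontier' collides: ",
    (collides('frontier', @parts) ? "yes" : "no"), "\n";
print build_multipart($boundary, @parts);
```

The same check does not carry over to session IDs or tokens, where the value must be unguessable rather than merely absent from the message.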
