简体繁体 English

上传文件并发送到电子邮件

[英]Upload file and send to email

原文 2013-04-09 20:09:43 7 1 php/ email-attachments

This might be a stupid question but I just want to know if I have a form that allow user to upload upto 3 images files and email those images to me to a outside server. 这可能是一个愚蠢的问题，但是我只想知道我是否有一个允许用户上传最多3个图像文件并将这些图像通过电子邮件发送给我的外部服务器的表单。 The question is if I just check the extension of the to make sure it is the type of file I wanted without checking the actual file type will that be any security issues for my server? 问题是我是否只检查的扩展名，以确保它是我想要的文件类型，而不检查实际的文件类型，这对我的服务器是否有安全性问题？ I know upload file have to first save the file temporary to my server. 我知道上传文件必须先将文件临时保存到我的服务器。 Any help will be appreciated. 任何帮助将不胜感激。 thx. 谢谢。

1 个解决方案

The file extension is definitely not a reliable indicator of file type -- any file type can be named with any extension. 文件扩展名绝对不是文件类型的可靠指示-任何文件类型都可以使用任何扩展名命名。 Something like libmagic can help you better determine the file type, if that's what you want to do. 如果您要这样做， libmagic可以帮助您更好地确定文件类型。

That said, so long as your server does not execute any files sent to it, and acts only as a mailer, I don't see any risk involved with users uploading malicious files, at least not to the server itself. 就是说，只要您的服务器不执行发送给它的任何文件，而仅充当邮件程序，我就不会看到用户上传恶意文件的风险，至少不会上传到服务器本身。 Other aspects of the server configuration may make the existence of executable files on the server a problem, but the mailer itself isn't a particular risk. 服务器配置的其他方面可能会使服务器上存在可执行文件成为问题，但是邮件程序本身并不是特别的风险。

Of course, setting up any application that allows someone to send mail from the web requires a certain level of authorization security, to avoid having your application used as a spamming mechanism. 当然，设置任何允许某人从Web发送邮件的应用程序都需要一定级别的授权安全性，以避免将您的应用程序用作垃圾邮件发送机制。 If the mail is only being sent to yourself, then you're the only one who would get spammed, but it still might be rather annoying. 如果只是将邮件发送给自己，那么您是唯一会被发送垃圾邮件的人，但它仍然可能会令人讨厌。