PHP Mailer上传文件的正确方法

Question

Hi can someone help with this bit of code I am trying use to handle and test my file uploads in PHPMailer? It basically checks that the file is correct and then renames the file name by using the users name plus field name and a date and time. There are multiple files but I am not using a multi uploader but instead separate fields so I can keep a track of which file is which.

The script seems to work and there are no errors in the php error logs but I'm told this is a security flaw in my previous post and that my "pathinfo call should be testing the path to the tmp_name of the actual file and NOT the given original name. This is a serious security flaw."

Unfortunately I'm not sure which of the 2 usages of pathinfo is wrong. If I change $file["name"] to $file["tmp_name"] for $imageFileExt then I don't get a file extension and if I change $file["name"] to $file["tmp_name"] on $imageFileType then I just get wrongfile error. Any help would be much appreciated. Thanks.

    foreach ( $_FILES as $key => $file ) {
    
    //get the file extension
                $imageFileExt = strtolower( pathinfo( $file["name"], PATHINFO_EXTENSION ) );
    
//change the name of each file in $_FILES array to 
//the persons name plus file field plus date plus time plus file extension 
//such as :joe_bloggs_bank_statement_1_9_10_21_10_55.jpg
//and joe_bloggs_pay_slip_1_9_10_21_10_55.jpg
                $file['name'] = clean($_POST['appName']). "_" . $key . "_" . $dateKey . "." . $imageFileExt;
    
    // get the file type
                $target_file = $target_dir . basename($file["name"]);
                $imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
    
    
    // get file size
                $check = getimagesize($file["tmp_name"]);
                if($check === false) {
                    $fileMessage .=  $key."=noimage,";
                    $uploadOk = 0;
                }
    
    // Allow certain file formats
    
            else if($imageFileType !== "jpg" && $imageFileType !== "png" && $imageFileType !== "jpeg"
                   && $imageFileType !== "gif" ) {
                    $fileMessage .=  $key."=wrongfile,";
                    $uploadOk = 0;
                }
    
    // Check if file already exists
            else if (file_exists($target_file)) {
                    $fileMessage .=  $key."=fileexists,";
                    $uploadOk = 0;
                }
    
    
    // Check file size
            else if ($file["size"] > 20000000) { //20mb
                    $fileMessage .=  $key."=toobig,";
                    $uploadOk = 0;
                }
    // creates a set of links to the uploaded files on the server 
    // to be placed in the body of the email (the files themselves do not get attached in the email
                $fileString .= strtoupper($key).": <a href='example.com/uploads/".$file['name']."'>".$file['name']."</a><br>";
    
    
            }

Answer 1

I think you may be confused by the distinction between these things. The file itself is a bunch of bytes provided by the user. Its filename is metadata about that file, also supplied by the user. The tmp_name is also metadata about the file, but is safe because it is not supplied by the user.

At no point are you using move_uploaded_file() or is_uploaded_file() . These are necessary to validate that the uploaded files are real uploaded files that have been handled correctly by PHP before your script is run. That's the very first thing you should do before trusting anything else in $_FILES .

The reason it's important to not trust the name property is that filenames can be used as an attack vector, for example by including path traversal sequences (such as ../ ), SQL escapes ( ' ), or characters that might do unexpected things if used in shell contexts ( \ , > , etc). The tmp_name is generated by PHP itself and does not contain user-supplied data, though you need to use the functions mentioned above to ensure that this is real data and not also injected by the user.

Similarly, the filename can't be relied upon to tell you accurately what type a file is – search for "polyglot files" for why that can be a problem.

You don't show what's in your clean() function, so we can't say whether what it does is effective.

In your previous question I referred you to the PHPMailer send file upload example . This shows how to handle an upload safely. For example, it takes whatever name is provided and hashes it, producing a string that is guaranteed to be safe from user-supplied data that is not.