Posted by Gordon Burditt on 01/31/07 00:31

>I have created a script which attaches form uploaded files to an
>email. What security is suggested to prevent attachments which may
>contain viruses, etc. from being uploaded?

If the uploaded file is coming from an untrusted source, don't trust
it. It's probably SPAM. The worst stuff is just straight text
files that contain stuff that infects human minds (like MAKE MONEY
FAST chain letters).

>I am running finfo_file()
>to determine the mime-types of the files being uploaded, so it should
>easy to exclude certain types of files based on this, or the file's
>extension.

Not nearly enough. MIME types and file names can be arbitrarly set to
misrepresent the contents.

[Back to original message]