
Mail Attachment Security

I have created a script which attaches form uploaded files to an
email. What security is suggested to prevent attachments which may
contain viruses, etc. from being uploaded? I am running finfo_file()
to determine the mime-types of the files being uploaded, so it should
be easy to exclude certain types of files based on this, or the file's
extension.

Also, I would like to send an alternative text with this email. Is
there a good script out there that removes HTML and converts to simple
formatted text?

TIA!
Jan 30 '07 #1
3 Replies


>I have created a script which attaches form uploaded files to an
>email. What security is suggested to prevent attachments which may
>contain viruses, etc. from being uploaded?

If the uploaded file is coming from an untrusted source, don't trust
it. It's probably SPAM. The worst stuff is just straight text
files that contain stuff that infects human minds (like MAKE MONEY
FAST chain letters).

>I am running finfo_file()
>to determine the mime-types of the files being uploaded, so it should
>be easy to exclude certain types of files based on this, or the file's
>extension.

Not nearly enough. MIME types and file names can be arbitrarily set to
misrepresent the contents.

Jan 31 '07 #2

On Wed, 31 Jan 2007 00:31:40 -0000, go***********@burditt.org (Gordon
Burditt) wrote:
>>I have created a script which attaches form uploaded files to an
>>email. What security is suggested to prevent attachments which may
>>contain viruses, etc. from being uploaded?
>
>If the uploaded file is coming from an untrusted source, don't trust
>it. It's probably SPAM. The worst stuff is just straight text
>files that contain stuff that infects human minds (like MAKE MONEY
>FAST chain letters).
>
>>I am running finfo_file()
>>to determine the mime-types of the files being uploaded, so it should
>>be easy to exclude certain types of files based on this, or the file's
>>extension.
>
>Not nearly enough. MIME types and file names can be arbitrarily set to
>misrepresent the contents.

While I may agree with you, my client wants an upload so that is what
she gets. I may have to send the mails via SMTP so they run through a
Brightmail service and then Spam Assassin instead of going directly to
her mailbox. I was just hoping for something a bit simpler.
Jan 31 '07 #3

>While I may agree with you, my client wants an upload so that is what
>she gets. I may have to send the mails via SMTP so they run through a
>Brightmail service and then Spam Assassin instead of going directly to
>her mailbox. I was just hoping for something a bit simpler.

That might make your client secure, at the expense of racking up
counts of spam sent apparently by your web site to Brightmail. That
could cause trouble (blocking) down the road.

You could install several major antivirus programs and spam filter
on your web site, and run all the attachments through all of those.
I'm not sure that's simpler.
Feb 1 '07 #4
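
The type check discussed in this thread, written out as an added example (not code from any poster): it allowlists the type that finfo_file() detects from the file's bytes, requires the claimed extension to agree with it, and generates the attachment name itself. The allowlist, size limit and function name are assumptions for illustration; passing this check narrows what gets attached but does not show the content is harmless, so it does not replace the scanning suggested above.

```php
<?php
// Added example: allowlist check for one uploaded file before it is attached.
// MAX_BYTES, ALLOWED and check_attachment() are illustrative assumptions.

const MAX_BYTES = 5 * 1024 * 1024;
// Detected MIME type => extensions accepted for that type.
const ALLOWED = [
    'application/pdf' => ['pdf'],
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'text/plain'      => ['txt'],
];

/**
 * Returns [safeFilename, mimeType], or throws if the upload is rejected.
 * $file is one entry of $_FILES.
 */
function check_attachment(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a path that PHP itself created for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // Type derived from the file's bytes; $file['type'] is client-supplied and ignored.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // The claimed extension must agree with the detected type.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED[$mime], true)) {
        throw new RuntimeException('extension does not match content');
    }
    // Generate the attachment name so no client-supplied characters
    // (CR/LF, quotes, path separators) reach the MIME headers.
    $safeName = 'upload-' . bin2hex(random_bytes(4)) . '.' . ALLOWED[$mime][0];
    return [$safeName, $mime];
}
```

Call it with one entry of `$_FILES` and use the returned name and type, not the client's, when building the MIME part.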
