Validating file type extensions
How to prevent exe file upload in asp.net mvc.
If you are trying to prevent users uploading dangerous content, preventing them from uploading exe files isn't enough. This is a black list approach. Much better is to ask yourself what are the valid file types you do support and block all others. This is a white list.
To allow certain file types you can check for the extension, but perhaps also validate the file header (the first couple of bytes from a file) to detect whether it is actually of the type you expect. You will have to figure out for each file type what the possible headers are.
Good luck.
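The allow-list-plus-header check described in the answer, as an added example that is not part of the original post. `UploadValidator` and `IsAllowed` are hypothetical names, and the set of supported types is an assumption; in an MVC action the helper would be called with the posted file's `FileName` and `InputStream`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

public static class UploadValidator   // hypothetical helper, not from the original answer
{
    // Allow list (assumed set of types): each extension maps to the header bytes it must start with.
    static readonly Dictionary<string, byte[][]> Allowed =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".gif",  new[] { Encoding.ASCII.GetBytes("GIF87a"), Encoding.ASCII.GetBytes("GIF89a") } },
        { ".pdf",  new[] { Encoding.ASCII.GetBytes("%PDF-") } },
    };

    public static bool IsAllowed(string fileName, Stream content)
    {
        string ext;
        try { ext = Path.GetExtension(fileName ?? ""); }  // last extension only: "a.pdf.exe" -> ".exe"
        catch (ArgumentException) { return false; }        // illegal characters in the name
        byte[][] signatures;
        if (!Allowed.TryGetValue(ext, out signatures)) return false;  // anything not listed is rejected

        // Read just enough bytes to compare against the longest signature for this type.
        byte[] head = new byte[signatures.Max(s => s.Length)];
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0) read += n;
        if (content.CanSeek) content.Seek(0, SeekOrigin.Begin);       // rewind so the file can still be saved

        // The content must start with one of the signatures for the claimed extension.
        return signatures.Any(s => read >= s.Length && head.Take(s.Length).SequenceEqual(s));
    }

    public static void Main()
    {
        // Constructed sample inputs: a PNG header, and an "MZ" executable header.
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 };
        byte[] exe = { 0x4D, 0x5A, 0x90, 0x00 };
        Console.WriteLine("logo.png  (PNG bytes): " + IsAllowed("logo.png", new MemoryStream(png)));
        Console.WriteLine("logo.png  (MZ bytes):  " + IsAllowed("logo.png", new MemoryStream(exe)));
        Console.WriteLine("setup.exe (MZ bytes):  " + IsAllowed("setup.exe", new MemoryStream(exe)));
    }
}
```

A matching header only shows that the file starts like the claimed type; it does not vouch for the rest of the content, so uploads should still be stored outside any location where the server would execute them.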