But isn't the CFFILE ACCEPT parameter a more sound way to govern file
acceptability than a simple extension check?  Sure, on any given day
anything can be spoofed, but someone with a much higher knowledge
level would have to be making the attempt.

I've seen literally dozens of attempts to send up bad file types,
followed by manipulation of the extension (I set up the uploader to
email me when such things happen, with details).  These aren't
malicious users, but dopey, headstrong ones who want to get their way
or think the program is broken and they have this magic way to fix it
(instead they got a supervisory reprimand in their employee jackets). 
They were typical CMS users: staffers with just barely enough
knowledge to be dangerous, but no more.

If I'm understanding you right and you're only doing extension checks,
it just seems that you're not using an important feature of cffile.
Using both features would be ideal, but on a given day with a typical
user I'd say cffile accept= was a much more powerful piece of
protection.

-- 
--Matt Robertson--
President, Janitor
MSB Designs, Inc.
mysecretbase.com
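
Using both checks together, as the message suggests, could look like the following. This is an added example, not code from the original post; the form field name `upload`, the staging path, the allow-lists and the e-mail addresses are assumptions.

```cfml
<!--- Added example. Field name, paths, lists and addresses are assumed values. --->
<cfset allowedMime = "image/gif,image/jpeg,image/png,application/pdf">
<cfset allowedExt  = "gif,jpg,jpeg,png,pdf">
<!--- Staging directory outside the web root, so a saved file cannot be requested directly --->
<cfset stagingDir  = "D:/uploads/staging">

<cftry>
    <!--- Layer 1: CFFILE throws if the upload's MIME type is not in ACCEPT --->
    <cffile action="upload"
            filefield="upload"
            destination="#stagingDir#"
            accept="#allowedMime#"
            nameconflict="makeunique">

    <!--- Layer 2: extension allow-list, checked on the name the server saved.
          An empty extension is not in the list, so it is rejected as well. --->
    <cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
        <cffile action="delete" file="#cffile.serverDirectory#/#cffile.serverFile#">
        <cfset rejectReason = "Extension '#cffile.serverFileExt#' not allowed; reported type was #cffile.contentType#/#cffile.contentSubType#, client file name #cffile.clientFile#">
    </cfif>

    <cfcatch type="any">
        <!--- Covers the ACCEPT mismatch as well as any other upload failure --->
        <cfset rejectReason = "CFFILE refused the upload: #cfcatch.message#">
    </cfcatch>
</cftry>

<cfif isDefined("rejectReason")>
    <!--- Notify the administrator with details, as the post describes doing --->
    <cfmail to="admin@example.com" from="uploader@example.com" subject="Rejected upload">
Time:   #dateFormat(now(), "yyyy-mm-dd")# #timeFormat(now(), "HH:mm:ss")#
Client: #cgi.remote_addr#
Reason: #rejectReason#
    </cfmail>
    <cfoutput>That file type is not accepted.</cfoutput>
<cfelse>
    <cfoutput>Upload stored as #htmlEditFormat(cffile.serverFile)#.</cfoutput>
</cfif>
```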
