daniel kessler wrote:
> I have a database of contracts.  I want the people entering the information 
> to be able to upload files to the website and the name of the file to the 
> database.  I have that, but I'm caught on the "accept" attribute.
> I want them to be able to upload most text oriented types of files (txt, 
> rtf,ppt,word, etc.) but since these are linked for download, I'd like that 
> they not be able to upload anything that might hurt the end-user on download, 
> so at the very least, no executables.  Sure I can check the links but until I 
> do, several downloads may occur.
> 
> So, how would I structure an "accept" so that it does this?  Also, which 
> other types of files should I exclude?  If it's an include-only list then I 
> don't have to exclude but I don't know which file types to enter ahead of 
> time because I may know a few of the file types ahead of time, but probably 
> not all of them.  So I'd rather exclude, I think.

CFFM doesn't use the ACCEPT attribute of cffile, since it gets the mime 
type from the browser.  You could, in theory, configure your browser to 
think that the mime type of a .EXE file was "text/plain", and then using 
the ACCEPT="text/plain" would allow that malicious user to upload an EXE 
file.

I haven't tested that though.

Instead, CFFM allows the file upload to proceed, then checks the file 
extension against a list of acceptable or unacceptable extensions.  If 
it doesn't like the file extension, it deletes the file immediately.

Rick
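The upload-then-check pattern Rick describes, written out in CFML as an added example (this is not CFFM's own code); the form field name `contractFile`, the `/contracts/` download directory and the allowed-extension list are assumptions for the contracts application in the question:

```cfml
<!--- Hypothetical upload handler for the contracts database.
      The extension allowlist is an assumption; extend it to the document
      types the data-entry users actually need. --->
<cfset allowedExtensions = "txt,rtf,doc,ppt,pdf">

<!--- Accept the upload with no ACCEPT attribute: the MIME type CFFILE would
      compare against is sent by the browser and is under the client's control. --->
<cffile action="upload"
        fileField="contractFile"
        destination="#getTempDirectory()#"
        nameConflict="makeunique"
        result="uploadResult">

<cfset uploadedPath = uploadResult.serverDirectory & "/" & uploadResult.serverFile>

<!--- Decide on the extension of the file the server actually saved, not on the
      client-supplied name or content type. ListFindNoCase compares
      case-insensitively, and a file with no extension yields "" and is rejected. --->
<cfif ListFindNoCase(allowedExtensions, uploadResult.serverFileExt)>
    <!--- Only an approved file is moved into the area linked for download,
          so nothing unchecked is ever reachable by end users. --->
    <cffile action="move"
            source="#uploadedPath#"
            destination="#expandPath('/contracts/' & uploadResult.serverFile)#">
    <cfoutput>Stored #uploadResult.serverFile#</cfoutput>
<cfelse>
    <!--- Disallowed extension: delete it immediately, as CFFM does. --->
    <cffile action="delete" file="#uploadedPath#">
    <cfoutput>Rejected #uploadResult.clientFile#: .#uploadResult.serverFileExt# is not an allowed type</cfoutput>
</cfif>
```

Because the decision is made on the stored file's extension rather than on the browser's content type, a renamed executable is rejected regardless of what MIME type the client claims.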



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217818
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4