> any malicious programmer could exploit it in their own web pages

You mean that a malicious programmer could be hired by someone
to code web pages for them and then take advantage of the person
hiring them.  Am I understanding?

If that's the case, then I still think that burden should be on the
person hiring the programmer...get someone you trust...if you don't
trust them, don't hire them.

I could exploit my customers in many malicious ways without
exploiting security weaknesses.  I don't because it's wrong.

But, like I said in another post...I'm sure I don't understand all the
security issues surrounding the decision, so I won't pass final judgment
on the W3C without better understanding...

Rick



-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 5:52 PM
To: CF-Talk
Subject: RE: Any reason why a file field can be submitted back to the
page it's on?


> Yep...looks like you're absolutely right...resubmission
> deletes the value from the field...bummer...I understand the
> security risk, but this is a secured area, I'm the only
> programmer, so the risk is practically non-existent.
>
> Seems to me the choice to take the risk should be mine...

If you're saying that, you don't understand the security risk. For this to
be possible, browsers would have to allow it, which means that any malicious
programmer could exploit it in their own web pages. What you're really
asking for is, for every user to take a risk visiting every other web page
because you, Rick, are trustworthy.

> Is there some way to store the string variable in the file
> field and reinsert it into the file field upon re-submission?
>  It's a real pain to have to re-load 5 file fields because
> there was an error in the form values...

You could place the file upload fields in a second form that is only
displayed after you've received the values from the first form. Or, you
could require JavaScript and use that for form validation. There are plenty
of usable solutions to solve your problem without you writing your own web
browser.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
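The second of Dave's two suggestions (require JavaScript and validate on the client so the page never has to reload with empty file fields) is sketched below. This is an added example, not code from the thread, from Fig Leaf or from House of Fusion. The field names (title, email, attachment1..attachment5) and the form id "upload" are assumptions for illustration. The code also shows the browser rule the thread is arguing about: script may read how many files a user selected, but assigning any non-empty string to a file input's .value throws an InvalidStateError, so there is no way to "reinsert" a path after a round trip.

```javascript
// Added example (not from the original thread): validate before submitting,
// so a bad text field never costs the user the five file selections.
// Field names and the form id are assumptions for illustration.

// Pure validation logic. Takes a plain object of field values (strings for
// text fields, a count of selected files for file fields) and returns a list
// of error messages. Kept DOM-free so it can be unit tested outside a browser.
function validateFormValues(values) {
  const errors = [];
  if (!values.title || values.title.trim() === "") {
    errors.push("Title is required.");
  }
  // Deliberately loose address check; the server still validates.
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(values.email || "")) {
    errors.push("E-mail address is not valid.");
  }
  // At least one attachmentN field must have a file chosen.
  const fileFields = Object.keys(values).filter((k) => k.startsWith("attachment"));
  const chosen = fileFields.filter((k) => values[k] > 0);
  if (chosen.length === 0) {
    errors.push("Choose at least one file to upload.");
  }
  return errors;
}

// Collect values from a form element (or anything with a form-like
// `elements` list). Text inputs contribute their string; file inputs
// contribute the number of files selected. Reading the selection is
// allowed; setting it from script is not (see canScriptSetFilePath).
function collectFormValues(form) {
  const values = {};
  for (const el of form.elements) {
    if (!el.name) continue; // unnamed controls (e.g. the submit button) are skipped
    values[el.name] = el.type === "file" ? el.files.length : el.value;
  }
  return values;
}

// Attach a submit handler that blocks the POST when validation fails.
// Because the page never reloads, the file inputs keep their selections
// and the user fixes only the offending text fields.
function wireUpForm(form, showErrors) {
  form.addEventListener("submit", (event) => {
    const errors = validateFormValues(collectFormValues(form));
    if (errors.length > 0) {
      event.preventDefault();
      showErrors(errors);
    }
  });
}

// Demonstrates the browser rule: per the HTML spec, setting a file input's
// .value to anything other than "" throws InvalidStateError. Returns true
// only if the assignment was accepted, which no conforming browser does.
function canScriptSetFilePath(input) {
  try {
    input.value = "C:\\fakepath\\report.pdf"; // constructed path, never used
    return true;
  } catch (e) {
    return false;
  }
}

// Browser-only wiring; skipped when run under Node.
if (typeof document !== "undefined") {
  const form = document.querySelector("form#upload"); // assumed form id
  if (form) {
    wireUpForm(form, (errors) => alert(errors.join("\n")));
  }
}
```

The first of Dave's suggestions (a two-step form, with the file fields shown only after the text values have been accepted) needs no client script at all and is the better fit when JavaScript cannot be required; the validation above then becomes a convenience layer in front of it rather than the only check.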




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241407
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54