If I have understood correctly, you simply dont want the user to have to select and upload the file again?
Heres what I do in this situation: The file gets uploaded anyway. Give it a unique name e.g. use a UUID, and put it in a temp dir. Store the name of the temp file in a hidden form variable. Display the user friendly name of the file (the one from the form field) above the file field. So you have in the form: Your current file: something.jpg Upload new file: [ ][Browse...] This means the user does not have to select / upload again, just because there is a server side validation problem with another field. When the user completes the form correctly, you have the name of the file in the temp dir from the hidden form field. You can do whatever you need from there. Rick Faircloth wrote: > So, to enable the kind of functionality I'm proposing would mean > to provide complete open access to all files on a site visitor's system? > > If that's the case, then I understand why the W3C wrote it out of the > specs. > > However, since Javascript and Active X have been suggested as > alternatives to accomplish my programming goals, how can Javascript > or Active X accomplish this without creating the vulnerability? > (Although I haven't used it in programming, I know Active X has a > reputation for creating vulnerabilities, and I guess Javascript, too) > > Rick > > -----Original Message----- > From: Jochem van Dieten [mailto:[EMAIL PROTECTED] > Sent: Thursday, May 25, 2006 5:01 AM > To: CF-Talk > Subject: Re: Any reason why a file field can be submitted back to the > page it's on? > > > Rick Faircloth wrote: > >>> any malicious programmer could exploit it in their own web pages >>> >> You mean that a malicious programmer could be hired by someone >> to code web pages for them and then take advantage of the person >> hiring them. Am I understanding? >> > > No. > > > >> But, like I said in another post...I'm sure I don't understand all the >> security issues surrounding the decision, so I won't pass final judgment >> on the W3C without better understanding... >> > > Let's say I rip out this security from Firefox and compile a > Firefox version specially for you. You start using it. Everybody > starts using it. You visit one of my websites and through some > slick, hidden HTML I decide that you should upload your Filezilla > profile to my website. Your browser, without this security, > uploads the asked file to me. I now have a copy of all your FTP > passwords. > > Jochem > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:241432 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
