OK, well, in the case that anyone does have code which works in this way but
does not have a non-web-accessible folder to upload to because their host
does not give you this, then the other option would be to create an UPLOADS
folder and secure this folder with .htaccess or whatever method your host
provides so that files in this folder cannot be executed.
You then move the file from this folder after upload and validation.




On Sun, Jun 16, 2013 at 4:36 PM, Raymond Camden <[email protected]> wrote:

>
> Was just sharing it as an example. I was *convinced* this was secure since
> it was an immediate check. I couldn't check it in cffile cuz I needed to
> support multiple different extensions.
>
>
> On Sun, Jun 16, 2013 at 10:34 AM, Russ Michaels <[email protected]> wrote:
>
> >
> > OK, but that issue would only occur if you DO NOT check the file extension
> > before uploading it to the server, which is what you were doing; you were
> > uploading it and then validating it afterwards.
> > Obviously I would not suggest anyone does that; you should definitely check
> > the file extension before you upload anything to the server and not accept
> > any type of file which can be executed.
> >
> >
> > On Sun, Jun 16, 2013 at 4:21 PM, Raymond Camden <[email protected]> wrote:
> >
> > >
> > > On Sun, Jun 16, 2013 at 9:45 AM, Russ Michaels <[email protected]>
> >
> >
>
>
> 
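
The upload, validate, then move sequence described at the top of this message, as an added example that is not code from anyone in this thread. The folder paths, the form field name `upload` and the extension allowlist are assumptions, and the uploads folder is assumed to already be configured so that the web server will not execute anything in it.

```cfml
<!--- Added example. Paths, field name and allowlist below are assumptions. --->
<cfset allowedExtensions = "jpg,jpeg,png,gif,pdf">

<!--- Landing folder: locked down so files in it cannot be executed --->
<cfset uploadsDir = expandPath("/uploads") & "/">
<!--- Final folder that files are served from after they pass validation --->
<cfset finalDir = expandPath("/files") & "/">

<!--- 1. Land the file in the locked-down folder; makeunique avoids overwriting --->
<cffile action="upload"
        filefield="upload"
        destination="#uploadsDir#"
        nameconflict="makeunique"
        result="up">

<cfset landed = up.serverDirectory & "/" & up.serverFile>
<cfset ext = lCase(up.serverFileExt)>

<!--- 2. Validate against an allowlist; anything else is deleted where it landed --->
<cfif NOT listFindNoCase(allowedExtensions, ext)>
    <cffile action="delete" file="#landed#">
    <cfthrow type="Upload.Rejected" message="File type not allowed.">
</cfif>

<!--- 3. Move out under a server-generated name, so the client-supplied
         file name never reaches the served folder --->
<cfset target = finalDir & createUUID() & "." & ext>
<cffile action="move" source="#landed#" destination="#target#">
```

Because the check runs while the file still sits in the non-executable folder, a rejected file is never reachable as runnable code in the window between upload and validation.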

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355949