Matt Robertson wrote:
>
> If I'm understanding you right and you're only doing extension checks
> it just seems that you're not using an important feature of cffile.
> Using both features would be ideal but on a given day with a typical
> user I'd say cffile accept= was a lot more powerful piece of
> protection.

According to Macromedia documentation, the browser uses the file extension to determine the MIME type. What are you trying to protect against?

The only difference I see is that I specify "jpg,jpe,jpeg,jpeg", while you would specify "image/jpeg,image/pjpeg".

The other difference I see is that if I were only checking MIME types, I could easily upload a .cfm by making my computer think .cfm was image/jpeg. If I were only checking extensions, then I could NEVER upload a .cfm file. That seems more secure to me.

- Rick
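
An added example, not part of the original message or thread: one way to apply both checks discussed above in CFML, with the extension of the file as written on the server as the deciding check and `accept=` as a secondary filter. The form field name `photo` and the staging and destination directories are assumptions.

```cfml
<!--- Added example; field name "photo" and directory names are assumptions. --->
<cfset allowedExt  = "jpg,jpe,jpeg">
<cfset allowedMime = "image/jpeg,image/pjpeg">

<!--- Stage outside the web root so nothing is reachable by URL before it is checked. --->
<cfset stagingDir = GetTempDirectory()>
<cfset finalDir   = ExpandPath("./uploads")> <!--- hypothetical destination --->

<cftry>
    <!--- accept= compares against the Content-Type sent by the browser,
          which the client controls, so it is only a first filter. --->
    <cffile action="upload"
            fileField="photo"
            destination="#stagingDir#"
            nameConflict="makeunique"
            accept="#allowedMime#">
    <cfcatch type="any">
        <cfoutput>Upload rejected.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<cfset staged = cffile.serverDirectory & "/" & cffile.serverFile>

<!--- Deciding check: extension of the file as saved on the server.
      An empty extension is not in the list and is rejected as well. --->
<cfif NOT ListFindNoCase(allowedExt, cffile.serverFileExt)>
    <cffile action="delete" file="#staged#">
    <cfoutput>Upload rejected: extension not allowed.</cfoutput>
    <cfabort>
</cfif>

<!--- Store under a server-generated name; only the validated extension is kept. --->
<cfset finalName = CreateUUID() & "." & LCase(cffile.serverFileExt)>
<cffile action="move" source="#staged#" destination="#finalDir#/#finalName#">
<cfoutput>Stored as #finalName#</cfoutput>
```

A `.cfm` file sent with a Content-Type of `image/jpeg` passes the `accept=` filter here but is deleted by the extension check before it reaches the destination directory.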

