Hi Matt, I thought that both PHP and CFM looked at the file headers to evaluate the mime type?
If that is the case, then you can compare the extension of the uploaded file with its mime type to check that they are an appropriate match.

Would be interested to know if CFM does not use the file headers to get the mime type. If not, then perhaps PHP is safer for file upload processing?

Cheers,
Martyn

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 25, 2006 1:33 PM
To: CF-Talk
Subject: Re: Mime Type for File Upload

Bear in mind that cffile simply matches the mime type to its allowed extension... so if someone wants to upload an .exe file all they have to do is give it a .pdf extension. Plan your security for that as best you can. For example don't allow file renaming!

--
[EMAIL PROTECTED]
Janitor, MSB Web Systems
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:257941
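
Added example, not part of the original thread: a PHP check of the kind discussed above, comparing an upload's extension with a MIME type detected from the file's content through the fileinfo extension rather than taken from the name or the browser-supplied type. The allowlist, the function name and the sample byte strings are constructed for illustration.

```php
<?php
// Added example: accept an upload only when the MIME type detected from its
// content matches the type expected for its extension.

// Allowlist (assumed for this example): extension => expected MIME type.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/**
 * Returns true only when $name has an allowed extension and the bytes in
 * $content are detected as the MIME type paired with that extension.
 */
function upload_matches_extension(string $name, string $content): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return false; // extension is not on the allowlist
    }
    // finfo inspects the bytes themselves, not the file name.
    // For a real upload, call $finfo->file() on the temporary upload path.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($content);
    return $detected === ALLOWED_TYPES[$ext];
}

// Constructed sample inputs (not real files).
$samples = [
    'report.pdf'  => "%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n",
    // Executable header ("MZ") under a .pdf name, the case Matt describes.
    'invoice.pdf' => "MZ\x90\x00\x03\x00\x00\x00" . str_repeat("\x00", 56),
    'notes.exe'   => "MZ\x90\x00",
];

foreach ($samples as $name => $content) {
    $verdict = upload_matches_extension($name, $content) ? 'accept' : 'reject';
    printf("%-12s %s\n", $name, $verdict);
}
```

A matching signature only shows that the leading bytes look right for the extension, so this check sits alongside, and does not replace, controls such as the no-renaming rule mentioned in the quoted message.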