Thanks for the advice, Mosh!

Rick

-----Original Message-----
From: Mosh Teitelbaum [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 25, 2006 9:44 AM
To: CF-Talk
Subject: RE: Mime Type for File Upload

Rick Faircloth wrote:
> Need to specify the CFFILE "Accept" attributes for .doc and .pdf.
>
> What would those be?
>
> I know Accept  = "application/msword" would accept
> Word docs, but would they be limited .doc filetype?
>
> And what about .pdf. application or text or ???
>
> I want to limit uploads to .doc and .pdf only.

Rick:

The two Mime-Types you're after are application/msword and application/pdf.
You would use these like:

        <CFFILE ACTION="Upload" ACCEPT="application/msword,application/pdf"
.... >

ColdFusion does, in fact, use the HTTP headers to determine the Mime-Type of
the uploaded file.  The browser automatically determines the Mime-Type and
includes that as an HTTP header.  How the browser determines it is browser
and OS dependent.  Most browsers and OSs simply use the file's extension to
determine the file type.

Because of the trusting nature of HTTP, if someone wants to fool your
system, they're almost certainly going to be able to.  The user can change
the file extension, manually construct the HTTP header to specify an
incorrect Mime-Type, etc.  The only fool-proof way for you to guarantee that
you're getting what you expect is to have some sort of server-side
application that can check the CONTENTS of the uploaded file to ensure it is
what you think it is (ex. unzip utilities can often run a verification
operation on a file to validate that it is a ZIP file).  Checking the
filename and/or extension is not the least bit fool-proof.

The other extra precaution you can take, especially if you allow people to
upload files directly into a web-accessible path, is to run a virus scan on
the file as soon as it's uploaded.  Most modern AV solutions can scan
multiple file types (exe, com, doc, xls, zip, rar, etc.) for viruses.  Even
JPG files can contain malware.

HTH
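The server-side content check Mosh describes above, written out as an added example (not code from the thread, and in Python rather than CFML). It ignores the extension and the browser-supplied Mime-Type as evidence and looks at the leading bytes instead: every PDF opens with `%PDF-`, and a legacy .doc is an OLE2 compound document whose header is `D0 CF 11 E0 A1 B1 1A E1`. The sample uploads, the `validate_upload` function and the `UploadDecision` result type are all constructed for this example. One caveat worth knowing: the OLE2 header is shared with other binary Office formats (.xls, .ppt), so a stricter .doc check would have to parse the compound file and look for the Word stream.

```python
"""Content-based validation of uploaded files (added example, not from the thread).

Demonstrates the "check the CONTENTS of the uploaded file" advice: the
browser's Mime-Type header and the filename extension are treated as
untrusted hints; the file's leading bytes decide whether it is kept.
"""
from dataclasses import dataclass
from typing import Optional

# Leading bytes ("magic numbers") of the two formats this thread accepts.
MAGIC = {
    "application/pdf": b"%PDF-",
    "application/msword": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}

# Extension each detected type must carry: a PDF uploaded as memo.doc is
# refused, since a mismatch usually means a renamed or crafted file.
EXPECTED_EXT = {"application/pdf": ".pdf", "application/msword": ".doc"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the Mime-Type implied by the file header, or None if unknown."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


@dataclass
class UploadDecision:
    accepted: bool
    detected: Optional[str]
    reason: str


def validate_upload(filename: str, claimed_mime: str, data: bytes) -> UploadDecision:
    """Decide whether to keep an upload. Only the bytes are authoritative."""
    detected = sniff_type(data)
    if detected is None:
        return UploadDecision(False, None, "content does not match an allowed format")
    parts = filename.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext != EXPECTED_EXT[detected]:
        return UploadDecision(False, detected,
                              f"extension {ext!r} does not match content ({detected})")
    if claimed_mime != detected:
        # Content is acceptable; the client's header was wrong. Worth logging.
        return UploadDecision(True, detected,
                              f"accepted; client claimed {claimed_mime!r}, content is {detected}")
    return UploadDecision(True, detected, "accepted")


# Constructed sample uploads (file headers only, not real documents).
SAMPLES = {
    "real_pdf": ("brochure.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    "real_doc": ("memo.doc", "application/msword",
                 b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),
    "renamed_binary": ("memo.doc", "application/msword", b"MZ\x90\x00\x03\x00\x00\x00"),
    "docx_as_doc": ("memo.doc", "application/msword", b"PK\x03\x04\x14\x00\x06\x00"),
    "pdf_as_doc": ("memo.doc", "application/msword", b"%PDF-1.7\n"),
}


def run_samples() -> dict:
    """Map each sample name to whether it would be accepted."""
    return {name: validate_upload(*args).accepted for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        decision = validate_upload(*args)
        print(f"{name:15} accepted={decision.accepted!s:5} {decision.reason}")
```

Run it and the two genuine files are kept while the renamed binary, the zip-based .docx and the PDF carrying a .doc extension are all refused, regardless of what the browser claimed. In a CFFILE-based upload the equivalent step is to read the first few bytes of the uploaded file after the upload completes and delete it if they do not match.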


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258008