On Fri, 17 Dec 2004 11:12:58 -0800 (PST), Joe Smith <[EMAIL PROTECTED]> wrote:
> Howard,
> 
> yes, I am using item.getName(), so when I do the upload, I should create the 
> file without the path, just the file name only, and it will append that file 
> as HTTP request? Like you said, I should use test.java, instead of 
> C:\test.java, or C:/test.java? Is that the point here? Please advise more. 
> Thanks
> 

You definitely should never be trying to store a file on the server
using a path provided by the client. That is a recipe for disaster.
Just imagine the consequences of a user uploading a critical system
file that would then be clobbered on the server.

If you need to preserve the original name of the file itself, you
should strip the path off the front of the file name first. (Note that
not all browsers provide the path - some only provide the base file
name in the first place, which is much more sane and secure.) However,
I would recommend that you not try to use the name of the file in the
server file system, and just keep that information around as metadata
if you need it.

--
Martin Cooper


> Howard Lin <[EMAIL PROTECTED]> wrote:
> I guess probably you are using the file name from item.getName() to
> create a File and pass it to write. The file name may contain the client
> machine path. For example, you will get c:/test.java instead of
> test.java if the user types c:/test.java. So what I do is always strip
> the path from the file name. Hope this helps.
> 
> Howard
> 
> On Wed, 15 Dec 2004 18:25:44 -0800 (PST), Joe Smith wrote:
> >
> > I am using common file upload API in the Java program, and it is able to 
> > upload any files except when the user tries to enter the backslash, or double 
> > slashes (//) in the browse file text box, not using the browse button. For 
> > example, C:/test.java will produce the following error. But if I do 
> > C:\test.java, then it's perfect
> >
> > A file or directory in the path name does not exist.)
> >     at java.io.FileOutputStream.open(Native Method)
> >     at java.io.FileOutputStream.<init>(FileOutputStream.java(Compiled Code))
> >     at java.io.FileOutputStream.<init>(FileOutputStream.java(Inlined Compiled Code))
> >     at org.apache.commons.fileupload.DefaultFileItem.write(DefaultFileItem.java(Compiled Code))
> >
> > so the only workaround is to implement javascript myself? Maybe common file 
> > upload doesn't take care of those cases.
> >
> > please advise. thanks
> >
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>
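The advice in the reply above, as an added example that is not code from the thread or from Commons FileUpload: the value returned by item.getName() is reduced to a base name and kept only as metadata, while the file on disk gets a server-generated name. The class SafeUploadStore, its methods, the ".upload" suffix and the sample names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

public class SafeUploadStore {                      // hypothetical helper class
    /** Where the bytes were written, plus the client's name kept purely as metadata. */
    public static final class Stored {
        public final Path location;
        public final String originalName;
        Stored(Path location, String originalName) {
            this.location = location;
            this.originalName = originalName;
        }
    }

    /** Drop any client-side directory part, whichever separator the browser sent. */
    static String baseName(String clientName) {
        if (clientName == null) return "";
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String name = clientName.substring(cut + 1).trim().replaceAll("\\p{Cntrl}", "");
        // "." and ".." are directory references, not file names.
        return (name.equals(".") || name.equals("..")) ? "" : name;
    }

    /** The on-disk name is generated by the server; nothing from the client reaches the path. */
    static Stored store(Path uploadDir, String clientName, InputStream data) throws IOException {
        Path dir = uploadDir.toAbsolutePath().normalize();
        Files.createDirectories(dir);
        Path target = dir.resolve(UUID.randomUUID() + ".upload").normalize();
        if (!target.startsWith(dir)) throw new IOException("target escapes upload directory");
        Files.copy(data, target);                   // throws if the file already exists
        return new Stored(target, baseName(clientName));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        // Constructed sample values standing in for item.getName().
        String[] names = {"C:\\test.java", "C:/test.java", "test.java", "../../etc/passwd"};
        for (String n : names) {
            InputStream body = new ByteArrayInputStream("demo".getBytes(StandardCharsets.UTF_8));
            Stored s = store(dir, n, body);
            System.out.println(n + " -> " + s.location.getFileName() + " (metadata: " + s.originalName + ")");
        }
    }
}
```

Every sample name, including the one containing "../", ends up as a UUID-named file inside the upload directory, and only the stripped base name is recorded alongside it.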
