The Robertson Team


 

 
 
 
 
 

How can I safely upload files?

ColdFusion's CFFILE tag lets you upload files from a web-based form. However, letting users upload files to a web server without any constraints is a bad idea.

The code below will impose a file size constraint of your choice, will only accept certain file types and will show a 'friendly' error message via try/catch error handling.

While this method isn't foolproof (your browser will have to actually upload the file to the server before any of these checks can take place) it represents the best case when using CFFILE.

<cfif isdefined ("url.Action")>
   <!---
   Test the file size
   --->

   <cfif val(cgi.content_length) gt 1024000>
      <!---
      the file size is over the limit of 1mb.  Refuse to upload it
      --->

      <cfset variables.Success="Too Big!  No dice.">
   <cfelse>
      <!---
      the file is within the limit specified.  Define the accepted
      MIME types. this example accepts GIF, JPEG and PNG images.
      --->

      <cfset request.AcceptImage=
      "image/gif,image/jpg,image/jpeg,image/pjpeg,image/png,image/x-png">

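      <!---
      now try to upload the file.  Note that this destination is the
      web root, so anything saved here can be requested by URL, and
      OVERWRITE lets an upload replace an existing file of the same
      name.  A directory outside the web root is the safer target.
      --->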

      <cftry>
      <cffile
         action="Upload"
         filefield="FileContents"
         destination="c:\cfusionmx\wwwroot\"
         nameconflict="OVERWRITE"
         accept="#request.AcceptImage#">
      <cfset variables.Success="Uploaded.">
      <cfcatch type="Application">

         <!---
         something went wrong.  Was it a mime type failure?
         --->

       <cfif isdefined("cfcatch.MimeType")>
             <!---
             yes it was.  show the friendly error message.
            --->

            <cfif not ListFindNoCase(request.AcceptImage,cfcatch.MimeType)>
                <h1>Fool!</h1>
                <p>This type of file is not allowed for upload.<br>
                All that user training really paid off.</p>
                <p>Try again...</p>
            <cfelse>

                <!---
                Hmmm.  the mimetype is there but the file was on the  
                list. Better dump out the whole error message.
                --->
     
                <cfoutput>
                <b>Error</b><br>
                #cfcatch.Message#
                #cfcatch.Detail#
                </cfoutput>
            </cfif>
         <cfelse>
             <!---
             Hmmm.  No mimetype error in the catch scope.
             Better dump out the whole error message.
             --->
 
             <cfoutput>
             <b>Error</b><br>
             #cfcatch.Message#
             #cfcatch.Detail#
             </cfoutput>
         </cfif>
         <cfabort>
      </cfcatch>
      <cfcatch type="Any">
         <cfoutput>
         <b>Error</b><br>
         #cfcatch.Message#
         #cfcatch.Detail#
         </cfoutput>
         <cfabort>
      </cfcatch>
      </cftry>
   </cfif>
</cfif>

<!---
Display the form
--->

<html><head><title>Uploader Test</title></head><body>
<cfif isdefined ("url.Action")>
   <cfoutput>
   Your file was #variables.Success#
   </cfoutput>
</cfif>
<cfoutput>
<form
   action="#cgi.script_name#?Action=Y"
   method="post"
   enctype="multipart/form-data">
</cfoutput>
Source File Name:<BR>
<input
   name="FileContents"
   type="FILE"
   size="45"><br>
<input
   type="submit"
   value="Upload File">
</form>
</body></html>
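
A hardened variant of the upload step, added here as an example and not part of the original tutorial. The MIME type in an upload is a client-supplied header, so this version also checks the file that was actually saved. It assumes ColdFusion 8 or later (for IsImageFile) and two hypothetical directories, d:\uploads\incoming\ and d:\uploads\images\, that sit outside the web root.

```cfml
<!--- Added example. Both directories are hypothetical and must sit
      OUTSIDE the web root so an uploaded file can never be requested
      (and executed) by URL. --->
<cfset variables.IncomingDir = "d:\uploads\incoming\">
<cfset variables.FinalDir    = "d:\uploads\images\">
<cfset variables.AllowedExt  = "gif,jpg,jpeg,png">
<cfset variables.Success     = "rejected.">

<cfif val(cgi.content_length) gt 1024000>
   <cfset variables.Success = "too big.">
<cfelse>
   <cftry>
      <!--- MakeUnique: an upload can never replace an existing file --->
      <cffile
         action="Upload"
         filefield="FileContents"
         destination="#variables.IncomingDir#"
         nameconflict="MakeUnique"
         accept="image/gif,image/jpeg,image/pjpeg,image/png,image/x-png"
         result="UploadResult">

      <cfset variables.Saved =
         UploadResult.serverDirectory & "\" & UploadResult.serverFile>

      <!--- Check what landed on disk, not what the client claimed: the
            extension must be on the allow list and the content must
            parse as an image. --->
      <cfif ListFindNoCase(variables.AllowedExt, UploadResult.serverFileExt)
            and IsImageFile(variables.Saved)>
         <!--- Store under a server-generated name; the client's file
               name is never used as a path. --->
         <cffile
            action="Move"
            source="#variables.Saved#"
            destination="#variables.FinalDir##CreateUUID()#.#LCase(UploadResult.serverFileExt)#">
         <cfset variables.Success = "uploaded.">
      <cfelse>
         <cffile action="Delete" file="#variables.Saved#">
      </cfif>
      <cfcatch type="Any">
         <!--- Log the detail; the user only sees "rejected." --->
         <cflog file="uploads" type="warning"
            text="#cfcatch.Message# #cfcatch.Detail#">
      </cfcatch>
   </cftry>
</cfif>
```

The block sets variables.Success the same way the tutorial code does, so the form at the bottom of the page can display it unchanged.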

The Robertson Team, TheKing@mysecretbase.com