Stopping invalid file type or file name submissions in coldfusion_问答_开发者

Stopping invalid file type or file name submissions in coldfusion

开发者 https://www.devze.com 2023-02-22 09:15 出处：网络

So, I\'m having this lovely issue where people like to submit invalid file types or funky named files... (like.. hey_i_like_\"quotes\".docx) Sometimes they will even try to upload a .html link...

So, I'm having this lovely issue where people like to submit invalid file types or funky named files... (like.. hey_i_like_"quotes".docx) Sometimes they will even try to upload a .html link...

How should 开发者_JAVA百科I check for something like this? It seems to create an error every time someone submits a poorly named item.

Should I create a cfscript that checks it before submission? Or is there an easier way?

If it was before submission it would be javascript not cfscript. Javascript can always be got round, so I'd say you'd be better doing it server-side with ColdFusion. Personally I'd just wrap the whole thing in a try/catch (you should do this anyway as a matter of course with all file upload type things), and throw an error back at them if their filename is no good.

When you say submit are you using cffile to allow your users to upload file.

If so, use the attribute "accept" with a try and catch around. for example....

<cftry> 
<cffile action = "upload"  
            fileField = "FileContents"  
            destination = "c:\files\upload\"  
            accept="image/jpg, application/msword"
            > 
 <cfcatch type="Any" >
    <p>sorry we could not upload your file!</p>
 </cfcatch>

</cftry>

I personally would not use "just" JavaScript as this could be disabled and you are back in the same boat.

Hope this helps.

On the server, as part of validation, use reFindNoCase() along with an appropriate regex to check for a properly formatted file path. You can find lots of example regex expressions for a file path on the internet, such at this one. Hope that helps.

As @Duncan pointed out, a client-side validation would most likely be in JavaScript. Personally, if I had time/resources, I would do this as a convenience for the end user. If they upload an enormous PDF when a DOCX is required by the system, it would be annoying for them not to receive a message until the upload is complete.

As far as filenames go, it seems to me that the simplest solution (and one I've used in the past) is to assume all filenames are bad, and rename them. There are several ways to do this. If you need to preserve the original filename, I would just use urlEncodedFormat() ot clean the filename into something that is web-friendly. If you need to preserve all versions, you can append a date/time stamp, so bob.xocx becomes bob_201104051129.docx or somesuch. If you must keep the original filename without any changes, I would recommend seting up a DB table as a pinter system, keeping the original name, timestamp, and other metadata there and referring to the file by renaming it to the ID.

But urlEncodedFormat() is probably enough for what you've outlined.

For user experience it's best to do it client-side but it's not bad at all to double check server side too.

For the client side part, I recommend using the jQuery validation plugin, easy to use.