How to restrict file types in cffile upload

Status
Not open for further replies.

leadman (Programmer, US; Jun 11, 2001)
I'm thinking of letting users upload a picture in gif or jpg format but I'm concerned about security and filesize. I don't want to allow anything but jpg or gif files to be uploaded. Should I try to do this on the processing page (inside a cfif that tests for the last 3 being jpg or gif?) or is there a way to do it sooner? And how can I block files above a certain size, say 20k?

Also, I read in Forta that you should be careful when allowing uploads - that the directory the files are going to should be secure from outside view. How do I do this? It also says the templates used to perform file operations must be protected from unauthorized access. Again, it doesn't say how to do this.
 
First of all, if you wish to upload some files to the server, you can consider two tags to use: either cffile upload or cfftp.

cffile has more advantages and could be dangerous to use, as this is a restricted tag in CF Server, while cfftp is used when you have an environment where different user logins are catered for different folders or websites to upload the files, more like a web hosting company that hosts those websites for customers.

Anyway, if you are using cffile to upload, you need to upload the entire file to the server to determine the file size and the file type. An alternative way is to validate the file type using JavaScript, where checking the file type first sounds more reasonable than checking the file size. There is no point if you upload a bigger file and then find it wasn't the correct type and wasn't the correct size. So, you can combine JavaScript to check the file type, then use a custom tag to validate the file size of your image, which looks more organized.

Good Luck

sshhz
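
An added example, not part of either post above: a server-side processing template covering the three points raised in the thread (GIF/JPEG only, a 20k limit, and an upload directory outside the web root). The form field name `photo`, the path `D:\uploads\photos`, and the availability of `isImageFile()` (ColdFusion 8 or later) are assumptions.

```cfml
<!--- Added example. Assumed names: form field "photo", upload directory
      D:\uploads\photos located outside the web root. --->
<cfset uploadDir  = "D:\uploads\photos">
<cfset maxBytes   = 20 * 1024>          <!--- the 20k limit from the question --->
<cfset allowedExt = "gif,jpg,jpeg">

<!--- Reject clearly oversized requests before processing the file.
      CONTENT_LENGTH covers the whole multipart body, so allow some overhead. --->
<cfif val(cgi.content_length) GT maxBytes + 4096>
    <cfabort showerror="Upload too large.">
</cfif>

<cftry>
    <!--- accept is a first filter on MIME type. On older servers this is the
          type declared by the client, so the saved file is re-checked below.
          makeunique prevents overwriting an existing file. --->
    <cffile action="upload"
            filefield="photo"
            destination="#uploadDir#"
            nameconflict="makeunique"
            accept="image/gif,image/jpeg,image/pjpeg">
    <cfcatch type="any">
        <cfabort showerror="Only GIF or JPEG images are accepted.">
    </cfcatch>
</cftry>

<!--- Re-check what was actually written: extension, size, and content. --->
<cfset savedPath = cffile.serverDirectory & "\" & cffile.serverFile>
<cfset ok = cffile.fileWasSaved
        AND listFindNoCase(allowedExt, cffile.serverFileExt)
        AND cffile.fileSize LTE maxBytes
        AND isImageFile(savedPath)>

<cfif NOT ok>
    <!--- Remove anything that failed a check so it never stays on disk. --->
    <cffile action="delete" file="#savedPath#">
    <cfabort showerror="File rejected: must be a GIF or JPEG of 20k or less.">
</cfif>

<cfoutput>Saved as #htmlEditFormat(cffile.serverFile)#</cfoutput>
```

Because the directory is outside the web root, an uploaded file cannot be requested by URL; images are sent back through a template, for example with `cfcontent`.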

 