ColdFusion's CFFILE tag lets you upload files from a web-based form.  However, allowing users to upload files to a web server without adding constraints isn't such a good idea. 

The code below will impose a file size constraint of your choice, will only accept certain file types and will show a 'friendly' error message via try/catch error handling.  Note that the file type constraint uses CFFILE's ACCEPT parameter, which tests the actual MIME type of the file, rather than doing a simple check of the file extension.

While this method isn't foolproof (your browser will have to actually upload the file to the server before any of these checks can take place) it represents the best case when using CFFILE.

<cfif isdefined ("url.Action")>
   <!---
   Test the file size
   --->

   <cfif val(cgi.content_length) gt 1024000>
      <!---
      the file size is over the limit of 1mb.  Refuse to upload it
      --->

      <cfset variables.Success="Too Big!  No dice.">
   <cfelse>
      <!---
      the file is within the limit specified.  Define the accepted
      MIME types. this example accepts GIF, JPEG and PNG image
      files.
      --->

      <cfset request.AcceptImage=
      "image/gif,image/jpg,image/jpeg,image/pjpeg,image/x-png">

      <!---
      now try to upload the file
      --->

      <cftry>
      <cffile
         action="Upload"
         filefield="FileContents"
         destination="c:\cfusionmx\wwwroot\"
         nameconflict="OVERWRITE"
         accept="#request.AcceptImage#">
      <cfset variables.Success="Uploaded.">
      <cfcatch type="Application">

         <!---
         something went wrong.  Was it a mime type failure?
         --->

       <cfif isdefined("cfcatch.MimeType")>
             <!---
             yes it was.  show the friendly error message.
            --->

            <cfif not ListFindNoCase
            (request.AcceptImage,cfcatch.MimeType)>
                <h1>Fool!</h1>
                <p>This type of file is not allowed for upload.<br>
                All that user training really paid off.</p>
                <p>Try again...</p>
            <cfelse>

                <!---
                Hmmm.  the mimetype is there but the file was on the  
                list. Better dump out the whole error message.
                --->
     
                <cfoutput>
                <b>Error</b><br>
                #cfcatch.Message#
                #cfcatch.Detail#
                </cfoutput>
            </cfif>
         <cfelse>
             <!---
             Hmmm.  No mimetype error in the catch scope.
             Better dump out the whole error message.
             --->
 
             <cfoutput>
             <b>Error</b><br>
             #cfcatch.Message#
             #cfcatch.Detail#
             </cfoutput>
         </cfif>
         <cfabort>
      </cfcatch>
      <cfcatch type="Any">
         <cfoutput>
         <b>Error</b><br>
         #cfcatch.Message#
         #cfcatch.Detail#
         </cfoutput>
         <cfabort>
      </cfcatch>
      </cftry>
   </cfif>
</cfif>

<!---
Display the form
--->

<html><head><title>Uploader Test</title></head><body>
<cfif isdefined ("url.Action")>
   <cfoutput>
   Your file was #variables.Success#
   </cfoutput>
</cfif>
<cfoutput>
<form
   action="#cgi.script_name#?Action=Y"
   method="post"
   enctype="multipart/form-data">
</cfoutput>
Source File Name:<BR>
<input
   name="FileContents"
   type="FILE"
   size="45"><br>
<input
   type="submit"
   value="Upload File">
</form>
</body></html>
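
Added example (not part of the original tutorial): on ColdFusion releases of this tutorial's era, the MIME type compared against ACCEPT is the one declared in the browser's request, which is the behaviour the first comment in the discussion describes. This replacement for the CFFILE call inside the CFTRY stores the upload outside the web root, checks the leading bytes of the stored file against the expected image signature, and only then moves it into place under a server-generated name. Assumptions: ColdFusion MX 7 or later (for BinaryEncode), a Windows server as in the tutorial, and the two hypothetical directories c:\uploads\incoming\ and c:\uploads\images\.

```cfml
<!--- Added example, not the tutorial's code. Assumes ColdFusion MX 7+
      (BinaryEncode). Both directories are hypothetical and must sit
      outside the web root. --->
<cfset variables.quarantineDir = "c:\uploads\incoming\">
<cfset variables.finalDir = "c:\uploads\images\">
<cfset variables.accept = "image/gif,image/jpg,image/jpeg,image/pjpeg,image/x-png">

<!--- Allowed extension -> leading bytes of that format, as hex --->
<cfset variables.magic = StructNew()>
<cfset variables.magic["gif"] = "47494638">
<cfset variables.magic["jpg"] = "FFD8FF">
<cfset variables.magic["jpeg"] = "FFD8FF">
<cfset variables.magic["png"] = "89504E470D0A1A0A">

<!--- MAKEUNIQUE: a client-chosen name never replaces an existing file --->
<cffile action="upload"
   filefield="FileContents"
   destination="#variables.quarantineDir#"
   nameconflict="MAKEUNIQUE"
   accept="#variables.accept#">

<cfset variables.tmpPath = cffile.serverDirectory & "\" & cffile.serverFile>
<cfset variables.ext = LCase(cffile.serverFileExt)>
<cfset variables.ok = false>

<!--- Check the stored bytes, not the type the client declared --->
<cfif cffile.fileSize gt 0 and StructKeyExists(variables.magic, variables.ext)>
   <cffile action="readbinary" file="#variables.tmpPath#" variable="variables.bytes">
   <cfset variables.hex = UCase(BinaryEncode(variables.bytes, "hex"))>
   <cfset variables.sig = variables.magic[variables.ext]>
   <cfif Left(variables.hex, Len(variables.sig)) eq variables.sig>
      <cfset variables.ok = true>
   </cfif>
</cfif>

<cfif variables.ok>
   <!--- Store under a server-generated name with the vetted extension --->
   <cfset variables.finalPath = variables.finalDir & CreateUUID() & "." & variables.ext>
   <cffile action="move" source="#variables.tmpPath#" destination="#variables.finalPath#">
   <cfset variables.Success = "Uploaded.">
<cfelse>
   <cffile action="delete" file="#variables.tmpPath#">
   <cfset variables.Success = "Rejected: content is not an allowed image type.">
</cfif>
```

A signature match only shows that the file starts like an image; keeping the stored files outside the web root is what prevents an uploaded file from being requested and executed as a template.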
About This Tutorial
Author: Matt Robertson
Skill Level: Beginner
Platforms Tested: CFMX
Submission Date: June 17, 2004
Last Update Date: June 05, 2009
Discuss This Tutorial
  • But there is one huge problem still with CF and file uploading. That is when the browser presents the wrong file MIME type to the ColdFusion code. People upload a legitimate file type (say an mp3 file), but their browser is sending it with a MIME type of something weird. Then ColdFusion rejects it as perhaps filetype (unknown/unknown). The whole thing seems to be at the mercy of the browser settings, and it is maddening that in all this time CF doesn't have an easy fix to properly ascertain what the REAL MIME type is. Does anyone know a fix for sniffing the real genuine MIME type, please?

  • I didn't read Snack's note quite carefully. I took the template and loaded it as described above, changed the acceptance list to read only "text/plain" and then tried to upload a GIF file. I got the expected error message. The code works fine.

  • The first cfcatch condition in the application type is supposed to take care of Snack's discussed issue. If an application type error is thrown and the variable cfcatch.MIMEType exists, then this is the red flag for a MIME type error and the friendly routine runs. I copied the code right out of this tutorial, pasted it into my copy of HomeSite, saved it on my intranet, ran it on a text file and got the proper message. Sorry but you goofed somewhere.

  • The code works for me until I upload a file type not allowed then I get a server error not the friendly error in the code above. CFMX7 server. I wish to allow TXT only, a GIF file returns the following error: "Error processing CFFILE tag The MIME type of the uploaded file (image/gif) was not accepted by the server. Please verify that you are uploading a file of the appropriate type."

  • Dear Mr. Robertson, Thank you very much for your code. I used the MIME type validation in an application that I built that will remotely host images for use on eBay auctions. I used the code to, of course, validate incoming images that users might be uploading. Thank you, Joe Lipinski
