Hi,
Sorry if this is a dumb question, I'm new to this.
I have a form where I want the user to be able to upload an image from a form. For the cffile I'm using
<cfif len(trim(form.ImageData))>
<cffile action="upload"
fileField="ImageData"
destination="\uploads"
nameConflict = "MakeUnique">
</cfif>
It works locally when I input the specific directory on my hard drive, but when I use the above online I get an access denied error and it looks like it's trying to save it locally on c:\uploads
On my FTP I created an upload folder but I don't know what the 'destination' field typically looks like when you are trying to use cffile on a live site. What information do I need from my web host to make this work? Like, does it involve an IP address? I'm thinking some kind of username and password will be required. Does cffile have a username/password field too? Basically, what should cffile look like when you're using it on a live site?
Thanks,
Mike
Here.. let's make this foolproof. In your sites root folder, open the application.cfc, find the onRequestStart section and add the following:
<cfset rootPath = "#REreplaceNoCase(ExpandPath('./'),'(.+[\\|\/]mymindsnotright.com\www)(.)+','\1','all')#" />
This line will create a variable called rootPath, and no matter where in the folder structure the user goes, rootPath will always point to the root of the site.
Then, depending upon where in your site the uploads folder is, you append that flow to t
...
Any progress on this? Has GoDaddy fixed this, yet?
V/r,
^ _ ^
I just spoke with technical support and they gave permission to write to that folder so it works now! Thank you sooo much for all your help. I really, really appreciate it. This has been bumming me out for the last few days thinking that this wouldn't work, as it was a pretty important part of my website, but it works now. Thanks again.
Great to hear. Please do pick one of the answers as the "answer" so as to help future readers to understand what helped you (and would help others) to solve this.
Just to follow up on this a little bit: it looks like your uploads folder is web-accessible. This is potentially dangerous, as anyone who uploads a file can then execute that file if it's executable. So, be careful!
Dave Watts, Fig Leaf Software
I see that Charlie already mentioned this, now that I read the whole thread.
Dave Watts, Fig Leaf Software
https://forums.adobe.com/people/Dave+Watts wrote
Just to follow up on this a little bit: it looks like your uploads folder is web-accessible. This is potentially dangerous, as anyone who uploads a file can then execute that file if it's executable. So, be careful!
Dave Watts, Fig Leaf Software
It should be okay if the /uploads folder properties are set to not allow executables.
V/r,
^ _ ^
Maybe, but what we think of as executables nowadays is broader than what servers do. Server-side scripts like CF, client-side stuff like JavaScript and CSS, document macros - that's all executable. If the form allows you to upload any of that stuff, bad things can happen. Obviously really bad things can happen with server-side scripts, but the other stuff can cause you problems of various sorts as well even though they can't explicitly execute on your server.
And if there's one thing that I've learned over twenty years of dealing with web security, it's that there are smarter people than me compromising web security. So, it's important for me at least to rely on things like defense in depth, because I can't predict all of the things that could go wrong. For example, not too long ago on these very forums, someone asked how to destroy and recreate session cookies when a user logs out of a site, as requested by his CSO. Someone else said, why bother? And that was my initial reaction as well. But it turns out, someone smarter than me figured out how to do something bad in that situation, which was why the recommendation to destroy session cookies at logout is a thing that exists now. I don't remember the specifics, but it's worth reading about.
This is not intended as a criticism of you or your response, WolfShade - it is entirely possible to adequately secure a public web folder that allows uploads. But it's harder, and it's not trivial, and problems with doing this can happen to any of us developing and deploying web content on untrusted networks.
Dave Watts, Fig Leaf Software
Aha. You wrote your replies (confirming that it still did not work) as I was writing and posting this. But yours showed up before mine, so I am tweaking this (after posting it) so it makes sense as you or others come across it.
So you said earlier that you're running this code on a hosted server. I suspect the problem is that CF is set up (on the host) to run as a user (the user running the CF service) which DOES NOT HAVE PERMISSION TO WRITE TO THE DIRECTORY you want to write to.
If you think about it, it’s not unusual for a host to want to limit what can be written to a folder that would then be accessible via the web (as you show in your desired url of http://www.mysite.com/uploads). There are good security reasons to not want to allow that. Or to require that some precautions be taken (such as scanning the file for viruses, etc.) before letting such a file be accessible.
And here is where often the desires of a hosting company clash with the desires of their clients. YOU may want to be able to allow uploads of files to a web-accessible directory, but THEY may not. And in that case, you’re in a pickle.
But CF has a solution for that: you can use the CFFILE action=”upload” to save the file somewhere that they tell you they ARE OK to write to, and then you could serve that to users using a tag like CFCONTENT, which can serve up a file as content back to the user. But since you are new to CF, I won’t elaborate on this here. There are lots of potential pitfalls and challenges in using CFCONTENT (to solve various desires for its use).
So first, do you really need to write to that web-accessible folder, after all? If not, the web host may be willing to set some other non-web-accessible folder that they'd be willing to let CF write to.
If you were in control of the server, you could also perhaps change the folder (you want to write to) so that it had permission to be written to by CF (by the CF page doing the file upload to that directory). But again you don't, and the host may not be willing to do that.
In either case, again, you need to consider taking precautions about what you are letting people upload and then "download". (Some also want to let person A upload a file that only person A can see. That also is something that can be better managed/controlled via code using CFCONTENT to serve up the file.)
So just beware: what you want to do is something to be cautious about, even if you can get it working.
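The approach described in the post above (upload to a folder outside the web root, then serve through CFCONTENT), combined with checks on what is being uploaded, as an added example that is not part of the original thread. The privateDir path, the upload.cfm and serve.cfm template names and the f URL parameter are assumptions.

```cfml
<!--- upload.cfm (added example, not from the thread).
      privateDir is an assumed path OUTSIDE the web root: use whatever writable,
      non-web-accessible folder the host provides. --->
<cfset privateDir = "D:\private\uploads">
<cfif structKeyExists(form, "ImageData") and len(trim(form.ImageData))>
  <cftry>
    <!--- accept + strict: reject anything whose detected type is not an image --->
    <cffile action="upload" fileField="ImageData" destination="#privateDir#"
            accept="image/jpeg,image/png,image/gif" strict="true"
            nameConflict="MakeUnique" result="up">
    <cfset savedPath = up.serverDirectory & "\" & up.serverFile>
    <!--- Second layer: extension allowlist and a real image decode --->
    <cfif not listFindNoCase("jpg,jpeg,png,gif", up.serverFileExt)
          or not isImageFile(savedPath)>
      <cffile action="delete" file="#savedPath#">
      <cfthrow message="Only JPG, PNG or GIF images are accepted.">
    </cfif>
    <!--- Server-generated name: the client never chooses the stored file name --->
    <cfset storedName = createUUID() & "." & lCase(up.serverFileExt)>
    <cffile action="rename" source="#savedPath#"
            destination="#privateDir#\#storedName#">
    <cfoutput>Saved as #encodeForHTML(storedName)#</cfoutput>
    <cfcatch type="any">
      <cfoutput>Upload rejected: #encodeForHTML(cfcatch.message)#</cfoutput>
    </cfcatch>
  </cftry>
</cfif>

<!--- serve.cfm?f=<storedName> (added example): the only way files leave privateDir --->
<cfset privateDir = "D:\private\uploads">
<cfset mimeByExt = {jpg="image/jpeg", jpeg="image/jpeg", png="image/png", gif="image/gif"}>
<cfparam name="url.f" default="">
<!--- getFileFromPath drops any directory part; the pattern allows only our own names --->
<cfset fileName = getFileFromPath(url.f)>
<cfif not reFind("^[0-9A-Za-z\-]+\.(jpg|jpeg|png|gif)$", fileName)
      or not fileExists(privateDir & "\" & fileName)>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="#mimeByExt[listLast(fileName, '.')]#" file="#privateDir#\#fileName#">
```

Because nothing in privateDir is reachable by URL, an uploaded file that slips past the checks is still only ever returned as image bytes with a fixed content type, never interpreted by the web server.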
Yeah, I still get access denied. If I call my web host, what should I ask them? If there is a directory that can be written to that I can use? It is sounding like I'm out of luck in this case.
Wycks, are you asking Wolf in reply to his note? Or have you read mine? I tried to clarify what is likely the problem, and what your options seem to be.
I just read yours. I'm going to call and ask them if there is a folder that they allow me to write to.
Thanks, both of you.
Actually, that's because there is no onRequestStart section.
Did you place that at the bottom of the application.cfc, or between the opening and closing tags for onRequestStart?
This is my whole application.cfc file:
<cfcomponent>
<cfscript>
this.name = "MyMindsNotRight";
this.sessionmanagement = true;
</cfscript>
</cfcomponent>
<cffunction name="onRequestStart">
<cfset rootPath = "#REreplaceNoCase(ExpandPath('./'),'(.+[\\|\/]mymindsnotright.com\www)(.)+','\1','all')#" />
</cffunction>
I'm really sorry, I'm very new at all this.
Are you using application.cfc, or application.cfm?
Remove that line from the application.cfc/cfm, place it at the top of the action page for the file upload. It just won't be available to your whole site.