Results 1 to 2 of 2

Thread: working with uploaded images

  1. #1
    md_sumner Guest

    Default working with uploaded images

    I am working on a site for an HOA, they want the residents to upload pet pictures. I have the image uploading to a folder outside the wwwroot folder - I was told this the more secure method. My UI is flex and I wanted to load the image but I am getting error 2044. The path to the image is in a DB table referencing the local file system. I need help / suggestion on getting this security issue resolved or after the image is uploaded and resized and always renamed and with an extension of .jpg do I move it inside the wwwroot?

    This is my first shared hosting site.

    We self host our work sites and I get full access there.


  2. #2

    Default ColdFusion - best practices for uploading files

    The best practices for uploading files including images come with their caveats, but these can be handled in a practical way that insures a high level of security, speed and flexibility.

    Best Practice(s) and Solutions:

    1. Files should be uploaded out side of the web root for security (wwwroot in most cases).

    By storing the files inside the web root they can be executed and possibly expose your application to attack. File validation should be performed first within the cffile tag using the attribute: accept="image/gif,image/jpeg"

    Secondly, and highly recommended use the function (vaild in ColdFusion 8 and above): IsImageFile("path")

    If the file does not pass BOTH types of validation it should be DELETED, and error handled appropriately.

    2. Resizing and saving the image should be done once not per-visit.

    Resizing images is a resource intense and can lead to slowly loading webpages. The best solution is to resize once on upload, after validation and saved. In the case where multiple standard sizes
    of the same image is needed then appending the size to the file name is an easy way to stay
    organized while maximizing the speed of your web page.

    To do this use the reReplace in this way:

    <!--- Set the variable modifying the extension and adding _resized.jpg --->
    	<cfset rfile= "#REReplace("#img#",".(jpg|JPG|JPEG|jpeg)","_resized.jpg")#">
    <!--- Resizes image if it has not been done already --->
        <cfset myImage=ImageNew(URLDecode("d:\home\\secure_upload\" & "#imgpath#" & "#img#"))>
        	<cfset ImageResize(myImage,"175","175","highestPerformance")>
    <!--- Saves image, and to eliminate problems with url friendly encoding when getting our images re-replace %20 with no-space --->
        <cfimage source="#myImage#" action="write" overwrite=true destination="d:\home\\image_safe\#imgpath##REReplace("#rfile#","%20"," ","ALL")#">
    The code above was taken from optimize image rendering in three steps.

    3a. Serving images after upload (RECOMMENDED, HIGH PERFORMANCE)

    If files have been validated and bad files deleted, utilize CFFile to move the file into the wwwroot directory.

    For example, the best practice for serving multiple sizes of the same image would be to use cfimage and save the multiple sizes to a specific image directory after validating the file, then delete the original. Use the re-sized images on static pages, cached pages and achieve the best performance possible.

    <!--- After validating file --->
    <cfimage source="d:\home\\secure_upload\#img#" action="resize" width="100" height="100"
    <cffile action="Delete"  
    3b. Serving images from outside the web root (NOT RECOMMENDED, REDUCED PERFORMANCE)

    Files and images can be served outside of the web root by using the cfcontent tag. In this simple
    example provided by the ColdFusion 8 Docs, the image myImage_resized.jpg will be served from the
    secure folder where the image was uploaded, validated and resized.

    <cfcontent type = "image/jpeg" 
        file = "d:\home\\secure_upload\myImage_resized.jpg" 
        deleteFile = "no">

    Finally handling uploads done carefully ensures security and rapid application response.

    A fully functional example script included below: Includes a form with name and email, validation, file size limit, resizing and copying the file to a public folder. This script was an adapted version of this script by Ben Nadel for limiting the file upload size.

    We recommend these two articles for more reading on this subject:
    Last edited by JonC; August 15th, 2011 at 11:17 AM. Reason: Added upload script.
    Jon Cavanaugh
    ColdFusion Systems Analysts
    Director of Business Development
    Linux Hosting | Christian Hosting | Railo Hosting

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts