Is the problem specific to the CFFILE tag, or is it the
concept of accepting files over the internet?
There can be many reasons for a company (gov) to not want to
have the ability to upload files, but to want it, and then to say
not to use CFFILE is kind of contradictory.
Is it because the Server Administrator has locked down the
directories to not accept uploaded files? (or the server is not
made for that ability). If that is the case then any technology
won't help you, the server would have to be opened up.
Is there a 'flaw' in the CFFILE tag that the government is
trying to avoid? Does your client have a 'bad experience' with a
non-secured file upload script that makes them shy away from file
uploads?
There are as many ways to upload a file from a client machine
to a server machine as there are languages viable for the web. But
they all have the same common security failings.
1. You have to have a server that will allow file uploads
2. You have to save the file on the server before you can
move, scan, read, rename, etc.
There are many more 'failings in common', but these are the
most prominent in my mind right now. The good thing is that they
are failings in 'common' so everyone has to deal with them, AND you
just have to build a secure system that matches the client's
security risk allowance.
Hope this helps
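
The second point in the reply above (the file must be on disk before it can be checked) is usually handled by landing uploads in a quarantine directory outside the web root and only moving them on after checks pass. The following is an added example, not part of the original post; the directory paths, the form field name `userFile`, the allow-list and the size limit are assumptions to adapt.

```cfml
<!--- Added example. Both directories are assumed to sit outside the web root,
      so nothing saved here can be requested or executed through a URL. --->
<cfset quarantineDir = "/opt/uploads/quarantine">
<cfset finalDir      = "/opt/uploads/accepted">
<cfset allowedExt    = "pdf,png,jpg">        <!--- assumed allow-list --->
<cfset maxBytes      = 5 * 1024 * 1024>      <!--- assumed 5 MB limit --->

<cfif structKeyExists(form, "userFile") and len(form.userFile)>
  <cftry>
    <!--- Step 1: the file has to land somewhere before it can be inspected.
          The accept list is a first filter; the browser-supplied MIME type
          is not trustworthy on its own. --->
    <cffile action="upload"
            fileField="userFile"
            destination="#quarantineDir#"
            nameConflict="makeunique"
            accept="application/pdf,image/png,image/jpeg"
            result="up">

    <cfset savedPath = up.serverDirectory & "/" & up.serverFile>

    <!--- Step 2: check what was actually written to disk. --->
    <cfif not listFindNoCase(allowedExt, up.serverFileExt)
          or up.fileSize gt maxBytes>
      <cffile action="delete" file="#savedPath#">
      <cfthrow type="UploadRejected" message="File type or size not allowed.">
    </cfif>

    <!--- Step 3 (site-specific): run the antivirus or content scan on
          savedPath here, and delete the file if it fails. --->

    <!--- Step 4: store under a server-generated name so the client-supplied
          file name never reaches the final location. --->
    <cfset storedName = createUUID() & "." & lCase(up.serverFileExt)>
    <cffile action="move"
            source="#savedPath#"
            destination="#finalDir#/#storedName#">

    <cfcatch type="any">
      <!--- Log the rejection; return only a generic message to the client. --->
      <cflog file="uploads" type="warning"
             text="Upload rejected: #cfcatch.message#">
    </cfcatch>
  </cftry>
</cfif>
```

Files left in the quarantine directory by a failed request should be purged on a schedule.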