The first thing to do is to make sure that the upload is going to a folder outside of the wwwroot that has execution privileges off.
Then parse the file using CFFILE and save it to a (scoped) variable, and use IsXML() to make sure that the file is XML.
If the XML file will always have the same format/layout, then you can use XmlSearch(xmlVar, "/path/to/your/info") to create an array of the data. You can then use XmlParse() to get the values.
^ _ ^
Thank you very much for the reply.
I will get right to work looking into this option.
This will always be the same structure with varying data. I'm used to using cfhttp to hit a feed that returns XML, but really haven't worked with items posting to a page. I would like to first see what is being posted. Is there some kind of way that I can simply do a dump of the XML being sent so I can add it to a table? It's just for testing purposes.
What would be great is if there was a universal #xml.output# variable that CF would know just to grab and insert.
Any feedback would be greatly appreciated!!!
For testing purposes, you can always CFDUMP it after you have used XmlParse() on it.
For example, once the file has been uploaded, use CFFILE to 'read' the XML into a variable, use XmlParse() on the variable to set another variable, then CFDUMP that.
<cffile action="read" file="/path/to/uploaded/file.xml" variable="variables.thisXML" />
<cfset variables.parsedXML = XmlParse(variables.thisXML) />
<cfdump var="#variables.parsedXML#" label="XML" expand="yes" />
^ _ ^
Is there any way to simply read the post instead of saving the file? I would like to insert into a database instead of saving a file.
By POST I assume you mean the body content of the POSTed request is the raw XML:
<cfset variables.xmlText = getHTTPRequestData().content />
Now variables.xmlText is the xml string. To dump it as an xml document you need to parse it into an xml document first:
<cfset variables.xml = XmlParse(variables.xmlText) />
<cfdump var="#variables.xml#" />
There is a way to do that, I've done it. Sadly that was many, many years ago, and I am not recalling how I did it. I don't have access to those .cfm files to see, anymore. But I remember setting it up so that if a user uploaded a file, that file was saved to a variable (as opposed to saving it to a folder) then directly inserted into a database BLOB.
Of course, this was for an intranet, not a public-facing website. I didn't have to consider that some malicious actor would try to upload a virus. If this is for a public-facing website, you'll want to save it to a folder that has execute permissions removed and allow a virus-checker to scan it before you do anything with it.
^ _ ^
Thanks Steve, I will certainly try that...
Appreciate the feedback!!!!
There are usually 2 ways to post XML to a CFM page:
<form method="post" enctype="multipart/form-data">
<input name="FileContents" type="file">
2) as a string, for example,
<input name="xmlContent" type="text">
If the poster used the first method, then the uploaded file would be saved to disk, and you could proceed as WolfShade suggests. If the poster used the second method, then the XML file would be available on your CFM page as the variable form.xmlContent.
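
The two no-file approaches above (the raw request body via getHTTPRequestData() and the form.xmlContent field) combined into one receiving page, as an added example that is not code from any poster in this thread. The datasource name myDSN, the table xml_inbox with its columns, the 1,000,000-character limit and the rejection of DOCTYPE declarations are assumptions chosen for illustration.

```cfml
<!--- Added example: accept POSTed XML, validate it, and store it without saving a file. --->
<!--- Assumed names: datasource "myDSN", table xml_inbox (payload, received_at). --->
<cfset variables.maxChars = 1000000 />

<!--- Use the form field when the poster sent one, otherwise the raw request body. --->
<cfif structKeyExists(form, "xmlContent")>
    <cfset variables.xmlText = form.xmlContent />
<cfelse>
    <cfset variables.xmlText = getHTTPRequestData().content />
</cfif>

<!--- The body is binary when the request content type is not text; decode it first. --->
<cfif isBinary(variables.xmlText)>
    <cfset variables.xmlText = charsetEncode(variables.xmlText, "utf-8") />
</cfif>
<cfset variables.xmlText = trim(variables.xmlText) />

<!--- Cheap checks run before the parser ever sees the input. --->
<cfset variables.accepted = true />
<cfif len(variables.xmlText) EQ 0 OR len(variables.xmlText) GT variables.maxChars>
    <cfset variables.accepted = false />
<cfelseif findNoCase("<!DOCTYPE", variables.xmlText) GT 0>
    <!--- A fixed-structure feed needs no DTD; refusing one keeps entity
          declarations (external entities, entity expansion) away from the parser. --->
    <cfset variables.accepted = false />
<cfelseif NOT isXML(variables.xmlText)>
    <cfset variables.accepted = false />
</cfif>

<cfif NOT variables.accepted>
    <cfheader statuscode="400" statustext="Bad Request" />
    <cfabort />
</cfif>

<!--- Parse only after validation; the XPath is the placeholder used earlier in the thread. --->
<cfset variables.xml = xmlParse(variables.xmlText) />
<cfset variables.nodes = xmlSearch(variables.xml, "/path/to/your/info") />

<!--- Bind values with cfqueryparam so the XML text is never concatenated into the SQL. --->
<cfquery datasource="myDSN">
    INSERT INTO xml_inbox (payload, received_at)
    VALUES (
        <cfqueryparam value="#variables.xmlText#" cfsqltype="cf_sql_longvarchar" />,
        <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp" />
    )
</cfquery>

<cfoutput>Stored payload with #arrayLen(variables.nodes)# matching node(s).</cfoutput>
```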