This is a short one. I just discovered today, that if you have a dynamic file name from a file that a user has uploaded, you should not include it in ExpandPath.

Take for example, the following variables (the first one being retrieved from a query):

<cfset filename = qRecord.FileName>
<cfset folder = "/files/">

Historically, I have retrieved the full path of the file using code similar to this:

<cfset filepath = ExpandPath("#folder##filename#")>

It turns out, however, that this code is better:

<cfset filepath = "#ExpandPath(folder)##filename#">

The reason for this is that the file name could be anything. In my case, I ran into a filename that included the characters "..", causing ExpandPath() to get the wrong folder for the first example (but not the second).

Just thought I would share this to save others the same trouble.