Solved

Restrict Certain File Extension Uploads / Upload Size for ASP form

Posted on 2006-07-06
Last Modified: 2010-08-05
I will start off by saying I am NOT a programmer. I have just enough luck to be able to find cool sites that offer code up for users to sample and modify it a bit to get what I am looking for. (I was actually trying to use CDONTS yesterday, just figured out I need to use CDOsys). The form is an upload form, will want the user to upload a .gif, .jpg, .jpeg, .ai, .psd, or .eps file. Below is the code I am currently using ( got it from http://www.asp101.com/articles/jacob/scriptupload.asp ). The code uploads the file to the server, sends the email with attachment, then deletes the file from the server. I just want to be able to only allow those specific extensions listed above to be uploaded. I have tried a few things but haven't gotten anything to work.

<%@ Language=VBScript %>
<%Option Explicit%>
<!-- #include file="upload.asp" -->
<%

'NOTE - YOU MUST HAVE VBSCRIPT v5.0 INSTALLED ON YOUR WEB SERVER
'         FOR THIS LIBRARY TO FUNCTION CORRECTLY. YOU CAN OBTAIN IT
'         FREE FROM MICROSOFT WHEN YOU INSTALL INTERNET EXPLORER 5.0
'         OR LATER.

Server.ScriptTimeOut = 300



' Create the FileUploader
Dim Uploader, File
Set Uploader = New FileUploader


' This starts the upload process
Uploader.Upload()

'******************************************
' Use [FileUploader object].Form to access
' additional form variables submitted with
' the file upload(s). (used below)
'******************************************

' Check if any files were uploaded
If Uploader.Files.Count = 0 Then
      Response.Write "File(s) not uploaded."
Else

' Loop through the uploaded files
For Each File In Uploader.Files.Items

' Save the file
File.SaveToDisk "C:\Inetpub\wwwroot\fileuploader\files"            

' Make variable with location of previously uploaded file
Dim attachment
attachment="C:\Inetpub\wwwroot\fileuploader\files\" & File.FileName
Next
End If

' Grab rest of form variables
Dim name, email, product, quantity, partner
name = Uploader.Form("name")
email = Uploader.Form("email")
product = Uploader.Form("product")
quantity = Uploader.Form("quantity")
partner = Uploader.Form("partner")

' validation
Dim validationOK
validationOK=true
If name="" Then validationOK=False
If email="" Then validationOK=False
If quantity="" Then validationOK=False
If (validationOK=false) Then Response.Write("Error - Please fill in all fields.")

'Declare variables
Dim sch, cdoConfig, cdoMessage
sch = "http://schemas.microsoft.com/cdo/configuration/"
 
    Set cdoConfig = CreateObject("CDO.Configuration")
 
    With cdoConfig.Fields
        'Set CDO Port
        .Item(sch & "sendusing") = 2
        'Set mailserver name either IP address, mail.yoursite.com or localhost
        .Item(sch & "smtpserver") = "127.0.0.1"
        'Set SMTP port which is 25 by default
        .Item(sch & "smtpserverport") = 25
        'Set number of seconds before timeout
        .Item(sch & "smtpconnectiontimeout") = 60
        .update
    End With
 
    Set cdoMessage = CreateObject("CDO.Message")
 
    With cdoMessage
        Set .Configuration = cdoConfig
        .From = name
        .To = "localhost@localhost.com"
        .Subject = "Customark Logo Submission Form " & "(" & partner & ")"
        .HTMLBody = "Submission From: " & partner & vbCrLf & "Name: " & name & vbCrLf
        .AddAttachment attachment
        .Send
    End With
 
    Set cdoMessage = Nothing
    Set cdoConfig = Nothing

Dim ScriptObject
Set ScriptObject = Server.CreateObject("Scripting.FileSystemObject")
ScriptObject.DeleteFile(attachment)


Response.Write("Success")



%>
Question by:JF0

11 Comments
 
LVL 13

Expert Comment

by:jmundsack
ID: 17052535
Edit your existing code with an If...End If block as follows:

Dim ext

For Each File In Uploader.Files.Items

    ' Lower-case the extension and match it whole against a delimited list.
    ' A bare InStr("gif,jpg,...", ext) is a substring test: "g", "ps" or
    ' even an empty extension (a name ending in ".") would pass it.
    ext = LCase(Mid(File.FileName, InStrRev(File.FileName, ".") + 1))
    If InStr(",gif,jpg,jpeg,ai,psd,eps,", "," & ext & ",") > 0 Then

        '  the rest of your code following the For Each statement goes here
        '  up to the Next statement

    End If

Next
0
 
LVL 16

Author Comment

by:JF0
ID: 17052742
I'm sorry, I do not understand. Could you insert it into my code for me so I can see where exactly to place it. I am really a beginner, get stumped on the easiest things.
0
 
LVL 13

Expert Comment

by:jmundsack
ID: 17052795
Ok, sorry:

<%@ Language=VBScript %>
<%Option Explicit%>
<!-- #include file="upload.asp" -->
<%

'NOTE - YOU MUST HAVE VBSCRIPT v5.0 INSTALLED ON YOUR WEB SERVER
'        FOR THIS LIBRARY TO FUNCTION CORRECTLY. YOU CAN OBTAIN IT
'        FREE FROM MICROSOFT WHEN YOU INSTALL INTERNET EXPLORER 5.0
'        OR LATER.

Server.ScriptTimeOut = 300

Dim ext

' Create the FileUploader
Dim Uploader, File
Set Uploader = New FileUploader


' This starts the upload process
Uploader.Upload()

'******************************************
' Use [FileUploader object].Form to access
' additional form variables submitted with
' the file upload(s). (used below)
'******************************************

' Check if any files were uploaded
If Uploader.Files.Count = 0 Then
     Response.Write "File(s) not uploaded."
Else

    ' Loop through the uploaded files
    For Each File In Uploader.Files.Items

        ' Lower-case the extension and match it whole against a delimited list.
        ' A bare InStr("gif,jpg,...", ext) is a substring test: "g", "ps" or
        ' even an empty extension (a name ending in ".") would pass it.
        ext = LCase(Mid(File.FileName, InStrRev(File.FileName, ".") + 1))
        If InStr(",gif,jpg,jpeg,ai,psd,eps,", "," & ext & ",") > 0 Then

            ' Save the file
            File.SaveToDisk "C:\Inetpub\wwwroot\fileuploader\files"          

            ' Make variable with location of previously uploaded file
            Dim attachment
            attachment="C:\Inetpub\wwwroot\fileuploader\files\" & File.FileName

        End If

    Next
End If

' Grab rest of form variables
Dim name, email, product, quantity, partner
name = Uploader.Form("name")
email = Uploader.Form("email")
product = Uploader.Form("product")
quantity = Uploader.Form("quantity")
partner = Uploader.Form("partner")

' validation
Dim validationOK
validationOK=true
If name="" Then validationOK=False
If email="" Then validationOK=False
If quantity="" Then validationOK=False
If (validationOK=false) Then Response.Write("Error - Please fill in all fields.")

'Declare variables
Dim sch, cdoConfig, cdoMessage
sch = "http://schemas.microsoft.com/cdo/configuration/"
 
    Set cdoConfig = CreateObject("CDO.Configuration")
 
    With cdoConfig.Fields
        'Set CDO Port
        .Item(sch & "sendusing") = 2
        'Set mailserver name either IP address, mail.yoursite.com or localhost
        .Item(sch & "smtpserver") = "127.0.0.1"
        'Set SMTP port which is 25 by default
        .Item(sch & "smtpserverport") = 25
        'Set number of seconds before timeout
        .Item(sch & "smtpconnectiontimeout") = 60
        .update
    End With
 
    Set cdoMessage = CreateObject("CDO.Message")
 
    With cdoMessage
        Set .Configuration = cdoConfig
        .From = name
        .To = "localhost@localhost.com"
        .Subject = "Customark Logo Submission Form " & "(" & partner & ")"
        .HTMLBody = "Submission From: " & partner & vbCrLf & "Name: " & name & vbCrLf
        .AddAttachment attachment
        .Send
    End With
 
    Set cdoMessage = Nothing
    Set cdoConfig = Nothing

Dim ScriptObject
Set ScriptObject = Server.CreateObject("Scripting.FileSystemObject")
ScriptObject.DeleteFile(attachment)


Response.Write("Success")

%>

Note...  Do you realize that if there are multiple files uploaded, the way this page is currently written the "attachment" variable will only contain the name of the last file saved to disk, and therefore this will be the only file attached to the email?  The presence of the For Each loop makes it look like the user can submit more than one picture at a time.  If that's not the case, then you're good to go.  If you want all the pictures submitted to be attached to the message, your page will still need work.

0
 
LVL 16

Author Comment

by:JF0
ID: 17052809
They can only submit one. I noticed that too. Its a simple Logo upload, that is all. Let me try your code..
0
 
LVL 16

Author Comment

by:JF0
ID: 17052850
With your code, I get the following error. With my old code, it runs without the error. I don't know what it is.

Error Type:
(0x80070057)
One or more arguments are invalid
/fileuploader/customarksubmit.asp, line 103


Dim ScriptObject
Set ScriptObject = Server.CreateObject("Scripting.FileSystemObject")
ScriptObject.DeleteFile(attachment)                     <----------- Line 103


Response.Write("Success")

%>
0

 
LVL 13

Accepted Solution

by:
jmundsack earned 250 total points
ID: 17052853
It just occurred to me that if the user uploaded a file with a different extension, the .AddAttachment would fail.  You'll need to short-circuit the sending of the email in this case.  Perhaps:

        ' Whole-extension match against a delimited list, case-insensitive
        ' (not a substring test, which would also pass "g", "ps" or "").
        If InStr(1, ",gif,jpg,jpeg,ai,psd,eps,", "," & ext & ",", vbTextCompare) > 0 Then

            ' Save the file
            File.SaveToDisk "C:\Inetpub\wwwroot\fileuploader\files"          

            ' Make variable with location of previously uploaded file
            Dim attachment
            attachment="C:\Inetpub\wwwroot\fileuploader\files\" & File.FileName

        Else

            'do something if they uploaded a bad extension
            Response.Write "Invalid attachment."

        End If

And then change the .AddAttachment statement to:

        If Len(attachment) > 0 Then .AddAttachment attachment

0
 
LVL 13

Expert Comment

by:jmundsack
ID: 17052860
Yeah, missed that one, too.  You'll need to change that to:

If Len(attachment) > 0 Then ScriptObject.DeleteFile(attachment)

0
 
LVL 16

Author Comment

by:JF0
ID: 17052882
ok, give me a minute to try to get it.
0
 
LVL 16

Author Comment

by:JF0
ID: 17052958
Awesome. That works great! About having a size limit, would I just amend the following with the proper statement:

  If CBool(InStr("gif,jpg,jpeg,ai,psd,eps", ext)) AND FILESIZE IS <= 10MB Then

            ' Save the file
            File.SaveToDisk "C:\Inetpub\wwwroot\fileuploader\files"          

               '
               '
               ' rest of code

0
 
LVL 13

Expert Comment

by:jmundsack
ID: 17053009
Well, I'm not entirely familiar with the properties of the File object, which is apparently defined in the upload.asp file.  I know it has a .FileName property, and it probably has a .Size property but I can't be sure without seeing the contents of upload.asp.  Let's assume there is a .Size property--in that case, your code would be:

  ' Whole-extension match plus a 10 MB cap: 10 MB is 10 * 1024 * 1024 = 10485760 bytes
  ' (10240000000 would be roughly 10 GB).
  If InStr(1, ",gif,jpg,jpeg,ai,psd,eps,", "," & ext & ",", vbTextCompare) > 0 And File.Size <= 10485760 Then

0
 
LVL 16

Author Comment

by:JF0
ID: 17053041
It has a FileSize property. I will try it and award you the points because you have already solved my biggest problem. Thank you.
0
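A hardened version of the extension and size check discussed in this thread, as an added example (it is not code from the thread, from jmundsack, or from asp101's upload.asp). It assumes the File object exposes FileName and FileSize as mentioned above, that FileName is assignable and that SaveToDisk(folder) writes folder & "\" & FileName as the page's own attachment line implies, and that C:\Uploads exists outside the web root and is writable by the IIS worker identity. It matches the whole extension against a delimited list (a substring test such as InStr(list, ext) also passes fragments like "g" or "ps" and an empty extension), compares case-insensitively, strips any client path and rejects NUL, ";" and ":" in the name, applies the size cap to Request.TotalBytes before the body is parsed, and stores the file under a server-chosen name outside wwwroot:

```vbscript
' Added example, not code from the thread or from asp101's upload.asp.
' Drop into the submit page (or an include) in place of the bare extension test.
Option Explicit

' Delimiters on both sides make the test an exact match of the whole
' extension, never a substring hit such as "g" in "gif" or "ps" in "psd".
Const ALLOWED_EXTS = ",gif,jpg,jpeg,ai,psd,eps,"

' 10 MB = 10 * 1024 * 1024 bytes (10240000000 would be roughly 10 GB).
Const MAX_UPLOAD_BYTES = 10485760

' Assumption: this folder exists, is outside the web root, and the IIS
' worker identity can write to it. A file that is not under wwwroot cannot
' be requested or executed through IIS while it waits to be mailed and deleted.
Const UPLOAD_DIR = "C:\Uploads"

' Lower-cased extension of a name, or "" when the name has none.
Function GetExtension(fileName)
    Dim p
    p = InStrRev(fileName, ".")
    If p = 0 Or p = Len(fileName) Then
        GetExtension = ""
    Else
        GetExtension = LCase(Mid(fileName, p + 1))
    End If
End Function

' The part after the last "\" or "/". Old browsers send the client's full
' path, and an attacker can send "..\" to try to escape the upload folder.
Function BaseName(fileName)
    Dim p
    p = InStrRev(fileName, "\")
    If InStrRev(fileName, "/") > p Then p = InStrRev(fileName, "/")
    BaseName = Mid(fileName, p + 1)
End Function

' Call before Uploader.Upload(): a pure-ASP uploader reads the whole request
' body into memory, so the cap must be applied to Request.TotalBytes first,
' with some slack for the multipart boundaries and the other form fields.
Function RequestTooLarge(totalBytes)
    RequestTooLarge = (totalBytes > MAX_UPLOAD_BYTES + 65536)
End Function

' "" when the upload is acceptable, otherwise a reason that is safe to show.
Function RejectReason(fileName, fileSize)
    Dim name, ext
    name = BaseName(fileName)
    ext = GetExtension(name)
    If Len(name) = 0 Then
        RejectReason = "Missing file name."
    ElseIf InStr(name, Chr(0)) > 0 Or InStr(name, ";") > 0 Or InStr(name, ":") > 0 Then
        ' NUL, ";" and ":" can change how IIS or NTFS reads the extension.
        RejectReason = "Invalid characters in file name."
    ElseIf ext = "" Then
        RejectReason = "File has no extension."
    ElseIf InStr(ALLOWED_EXTS, "," & ext & ",") = 0 Then
        RejectReason = "File type ." & ext & " is not allowed."
    ElseIf fileSize <= 0 Then
        RejectReason = "Empty file."
    ElseIf fileSize > MAX_UPLOAD_BYTES Then
        RejectReason = "File is larger than " & (MAX_UPLOAD_BYTES \ 1048576) & " MB."
    Else
        RejectReason = ""
    End If
End Function

' Server-chosen name: random stem plus the validated extension, so nothing
' the client typed ever reaches the file system.
Function StoredName(ext)
    Randomize
    StoredName = "logo_" & CStr(Int(Rnd * 2147483647)) & "_" & CStr(Int(Timer * 100)) & "." & ext
End Function

' Validates one uploaded File, saves it under a server-chosen name and
' returns the full path, or "" (after writing the reason) when rejected.
' Assumptions about upload.asp: File.FileName is assignable, and
' SaveToDisk(folder) writes folder & "\" & File.FileName, as the thread's
' own attachment line implies.
Function AcceptUpload(File)
    Dim reason
    reason = RejectReason(File.FileName, File.FileSize)
    If reason <> "" Then
        Response.Write Server.HTMLEncode(reason)
        AcceptUpload = ""
    Else
        File.FileName = StoredName(GetExtension(BaseName(File.FileName)))
        File.SaveToDisk UPLOAD_DIR
        AcceptUpload = UPLOAD_DIR & "\" & File.FileName
    End If
End Function

' In the page: reject early with RequestTooLarge(Request.TotalBytes), then
' inside the For Each loop use  attachment = AcceptUpload(File)  and keep
' the "If Len(attachment) > 0 Then" guards on .AddAttachment and DeleteFile.
```

Two caveats that the allow-list does not cover. An extension says nothing about the bytes inside the file: a ".jpg" is whatever the sender put in it, so whoever opens the mailed attachment should treat it as untrusted. And on IIS 6 the ASP request size is separately limited by AspMaxRequestEntityAllowed (default 204800 bytes), which has to be raised for a 10 MB upload to reach the script at all.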

Question has a verified solution.
