Solved

ASP.Net File upload control limit file extensions

Posted on 2009-03-31
Last Modified: 2012-05-06
How can I limit the type of files that are allowed to be uploaded using the code below?
Imports System.IO
Partial Class _Default
    Inherits System.Web.UI.Page
    Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSubmit.Click
 
        Dim con As New System.Data.OleDb.OleDbConnection
        Dim myPath As String
 
 
        myPath = Server.MapPath("App_Data/BestPractices.mdb")
        con.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0; Data source=" & myPath & ";"
 
        Dim insCmd As New System.Data.OleDb.OleDbCommand
 
        ' Parameterized insert: OleDb parameters are positional, so they are added in column order.
        insCmd.CommandText = "insert into Data (Import_Export,Location,Descp,Contact,Share_MDY) " & _
                     "values (?,?,?,?,?)"
        insCmd.Parameters.AddWithValue("@Import_Export", ddType.SelectedValue)
        insCmd.Parameters.AddWithValue("@Location", txtLocation.Text)
        insCmd.Parameters.AddWithValue("@Descp", txtDescription.Text)
        insCmd.Parameters.AddWithValue("@Contact", txtContact.Text)
        insCmd.Parameters.AddWithValue("@Share_MDY", Date.Parse(StartDatetxt.Text))
 
 
 
        insCmd.Connection = con
 
        Dim idCmd As New System.Data.OleDb.OleDbCommand
 
        idCmd.Connection = con
        con.Open()
        insCmd.ExecuteNonQuery()
        con.Close()
 
 
        Dim strStatusMessage As String
 
        Try
            Dim hfc As HttpFileCollection = Request.Files
 
            For i As Integer = 0 To hfc.Count - 1
 
                Dim hpf As HttpPostedFile = hfc(i)
 
 
                If hpf.ContentLength > 0 Then
 
                    If Not File.Exists(Server.MapPath("~/uploads/") & "\" & Path.GetFileName(hpf.FileName)) Then
 
                        hpf.SaveAs(Server.MapPath("~/uploads/") & "\" & Path.GetFileName(hpf.FileName))
                        strStatusMessage = "File saved at: \\cletnsrv01\EBE\Reports_Data_List_Charts\Best Practice Sharing\"
                    Else
                        strStatusMessage = "Diddnt Overwrite"
                    End If
                End If
 
            Next i
 
 
        Catch Ex As Exception
            strStatusMessage = "Unable to save the uploaded file.  " _
             & "The error was: " & Ex.Message
 
        Finally
            lblSaveResults.Visible = True
            lblSaveResults.Text = strStatusMessage
            lblreceive.Visible = True
            tblresults.Visible = True
            lblFileName1.Text = FileUpload1.PostedFile.FileName
            lblFileType1.Text = FileUpload1.PostedFile.ContentType
            lblFileSize1.Text = FileUpload1.PostedFile.ContentLength
 
 
            ' Report each upload control independently, reading from its own PostedFile.
            If FileUpload2.HasFile Then
                lblFileName2.Text = FileUpload2.PostedFile.FileName
                lblFileType2.Text = FileUpload2.PostedFile.ContentType
                lblFileSize2.Text = FileUpload2.PostedFile.ContentLength
            Else
                lblFileName2.Text = ""
                lblFileType2.Text = ""
                lblFileSize2.Text = ""
            End If

            If FileUpload3.HasFile Then
                lblFileName3.Text = FileUpload3.PostedFile.FileName
                lblFileType3.Text = FileUpload3.PostedFile.ContentType
                lblFileSize3.Text = FileUpload3.PostedFile.ContentLength
            Else
                lblFileName3.Text = ""
                lblFileType3.Text = ""
                lblFileSize3.Text = ""
            End If

            If FileUpload4.HasFile Then
                lblFileName4.Text = FileUpload4.PostedFile.FileName
                lblFileType4.Text = FileUpload4.PostedFile.ContentType
                lblFileSize4.Text = FileUpload4.PostedFile.ContentLength
            Else
                lblFileName4.Text = ""
                lblFileType4.Text = ""
                lblFileSize4.Text = ""
            End If
        End Try
    End Sub
End Class

Question by:ITHelper80
 
LVL 23

Expert Comment

by:apresto
ID: 24030737
If you want to simply check the extension of a file you can use the FileInfo class of the System.IO namespace.
FileInfo file = new FileInfo("C:\\myfile.asp");
then you can access the extension with the file.Extension attribute of this object. Knowing this you can create an If/Switch statement to carry out an action depending on the extension
0
 
LVL 23

Expert Comment

by:apresto
ID: 24030752
Or, you can just use this:
System.IO.Path.GetExtension(this.hpf.PostedFile.FileName);
0
 
LVL 6

Author Comment

by:ITHelper80
ID: 24031706
Could you offer a snippet of how to use System.IO.Path.GetExtension(this.hpf.PostedFile.FileName);
to prevent someone from uploading say an .exe file?
0

Accepted Solution

by:
godirect earned 275 total points
ID: 24032179
You could throw an ExpressionValidator out there and make sure to validate before running anything.


<asp:RegularExpressionValidator id="RegularExpressionValidator1" runat="server" ErrorMessage="Upload Excel, PDF and ZIP files only." ValidationExpression="^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w].*))(\.xls|\.XLS|\.pdf|\.PDF|\.zip|\.ZIP|\.Zip)$" ControlToValidate="hpf" Display="None"></asp:RegularExpressionValidator>

0
 
LVL 6

Author Comment

by:ITHelper80
ID: 24033374
Godirect.

Your validation code does work, except when I click on the submit button it tries to validate the field again and throws an error. How can I stop that?
0
 
LVL 23

Expert Comment

by:apresto
ID: 24034987
You can set the "CausesValidation" attribute in the button to false, but this means that when you click submit it will not validate any of the form.
<asp:Button runat="server" CausesValidation="false"...
And in response to your previous question, you can use the System.IO Example like this: (but godirect's is a better solution)

   ' GetExtension returns the extension with its leading dot, e.g. ".exe"
   If System.IO.Path.GetExtension(hpf.FileName).ToLower() = ".exe" Then
      ' This file is invalid, do something
   Else
      ' This IS a valid file, do something else
   End If

0
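
A server-side version of the extension check discussed in the two answers above, as an added example that is not code from any poster in this thread. It uses an allowlist rather than blocking ".exe", and runs inside the upload handler, because the handler in the question saves the file without consulting the validator's result. The names UploadPolicy, GetSafeUploadName and TrySave are hypothetical, and the allowed extensions are assumed from the validator's error message.

```vb
Imports System
Imports System.IO
Imports System.Web

Public Module UploadPolicy
    ' Assumed allowlist, taken from the validator's error message (Excel, PDF, ZIP).
    Private ReadOnly AllowedExtensions As String() = {".xls", ".pdf", ".zip"}

    ' Returns a file name that is safe to store, or Nothing if the upload is rejected.
    Public Function GetSafeUploadName(ByVal clientFileName As String) As String
        If String.IsNullOrEmpty(clientFileName) Then Return Nothing

        ' Some browsers send the full client path; keep only the last segment,
        ' treating both "\" and "/" as separators.
        Dim name As String = clientFileName.Substring( _
            clientFileName.LastIndexOfAny(New Char() {"\"c, "/"c}) + 1)

        ' Windows drops trailing dots and spaces ("a.exe." is stored as "a.exe"),
        ' so strip them before reading the extension.
        name = name.TrimEnd("."c, " "c)
        If name.Length = 0 Then Return Nothing

        ' Rejects ":" (alternate data streams), control characters and similar.
        If name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then Return Nothing

        Dim ext As String = Path.GetExtension(name)   ' includes the leading dot
        For Each allowed As String In AllowedExtensions
            If String.Equals(ext, allowed, StringComparison.OrdinalIgnoreCase) Then Return name
        Next
        Return Nothing
    End Function

    ' Saves one posted file under uploadDir only if it passes the allowlist.
    Public Function TrySave(ByVal hpf As HttpPostedFile, ByVal uploadDir As String) As Boolean
        If hpf Is Nothing OrElse hpf.ContentLength = 0 Then Return False

        Dim safeName As String = GetSafeUploadName(hpf.FileName)
        If safeName Is Nothing Then Return False

        Dim target As String = Path.Combine(uploadDir, safeName)
        If File.Exists(target) Then Return False   ' same no-overwrite rule as the question's code
        hpf.SaveAs(target)
        Return True
    End Function
End Module
```

In the question's loop, the File.Exists/SaveAs pair would become a single call such as TrySave(hpf, Server.MapPath("~/uploads/")). The extension only describes the name, not the content, so the uploads folder should also be configured so that nothing in it is executed by the web server.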
 
LVL 6

Author Comment

by:ITHelper80
ID: 24035024
Thanks apresto, but my problem is I am doing validation of other fields, so I can't disable that attribute.
0
 
LVL 23

Assisted Solution

by:apresto
apresto earned 225 total points
ID: 24035036
Ok, well add the attributes that you want to have the button validate to a validation group, then add the button itself to a validation group and this should solve your problem.
Add this to the Validation Controls and the Button that fires the validation:
...runat="server" ValidationGroup="MyValGroup" Id=".....
0
 
LVL 6

Author Comment

by:ITHelper80
ID: 24038445
Thanks, that took care of it. Since both apresto and godirect helped me solve this problem I am going to split the points. Thanks to you both.
0
 
LVL 23

Expert Comment

by:apresto
ID: 24038992
No problem, glad we could help
Apresto
0
