0

I have a file upload form that uses the FileUpload control in ASP.NET 4.0. On my upload button I check the file that is being submitted for some restrictions like this:

    FileUpload fu = new FileUpload();

    if (fu.HasFile)
    {
        if ((extension == ".jpg") || (extension == ".png") || (extension == ".gif"))
        {
            if (fu.PostedFile.ContentLength <= 2MB)
            {
                fu.SaveAs("path"); // save the file on the server
                // check file header ...
            }
        }
    }

The problem is that when I submit a video (which obviously has a different extension and size > 2MB), instead of checking this on the client and giving the error I have set up, it uploads it and then the client receives the error. The problem is, what if the client submits a 1GB file?! I mean, how does it pass from extension and size validation to SaveAs()? I can't understand. Any opinions? Thanks!

3 Answers

2

Unfortunately, that code runs on the server, which means it can only do those checks after the file has been uploaded.

If the user attempts to upload a very large file, the request length limits (defined in web.config) will catch it, and the upload will be aborted once the limit is reached.

Other than that, you really do have to check the file on the server; and you should check more than just the extension. Someone could easily change the extension of a file to something else. That may or may not be an actual problem - but most likely is! (if nothing else, subsequent website users would see broken image placeholders when the browser tries to load a Word document as if it were an image, for example)


3 Comments

I got it, I remember now that in my web.config file I have set the maxRequestLength="40960" which means the request is 40 MB of uploading at once. My question is, since a user can upload multiple files (each one via its own FileUpload control), if I set the maxRequestLength to 1MB, is that for each FileUpload control or the sum of all the file sizes from all controls? All images (max 20) are uploaded with a button click, so is that a single request?
@osmiumbin It's actually for the whole request; so yes, all of the files would be included, plus the rest of the HTTP request (such as cookies, the path, querystring values, other form values, etc)
Well, any idea how I could limit the request for each file? I just don't want the users to be able to submit any file size they want. It consumes bandwidth and other bad things. Thanks.
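
One way to apply the first answer's advice to check more than the extension, together with the per-file limit asked about in the comments above, as an added example that is not code from the thread. `UploadCheck.Validate` is a hypothetical helper; in the question's handler it would be called with `fu.PostedFile.FileName`, `fu.PostedFile.ContentLength` and `fu.PostedFile.InputStream` before `fu.SaveAs`, and the sample bytes in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

static class UploadCheck
{
    const int MaxBytesPerFile = 2 * 1024 * 1024; // 2 MB per file (the asker's limit)

    // Leading bytes that identify each allowed image format.
    static readonly Dictionary<string, byte[][]> Signatures = new Dictionary<string, byte[][]>
    {
        { ".jpg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".png", new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".gif", new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },     // GIF87a
                          new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }   // GIF89a
    };

    // Returns null when the file is acceptable, otherwise the reason it was rejected.
    public static string Validate(string fileName, long length, Stream content)
    {
        string ext = (Path.GetExtension(fileName) ?? "").ToLowerInvariant();
        byte[][] allowed;
        if (!Signatures.TryGetValue(ext, out allowed)) return "extension not allowed";
        if (length <= 0 || length > MaxBytesPerFile) return "file size out of range";

        // Read up to 8 header bytes; Read may return fewer than requested, so loop.
        var head = new byte[8];
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0) read += n;
        if (content.CanSeek) content.Position = 0; // rewind so a later save writes the whole file

        bool match = allowed.Any(sig => read >= sig.Length && head.Take(sig.Length).SequenceEqual(sig));
        return match ? null : "content does not match extension";
    }

    static void Main()
    {
        // Constructed samples: ZIP container bytes (as in a .docx) renamed to .png, and a real PNG header.
        byte[] renamed = { 0x50, 0x4B, 0x03, 0x04, 0, 0, 0, 0 };
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0 };
        Console.WriteLine(Validate("report.png", renamed.Length, new MemoryStream(renamed)) ?? "ok");
        Console.WriteLine(Validate("photo.png", png.Length, new MemoryStream(png)) ?? "ok");
        Console.WriteLine(Validate("clip.avi", 1L << 30, Stream.Null) ?? "ok");
    }
}
```

These checks run on the server after the request body has arrived, so `maxRequestLength` remains the only bound on the total size of the request.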
0

Is this your actual code? What is 2MB? It's not a string or an integer. I'm surprised it even compiled. You should have something like this:

    int iFileSize = file.ContentLength;

    if (iFileSize > 1000000)  // 1MB approx (actually less though)
    {
        // File is too big so do something here
        return;
    }

2 Comments

It's not the exact code, it was just an easier representation of my code. Thanks.
Well, you could attach a client side event to validate the content of the file being uploaded. Check this out: beansoftware.com/ASP.NET-FAQ/FileUpload-Validation.aspx
0

If you are using HTML5 then you can use FileReader. FileReader Javascript

  1. You can validate from the client side for size and content type.
  2. Once it gets validated, you can post it to the server.

Code taken from: FileReader Javascript

<script>
  function handleFileSelect(evt) {
    var files = evt.target.files; // FileList object

    // files is a FileList of File objects. List some properties.
    var output = [];
    for (var i = 0, f; f = files[i]; i++) {
      output.push('<li><strong>', escape(f.name), '</strong> (', f.type || 'n/a', ') - ',
                  f.size, ' bytes, last modified: ',
                  f.lastModifiedDate ? f.lastModifiedDate.toLocaleDateString() : 'n/a',
                  '</li>');
    }
    document.getElementById('list').innerHTML = '<ul>' + output.join('') + '</ul>';
  }

  document.getElementById('files').addEventListener('change', handleFileSelect, false);
</script>

Polyfills for FileReader

  1. Filereader polyfill
  2. Browser Support.

2 Comments

Sorry but I won't use HTML5. Not all browsers support it. Thanks.
@osmiumbin you can use polyfills.
