ASP.NET file upload detection types

Source: Internet
Author: User

So far I have seen only three ways of checking the type of an uploaded file. The first checks the file extension. The second checks the file header: the leading bytes differ from one file type to another, written here as the decimal values of the first two bytes run together (for example, 255216 is JPG, 7173 is GIF, 6677 is BMP, 13780 is PNG, 7790 is exe, and 8297 is RAR). The third checks the MIME content type of the file. Much of the code in this article draws on references found on the web.

Front-end file: the front-end page is the same for all three methods.

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>No title page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:FileUpload ID="FileUpload1" runat="server" />
<asp:Button ID="btn_Upload" runat="server" OnClick="btn_Upload_Click" Text="Upload" />
</div>
</form>
</body>
</html>


Code-behind file:

The first method is less secure than the second: a file such as 1.txt renamed to 1.jpg can still be uploaded. However, it is easy to understand and simple to implement, so many people online still use it.

using System;

public partial class _Default : System.Web.UI.Page
{
    protected void btn_Upload_Click(object sender, EventArgs e)
    {
        Boolean fileOk = false;
        string path = Server.MapPath("~/Images/");
        // Check whether a file has been selected
        if (FileUpload1.HasFile)
        {
            // Get the file extension and convert it to lowercase
            string fileExtension = System.IO.Path.GetExtension(FileUpload1.FileName).ToLower();
            // Only JPG and GIF images are allowed
            string[] allowExtension = { ".jpg", ".gif" };
            // Compare the extension against the allowed list
            for (int i = 0; i < allowExtension.Length; i++)
            {
                if (fileExtension == allowExtension[i])
                {
                    fileOk = true;
                    break;
                }
            }
        }
        else
        {
            Response.Write("<script>alert('you have not selected file');</script>");
        }
        // If the extension meets the criteria, upload
        if (fileOk)
        {
            FileUpload1.PostedFile.SaveAs(path + FileUpload1.FileName);
            Response.Write("<script>alert('uploaded successfully');</script>");
        }
    }
}

The second method determines the file type in the true sense.

using System;
using System.Web.UI.WebControls;

public partial class _Default : System.Web.UI.Page
{
    protected void btn_Upload_Click(object sender, EventArgs e)
    {
        try
        {
            // Check whether a file has been selected
            if (FileUpload1.HasFile)
            {
                if (IsAllowedExtension(FileUpload1))
                {
                    string path = Server.MapPath("~/Images/");
                    FileUpload1.PostedFile.SaveAs(path + FileUpload1.FileName);
                    Response.Write("<script>alert('uploaded successfully');</script>");
                }
                else
                {
                    Response.Write("<script>alert('you can only upload jpg or GIF image');</script>");
                }
            }
            else
            {
                Response.Write("<script>alert('you have not selected file');</script>");
            }
        }
        catch (Exception error)
        {
            Response.Write(error.ToString());
        }
    }

    // Key function for determining the file type
    public static bool IsAllowedExtension(FileUpload hifile)
    {
        // Opens the file by the name the client sent (the step discussed below)
        System.IO.FileStream fs = new System.IO.FileStream(hifile.PostedFile.FileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
        System.IO.BinaryReader r = new System.IO.BinaryReader(fs);
        string fileclass = "";
        // The number of bytes to read must be fixed here
        byte buffer;
        try
        {
            // Concatenate the decimal values of the first two bytes
            buffer = r.ReadByte();
            fileclass = buffer.ToString();
            buffer = r.ReadByte();
            fileclass += buffer.ToString();
        }
        catch
        {
        }
        r.Close();
        fs.Close();
        // 255216 is JPG, 7173 is GIF, 6677 is BMP, 13780 is PNG, 7790 is exe, 8297 is RAR
        if (fileclass == "255216" || fileclass == "7173")
        {
            return true;
        }
        else
        {
            return false;
        }
    }
}


However, the disadvantage is that FileStream can only access local files and cannot access remote files (advice is welcome). I tested it locally, but an error occurred after uploading it to the server, saying that the file could not be found. Finally, changing

System.IO.FileStream fs = new System.IO.FileStream(hifile.PostedFile.FileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);

to

System.IO.Stream fs = hifile.PostedFile.InputStream;

did not work either, so I had to give up this method.

 

 

The third method is a variation on the first. A 1.txt file renamed to 1.jpg cannot be uploaded, because instead of checking the file extension it checks the MIME content type of the file.

using System;

public partial class _Default : System.Web.UI.Page
{
    protected void btn_Upload_Click(object sender, EventArgs e)
    {
        Boolean fileOk = false;
        string path = Server.MapPath("~/Images/");
        // Check whether a file has been selected
        if (FileUpload1.HasFile)
        {
            // Get the MIME content type of the file
            string type = FileUpload1.PostedFile.ContentType.ToLower();
            // The MIME type of an image is "image/xxx"; only "image" is checked here
            if (type.Contains("image"))
            {
                fileOk = true;
            }
        }
        else
        {
            Response.Write("<script>alert('you have not selected file');</script>");
        }
        // If the content type meets the criteria, upload
        if (fileOk)
        {
            FileUpload1.PostedFile.SaveAs(path + FileUpload1.FileName);
            Response.Write("<script>alert('uploaded successfully');</script>");
        }
    }
}
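As an added example (not code from the original article), the header check of method 2 is written below against any Stream and combined with the extension check of method 1, so a file passes only when its name and its leading bytes agree; it goes beyond the article by matching full signatures rather than two bytes. It assumes the caller passes FileUpload1.FileName and FileUpload1.PostedFile.InputStream; UploadSniffer and IsAllowedImage are hypothetical names, the sample inputs are constructed, and PostedFile.ContentType is not consulted because it is a header value supplied by the client.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

// Added example: UploadSniffer and IsAllowedImage are hypothetical names.
public static class UploadSniffer
{
    // Full leading signatures for the two types the article allows.
    static readonly Dictionary<string, byte[][]> Signatures = new Dictionary<string, byte[][]>
    {
        { ".jpg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".gif", new[] { Encoding.ASCII.GetBytes("GIF87a"), Encoding.ASCII.GetBytes("GIF89a") } },
    };

    // True only when the extension is allowed AND the content starts with
    // a signature registered for that same extension.
    public static bool IsAllowedImage(string fileName, Stream content)
    {
        string ext = Path.GetExtension(fileName).ToLowerInvariant();
        byte[][] candidates;
        if (!Signatures.TryGetValue(ext, out candidates)) return false;

        byte[] head = new byte[8];
        int read = 0, n;
        // Stream.Read may return fewer bytes than asked for; loop until full or EOF.
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        if (content.CanSeek) content.Position = 0; // rewind for whoever reads next

        return candidates.Any(sig => read >= sig.Length && head.Take(sig.Length).SequenceEqual(sig));
    }

    public static void Main()
    {
        // Constructed sample inputs, not real files.
        byte[] jpeg = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46 };
        byte[] text = Encoding.ASCII.GetBytes("plain text from 1.txt");
        byte[] exe = { 0x4D, 0x5A, 0x90, 0x00 }; // "MZ", 7790 in the article's notation

        Console.WriteLine(IsAllowedImage("photo.jpg", new MemoryStream(jpeg)));
        Console.WriteLine(IsAllowedImage("1.jpg", new MemoryStream(text)));     // 1.txt renamed
        Console.WriteLine(IsAllowedImage("tool.jpg", new MemoryStream(exe)));   // exe renamed
        Console.WriteLine(IsAllowedImage("photo.gif", new MemoryStream(jpeg))); // extension and content disagree
        Console.WriteLine(IsAllowedImage("page.aspx", new MemoryStream(jpeg))); // extension not allowed
    }
}
```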

 

Conclusion: method 1 is simple, but it is not secure enough. Method 2 is secure, but FileStream cannot access remote files. Method 3 is as secure as method 2, is also easy to implement, and is the one recommended for use.
