FileUpload control in ASP.NET

Source: Internet
Author: User

You can use the FileUpload control to send files from your computer to your server.

You can use the FileUpload control to do the following:

Let users upload files that are stored at a specific location on the server.

Restrict the size of files that can be uploaded.

Check the properties of an uploaded file before storing it.

The FileUpload control allows you to upload images, text files, or other files. The FileUpload control displays a text box where you can enter the name of the file you want to upload to the server. The control also displays a "Browse" button, which displays a file navigation dialog box. (The displayed dialog box depends on the operating system of your computer.) For security reasons, file names cannot be preloaded into the FileUpload control.

Process uploaded files
When you select a file to be uploaded and submit the page, the file is uploaded as part of the request. The file is cached in its entirety in server memory. After the file has been uploaded, your code starts running.

You can access the uploaded file in the following ways:

As a byte array exposed in the FileBytes property of the FileUpload control.

As a stream exposed in the FileContent property.

As an object of type HttpPostedFile in the PostedFile property. The PostedFile object exposes properties such as ContentType and ContentLength, which provide you with information about the uploaded file.

While your code runs, you can check the characteristics of the file, such as its name, size, and MIME type, and then save it. The file can be handled as a byte array or as a stream. In addition, both the FileUpload control and the HttpPostedFile object support the SaveAs method, which writes the file to disk.

There are no inherent restrictions on the storage location of uploaded files. However, to save the file, the ASP.NET process must have permission to create the file at the specified location. In addition, as a security measure, applications can be configured to require an absolute path rather than a relative path for saving files. If the requireRootedSaveAsPath attribute of the httpRuntime configuration element is set to true (the default), you must provide an absolute path when saving the uploaded file.

You can create an absolute path based on the root folder of the application by using the MapPath method of the HttpServerUtility class and passing to this method the tilde (~), which represents the root folder of the application.

The maximum file size that can be uploaded depends on the value of the maxRequestLength configuration setting. If you try to upload a file larger than the maximum allowed value, the upload fails.

Use the FileUpload control in partial-page updates
The FileUpload control is designed to be used only in postbacks, not in asynchronous postbacks during partial-page rendering. When you use the FileUpload control inside an UpdatePanel control, the file must be uploaded by a control that is a PostBackTrigger object for the panel. The UpdatePanel control is used to update selected areas of a page instead of updating the entire page with a postback.

 

Security and FileUpload controls
The FileUpload control lets users upload potentially malicious files, including script files and executable files. You cannot limit in advance the files that users can upload. If you want to restrict the types of files that users can upload, you must check the file characteristics after the file has been uploaded, such as the file extension and the value of the file's ContentType property.

Before the page is submitted, you can use client script to check the file name typed in the text box. Although checking the file name on the client is useful, it does not ensure that users cannot upload insecure file types, such as executable files.

Use the FileUpload Web server control to upload files

1. Add the FileUpload control to the page.

For security reasons, file names cannot be preloaded into the FileUpload control.

2. In an event handler (such as the handler for the page's Load event), perform the following operations:

A. Check whether the control has an uploaded file by testing the HasFile property of the FileUpload control.

B. Check the file name or MIME type to ensure that the user has uploaded a file you want to receive. To check the MIME type, obtain the HttpPostedFile object exposed as the PostedFile property of the FileUpload control. Then, you can obtain the MIME type of the sent file from its ContentType property.

In some cases, the MIME type of uploaded files may be forged, so only checking the MIME type of files is not a reliable security check.

C. Save the file to your specified location. You can call the SaveAs method of the HttpPostedFile object. Alternatively, you can use the InputStream property of the HttpPostedFile object to handle the uploaded file as a byte array or byte stream.

The following example shows how to use uploaded files. The code checks the extension of the uploaded file against a hard-coded list of allowed file extensions and rejects all other types of files. It then writes the file to the UploadedImages folder of the current website. The file is saved with the name it had on the client computer. Because the FileName property of the HttpPostedFile object returns the complete path of the file on the client computer, the FileName property of the FileUpload control is used instead.

Do not display the path and file name of the saved file to the user. This may expose useful information to malicious users.

// Code-behind for a page that contains FileUpload1 and Label1 (requires "using System;").
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        bool fileOK = false;

        // Absolute path of the target folder under the application root.
        string path = Server.MapPath("~/UploadedImages/");

        if (FileUpload1.HasFile)
        {
            // Compare the extension in a culture-independent way.
            string fileExtension =
                System.IO.Path.GetExtension(FileUpload1.FileName).ToLowerInvariant();
            string[] allowedExtensions =
                { ".gif", ".png", ".jpeg", ".jpg" };

            for (int i = 0; i < allowedExtensions.Length; i++)
            {
                if (fileExtension == allowedExtensions[i])
                {
                    fileOK = true;
                }
            }
        }

        if (fileOK)
        {
            try
            {
                // FileUpload1.FileName is the file name only, without the client path.
                FileUpload1.PostedFile.SaveAs(path
                    + FileUpload1.FileName);
                Label1.Text = "File uploaded!";
            }
            catch (Exception)
            {
                // Do not reveal the path or the exception details to the user.
                Label1.Text = "File could not be uploaded.";
            }
        }
        else
        {
            Label1.Text = "Cannot accept files of this type.";
        }
    }
}
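
The page notes that the extension and the MIME type are both supplied by the client and that the saved name should not be exposed. The following added example (not code from the original page) goes one step further than the extension check above: it also compares the first bytes of the content with the signature expected for that extension and returns a server-generated file name. The UploadValidator class, the TryGetSafeName method and the 2 MB limit are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example: UploadValidator and its 2 MB limit are hypothetical, not from the page.
static class UploadValidator
{
    const int MaxBytes = 2 * 1024 * 1024; // assumed application limit

    // Leading bytes each allowed extension must start with.
    static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } },   // "GIF8"
        { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
    };

    // Returns a server-generated file name when every check passes, otherwise null.
    public static string TryGetSafeName(string clientFileName, byte[] content)
    {
        if (string.IsNullOrEmpty(clientFileName) || content == null) return null;
        if (content.Length == 0 || content.Length > MaxBytes) return null;

        string ext;
        try { ext = Path.GetExtension(Path.GetFileName(clientFileName)); }
        catch (ArgumentException) { return null; } // invalid path characters

        byte[] signature;
        if (!Signatures.TryGetValue(ext, out signature)) return null;

        // The extension is only a claim; the content must start with the matching signature.
        if (content.Length < signature.Length ||
            !content.Take(signature.Length).SequenceEqual(signature)) return null;

        // Never reuse the client-supplied name on disk.
        return Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    static void Main()
    {
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 }; // constructed sample
        byte[] exe = { 0x4D, 0x5A, 0x90, 0x00 };                               // constructed "MZ" header
        Console.WriteLine(TryGetSafeName("photo.PNG", png) ?? "rejected"); // PNG bytes, PNG name
        Console.WriteLine(TryGetSafeName("tool.png", exe) ?? "rejected");  // executable renamed to .png
        Console.WriteLine(TryGetSafeName("page.aspx", png) ?? "rejected"); // extension not on the list
    }
}
```

In a page, the call would be TryGetSafeName(FileUpload1.FileName, FileUpload1.FileBytes), with the returned name appended to the mapped folder path before SaveAs. A matching signature narrows what is accepted but does not prove that the rest of the file is a valid image.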
