Source code for preventing users from uploading invalid files

Source: Internet
Author: User
After recent debugging, the code for the solution described in Madman's April 12 log entry, "A solution for invalid files produced by user uploads", has been completed. Criticism and corrections are welcome.

[filename]:upload.asp
[Code]:
<%@ LANGUAGE="VBSCRIPT" CODEPAGE="936" %>
<!--#include virtual="Upload.inc"-->
<%
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Runs when the form is submitted
    Const upfilesize = 100 ' File size limit, in kilobytes (KB)
    Const upfiletype = ".gif.jpg.jpeg" ' Allowed file types; modify as needed
    Const targetpath = "/publish/images/" ' Path under the web site root where files are stored; must end with "/"

    Dim upload, thisfile, formName, icount
    Set upload = New upload_5xsoft ' Create the upload object

    flag = True ' Initialize the upload status flag
    For Each formName In upload.ifile ' Iterate over all uploaded file fields
        Set thisfile = upload.ifile(formName) ' Get the file object

        If thisfile.FileSize = 0 Then
            flag = False
            msg = "Please select the file you want to upload."
            Call Showerr(msg)
        End If

        If thisfile.FileSize > upfilesize * 1024 Then
            flag = False
            msg = "File size exceeds the limit."
            Call Showerr(msg)
        End If

        If InStr(upfiletype, Getextendname(thisfile.FileName)) = 0 Then
            flag = False
            msg = "File format does not meet the requirements."
            Call Showerr(msg)
        End If

        If flag Then
            ' Create a temporary upload folder
            temppath = "/publish/images/" & Session.SessionID & "/"
            Set fso = CreateObject("Scripting.FileSystemObject")
            If Not fso.FolderExists(Server.MapPath(temppath)) Then
                ' Create the folder if it does not exist
                fso.CreateFolder Server.MapPath(temppath)
            End If
            Set fso = Nothing

            ' Perform the file upload
            setfilename = Now() ' Use the current time as the file name
            setfilename = Replace(setfilename, "-", "") ' Remove the date separator "-"
            setfilename = Replace(setfilename, " ", "") ' Remove spaces
            setfilename = Replace(setfilename, ":", "") & Getextendname(thisfile.FileName) ' Remove the time separator ":" and append the file extension
            thisfile.SaveAs Server.MapPath(temppath & setfilename)
        End If
    Next

    Call Resulttip()
    Response.End()
End If
%>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title></title>
<style type="text/css">
<!--
body {
    font-size: 12px;
}
-->
</style>

<body leftmargin="0" topmargin="0">
<form action="" method="post" enctype="multipart/form-data" name="frm_pic">
<input type="file" name="file">
<input type="submit" name="submit" value="Upload">
</form>
1. Only pictures in <%=upfiletype%> format can be uploaded.<br>
2. Please keep the picture size within <%=upfilesize%> KB.<br>
3. You are responsible for the content of the pictures you upload.
</body>
<%
Sub Resulttip()
    ' Displays the result of the upload operation
    Response.Write("<meta http-equiv=Content-Type content='text/html; charset=gb2312'>")
    Response.Write("<title></title>")
    Response.Write("<script>parent.frm_publish.p_image.value='" & setfilename & "'</script>") ' Pass the file name to the hidden form control of the parent page
    Response.Write("<body leftmargin=0 topmargin=0>")
    Response.Write("<table><tr><td><font color=red><b>Image uploaded successfully</b></font></td></tr></table>")
    Response.Write("</body>")
End Sub

Function Getextendname(FileName)
    ' Returns the extension of the uploaded source file
    Dim extname
    extname = LCase(FileName)
    extname = Mid(extname, InStrRev(extname, "."))
    Getextendname = extname
End Function

Sub Showerr(msg)
    ' Displays an error message and stops processing
    Response.Write(msg)
    Call Closeobject()
    Response.End()
End Sub

Sub Closeobject()
    ' Releases the objects
    Set upload = Nothing
    Set thisfile = Nothing
End Sub
%>

The source code above can be used with only slight modification. It is best to load it from the parent page using an IFRAME tag. The parent page's form is named "frm_publish" and contains a hidden form control, <input name="p_image" type="hidden" id="p_image" value="0">, which records the file name after uploading. If the form name or the control name changes, the corresponding part of the source code (marked in red in the original) must be changed to match; otherwise the value cannot be passed.
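
An added example (not part of the original post) contrasting the InStr substring test used in upload.asp with an exact-match allowlist, and building the stored name from fixed-width date parts instead of the locale-formatted Now() string. The function names SafeExtension, SubstringCheck, ExactCheck, StoredName and P2 and the sample file names are constructed for illustration; the script runs as a stand-alone .vbs file under cscript.

```vbscript
Option Explicit

' Allowlist held as separate entries instead of one ".gif.jpg.jpeg" string.
Dim allowedExt : allowedExt = Array(".gif", ".jpg", ".jpeg")

' Extension from the last "." onward, lower-cased; "" when there is no "." (Mid() fails on position 0).
Function SafeExtension(fileName)
    Dim pos : pos = InStrRev(fileName, ".")
    If pos = 0 Then
        SafeExtension = ""
    Else
        SafeExtension = LCase(Mid(fileName, pos))
    End If
End Function

' The test used in upload.asp: substring search inside the type string.
Function SubstringCheck(ext)
    SubstringCheck = (InStr(".gif.jpg.jpeg", ext) > 0)
End Function

' Exact, whole-extension comparison against each allowlist entry.
Function ExactCheck(ext)
    Dim entry
    ExactCheck = False
    For Each entry In allowedExt
        If ext = entry Then
            ExactCheck = True
            Exit Function
        End If
    Next
End Function

' Stored name built from fixed-width date parts, independent of the server's date format.
Function StoredName(ext)
    Dim t : t = Now()
    StoredName = Year(t) & P2(Month(t)) & P2(Day(t)) & P2(Hour(t)) & P2(Minute(t)) & P2(Second(t)) & ext
End Function

Function P2(n)
    P2 = Right("0" & n, 2)
End Function

' Constructed sample names; prints both verdicts side by side.
Dim sample, sampleExt
For Each sample In Array("photo.JPG", "anim.gif", "notes.j", "trailing.", "noext", "page.asp")
    sampleExt = SafeExtension(sample)
    WScript.Echo sample & vbTab & "substring=" & SubstringCheck(sampleExt) & vbTab & "exact=" & ExactCheck(sampleExt)
Next
WScript.Echo "stored as: " & StoredName(".jpg")
```

The substring test accepts any fragment of the type string, such as ".j", "." or an empty extension, while the exact comparison accepts only the three listed extensions. The no-dot guard in SafeExtension should therefore only be used together with the exact comparison.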
