[ASP.net] Two ways to restrict uploading file types

Source: Internet
Author: User


In general, to prevent security problems caused by users uploading unwanted files, such as Trojans and hacking programs, web applications restrict the types of files that users are allowed to upload. This article describes how to use the built-in properties of a Web control in an ASP.NET application to limit the type of uploaded files simply and efficiently.

Before calling the SaveAs method of the PostedFile object to save the uploaded file, you can get the name of the uploaded file from the FileName property of the PostedFile object. With the file name, you can compare the file extension to determine whether the uploaded file belongs to a file type that is allowed.

Based on this idea, we get the following code:

' Path is in System.IO; sFilePath holds the uploaded file's name.
If Path.GetExtension(sFilePath) <> ".zip" Then
    Label2.Text = "This application only allows uploading of files in zip format, please select again!"
    Return
End If

If you upload a file with an extension other than .zip, you will find that the file cannot be uploaded. However, this does not mean that files in other formats cannot get through. In fact, if the file's extension is changed to .zip before uploading, the check above has no effect.

The reason is that the check above only examines the file name string and does not analyze the file format any further. Therefore, if you want to restrict the uploaded file types more thoroughly, you need to use the ContentType property of the PostedFile object. The ContentType property returns the MIME (Note 1) content type of the file sent by the client: before sending the request to the server, the browser determines the MIME type of the content and submits it to the server as part of the request. With the MIME type information (Note 2), the server learns the file type that the browser determined, rather than relying on the file name alone.

' ContentType is the MIME type the browser sent with the request.
If File1.PostedFile.ContentType <> "application/zip" Then
    Label2.Text = "This application only allows uploading of files in zip format, please select again!"
    Return
End If

At this point, if you try the trick of changing the file extension, you will find that the file can no longer be uploaded.

Note 1: MIME (Multipurpose Internet Mail Extensions) is a technical specification that is primarily used to represent files in different encoding formats during Internet transmission.

Note 2: To find the MIME definition for a given file format, start Registry Editor and find the registry key that corresponds to the file extension under HKEY_CLASSES_ROOT. If a MIME definition exists for that file format, a value named "Content Type" appears in the right pane, and its data is the MIME definition of the file format.

Combining the two methods above restricts uploads in most cases. However, someone who is willing to change the MIME value in the registry can still upload malicious programs. In that case, the only options are to harden the program and the system so that the extension of the uploaded file cannot be changed, or to use a custom control that applies more stringent detection measures.
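
One form a more stringent check could take, as an added example that is not part of the original article: besides the extension, compare the first bytes of the uploaded content with the ZIP local file header signature, which the client cannot change by renaming the file or editing its registry. The module name ZipUploadCheck and the function LooksLikeZip are hypothetical; in a page, fileName and content would come from File1.PostedFile.FileName and File1.PostedFile.InputStream.

```vbnet
Imports System
Imports System.IO

Public Module ZipUploadCheck
    ' Local file header signature at the start of a non-empty ZIP archive: "PK" 03 04.
    ' An empty archive starts with "PK" 05 06 and is rejected by this check.
    Private ReadOnly ZipSignature As Byte() = {&H50, &H4B, &H3, &H4}

    ' Hypothetical helper: True only if the name ends in .zip (compared without
    ' regard to case, unlike the article's check) AND the content starts with the signature.
    Public Function LooksLikeZip(fileName As String, content As Stream) As Boolean
        If Not String.Equals(Path.GetExtension(fileName), ".zip", StringComparison.OrdinalIgnoreCase) Then
            Return False
        End If

        Dim header(ZipSignature.Length - 1) As Byte
        Dim total As Integer = 0
        ' Stream.Read may return fewer bytes than requested, so loop until full or end of stream.
        While total < header.Length
            Dim n As Integer = content.Read(header, total, header.Length - total)
            If n = 0 Then Return False ' shorter than the signature
            total += n
        End While
        ' Rewind so later code reads the upload from the beginning.
        If content.CanSeek Then content.Position = 0

        For i As Integer = 0 To ZipSignature.Length - 1
            If header(i) <> ZipSignature(i) Then Return False
        Next
        Return True
    End Function

    Public Sub Main()
        ' Constructed sample inputs: a ZIP header, an executable header ("MZ"), a truncated file.
        Dim zipBytes As Byte() = {&H50, &H4B, &H3, &H4, &H14, &H0}
        Dim exeBytes As Byte() = {&H4D, &H5A, &H90, &H0, &H3, &H0}
        Dim shortBytes As Byte() = {&H50, &H4B}
        Console.WriteLine(LooksLikeZip("report.zip", New MemoryStream(zipBytes)))
        Console.WriteLine(LooksLikeZip("renamed.zip", New MemoryStream(exeBytes)))
        Console.WriteLine(LooksLikeZip("short.zip", New MemoryStream(shortBytes)))
    End Sub
End Module
```

A matching signature only shows that the file begins like a ZIP archive; it says nothing about what the archive contains.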
