C
chuckdfoster
I have a page that users upload files. Is there a way to restrict the file
types that they can upload?
thanks,
types that they can upload?
thanks,
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
G
Guest
Chuck,
You can use javascript to check the path entered by the user. Taking
asp.net's programming model i would suggest that you use a custom validator
and write custom validation script for client side and server side.
on your submit button set causuesvalidation to true.
in javascript you basically look for the file type and see if it matches one
you want. if yes then then set isValid to true else false and flag an error
message.
have a look at
http://aspnet.4guysfromrolla.com/articles/073102-1.aspx
http://www.411asp.net/home/tutorial/specific/web/userinte/webcontr/customva
HTH
Regards,
Hermit Dave
http://hdave.blogsot.com
You can use javascript to check the path entered by the user. Taking
asp.net's programming model i would suggest that you use a custom validator
and write custom validation script for client side and server side.
on your submit button set causuesvalidation to true.
in javascript you basically look for the file type and see if it matches one
you want. if yes then then set isValid to true else false and flag an error
message.
have a look at
http://aspnet.4guysfromrolla.com/articles/073102-1.aspx
http://www.411asp.net/home/tutorial/specific/web/userinte/webcontr/customva
HTH
Regards,
Hermit Dave
http://hdave.blogsot.com
P
Peter Blum
There are some challenges to validate the file type.
1. When you use the <input type='file'> tag, you cannot customize it to
restrict the file type by extension.
2. When you use the <input type='file'> tag, you also set the <form
enctype='multipart/form-data'>
This setting never passes the file path back to the server. It only passes
the file content. Therefore you cannot validate the file path on the server
side. So your code must be limited to client-side javascript to test the
field's pattern.
3. There is no guarantee that the browser will run your client-side code.
Microsoft's validators are limited to DHTML browsers (IE and IE/Mac) and if
the user turns of javascript, even those browsers don't work.
4. A user (in particular, a hacker) can rename an illegal file to have one
of your accepted file extensions. You must defend against this.
As a result, you have to take a different approach from looking at the file
path for a valid extension. You must allow the file to download into a
quarantined area of your server, then use some software designed to open the
file and check its contents for what you need it to be. (I'm not an expert
in file formats so I cannot recommend any particular solutions for this but
I'm sure there are third party solutions.)
Once you have this in place, you can call it from a CustomValidator on the
server side to confirm the file is valid.
--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
1. When you use the <input type='file'> tag, you cannot customize it to
restrict the file type by extension.
2. When you use the <input type='file'> tag, you also set the <form
enctype='multipart/form-data'>
This setting never passes the file path back to the server. It only passes
the file content. Therefore you cannot validate the file path on the server
side. So your code must be limited to client-side javascript to test the
field's pattern.
3. There is no guarantee that the browser will run your client-side code.
Microsoft's validators are limited to DHTML browsers (IE and IE/Mac) and if
the user turns of javascript, even those browsers don't work.
4. A user (in particular, a hacker) can rename an illegal file to have one
of your accepted file extensions. You must defend against this.
As a result, you have to take a different approach from looking at the file
path for a valid extension. You must allow the file to download into a
quarantined area of your server, then use some software designed to open the
file and check its contents for what you need it to be. (I'm not an expert
in file formats so I cannot recommend any particular solutions for this but
I'm sure there are third party solutions.)
Once you have this in place, you can call it from a CustomValidator on the
server side to confirm the file is valid.
--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.
Similar Threads
Forum statistics
Latest Threads
-
Reverse search for a website
- Started by DRCM
-
What are the key advantages of using a SaaS (Software as a Service) model for application development?
- Started by remotedevelopers
-
How to build a database-driven web page
- Started by av3mar1a153
-
Hola
- Started by luuciefer
-
Using a DTSX file with GoDaddy
- Started by IBMJunkman
-
Hello Everyone
- Started by welly
-
Problem with code
- Started by camilin05