There are some challenges to validate the file type.
1. When you use the <input type='file'> tag, you cannot customize it to
restrict the file type by extension.
2. When you use the <input type='file'> tag, you also set the <form
enctype='multipart/form-data'>
This setting never passes the file path back to the server. It only passes
the file content. Therefore you cannot validate the file path on the server
side. So your code must be limited to client-side javascript to test the
field's pattern.
3. There is no guarantee that the browser will run your client-side code.
Microsoft's validators are limited to DHTML browsers (IE and IE/Mac) and if
the user turns of javascript, even those browsers don't work.
4. A user (in particular, a hacker) can rename an illegal file to have one
of your accepted file extensions. You must defend against this.
As a result, you have to take a different approach from looking at the file
path for a valid extension. You must allow the file to download into a
quarantined area of your server, then use some software designed to open the
file and check its contents for what you need it to be. (I'm not an expert
in file formats so I cannot recommend any particular solutions for this but
I'm sure there are third party solutions.)
Once you have this in place, you can call it from a CustomValidator on the
server side to confirm the file is valid.
--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx