You just saw an easy way to add some ASP.NET validation server controls to your ASP.NET page to perform a client side validation of the file extension (in just a textual manner). Now let's take a look at how to perform a similar operation on the server-side.
mcmcomasp
Contributor
6834 Points
1436 Posts
Re: Fileupload: allow only .jpg .gif and .png
Jul 09, 2008 04:31 PM
This is another good idea as well. One problem with peeking into the stream is that sometimes you can get errors with uploading the file. I have found that I actually have to dump the stream and re-upload the whole thing from the beginning after peeking at the first few bytes; if not, sometimes the image does not re-assemble itself. This looks like a good solution if it works.
mcm
tsolbayar
Member
58 Points
36 Posts
Re: Fileupload: allow only .jpg .gif and .png
Sep 06, 2009 09:48 AM
    // file_ext was used without a declaration in the posted snippet
    string file_ext;
    if (FileUpload1.HasFile)
    {
        try
        {
            // Accept files up to 2 MB (2097152 bytes)
            if (FileUpload1.FileContent.Length <= 2097152)
            {
                // Upper-case the extension so the comparisons are case-insensitive
                file_ext = System.IO.Path.GetExtension(FileUpload1.FileName).ToUpper();
                if (file_ext == ".BMP")
                {
                    try
                    {
                        FileUpload1.SaveAs(Server.MapPath("UploadFiles") + "\\" + FileUpload1.FileName);
                    }
                    catch (System.IO.DirectoryNotFoundException exc)
                    {
                        try
                        {
                            System.IO.Directory.CreateDirectory(Server.MapPath("UploadFiles"));
                        }
                        catch (Exception ex)
                        {
                            // handling code is here…
                        }
                    }
                }
                else if (file_ext == ".JPG")
                {
                    try
                    {
                        FileUpload1.SaveAs(Server.MapPath("UploadFiles") + "\\" + FileUpload1.FileName);
                    }
                    catch (System.IO.DirectoryNotFoundException exc)
                    {
                        try
                        {
                            System.IO.Directory.CreateDirectory(Server.MapPath("UploadFiles"));
                        }
                        catch (Exception ex)
                        {
                            // handling code is here…
                        }
                    }
                }
                else if (file_ext == ".PNG")
                {
                    try
                    {
                        FileUpload1.SaveAs(Server.MapPath("UploadFiles") + "\\" + FileUpload1.FileName);
                    }
                    catch (System.IO.DirectoryNotFoundException exc)
                    {
                    }
                }
                else
                {
                    // Message lists the extensions this code actually accepts
                    Label3.Text = "Only .bmp, .jpg and .png extensions are allowed";
                }
            }
            else
            {
                Label3.Text = "File maximum size is 2MB";
            }
        }
        catch (Exception exc)
        {
            // handling code is here…
        }
    }
I have written this code. Maybe it will help you. Try this one.
ArneB
Member
14 Points
41 Posts
Re: Fileupload: allow only .jpg .gif and .png
Oct 14, 2009 06:40 AM
Let me introduce || (or) and && (and) to you tsolbayar :)
Write your if check like this using ||
    if (file_ext == ".BMP" || file_ext == ".JPG" || file_ext == ".PNG")
It shouldn't matter if a .exe file is being renamed to .jpg or .gif or whatever because it won't execute the file unless it's .exe. The image browser will simply try to open the file and get an error as it's not recognizable. But as mentioned I think you'll get the problem sorted if you load the image into a System.Drawing.Image, and use the FromStream() method, then you could also validate the image size and dimension to make sure it's not huge.
A bit of a late reply, but if some people are still searching these forums as I was then it could be handy.
sensei_cz1
Member
17 Points
12 Posts
Re: Fileupload: allow only .jpg .gif and .png
Jan 21, 2010 08:52 AM
I believe there is a much easier way to find out whether the posted binary data is an image or not:
    // Requires: using System.Drawing; using System.Drawing.Imaging;
    Image uploadedImage = null;
    if (ImageUpload.HasFile && ImageUpload.FileName != string.Empty && ImageUpload.FileContent.Length > 0)
    {
        try
        {
            // Throws if the posted data cannot be decoded as an image
            uploadedImage = Image.FromStream(ImageUpload.PostedFile.InputStream);
        }
        catch (Exception ex)
        {
            lblUploadStatus.Text = "Selected file is not an image.<br />" + ex.Message;
        }
        if (uploadedImage != null)
        {
            string savePath = string.Format("{0}/{1}", Server.MapPath("~/images/orig/upload_temp"), ImageUpload.FileName);
            // Re-encodes the decoded image as JPEG, whatever the original format was
            uploadedImage.Save(savePath, ImageFormat.Jpeg);
            uploadedImage.Dispose();
        }
    }
Hope this will help.
hans_v
All-Star
35998 Points
6551 Posts
Re: Fileupload: allow only .jpg .gif and .png
Jan 21, 2010 08:21 PM
It's a common mistake to think that Validation Controls only work on client side; however, they ALSO work on server side, so why would you need to implement this code?
hans_v
All-Star
35998 Points
6551 Posts
Re: Fileupload: allow only .jpg .gif and .png
Jan 21, 2010 08:24 PM
Even if you're sure that you're dealing with an image, you're still not sure!
http://forums.asp.net/t/1514476.aspx
hans_v
All-Star
35998 Points
6551 Posts
Re: Fileupload: allow only .jpg .gif and .png
Jan 21, 2010 08:30 PM
Client side scripts can never be considered a solution, because you cannot trust them. At the most, they can help, preventing unnecessary postbacks to the server and providing a richer UI, but that's it! All validation should be done at server side also!
mcmcomasp
Contributor
6834 Points
1436 Posts
Re: Fileupload: allow only .jpg .gif and .png
Jan 21, 2010 08:43 PM
Glad to see this thread still sparks debate all this time later.
hans_v is right. Client side script can only be used to filter blatant extension differences - a server side solution is the only way to determine if a file is really of a given type. Reading the file stream is still my favourite but I do like attempting to create an image from the stream and seeing if that returns a valid image or not. It would be interesting to see if any malicious file types can either:
a) mimic an image type for the first (x) bytes of the stream....
b) trick the Image.FromStream method to create an image (don't know if that was the exact method name but you get what I'm saying)
The image from stream method though probably requires the whole file to already be transmitted to the server, whereas reading the stream you can just grab a subset and dump it if you want to.
mcm
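The checks discussed in this thread combined into one server-side routine, as an added example that is not code from any poster: a signature peek followed by a rewind, a full `Image.FromStream` decode whose `RawFormat` must agree with the signature, a dimension cap, and a re-encoded copy stored under a server-generated name. `ImageUploadValidator`, `SaveIfImage`, `uploadDir` and the 2 MB / 4096 px limits are assumptions of this example.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Linq;

public static class ImageUploadValidator
{
    const long MaxBytes = 2 * 1024 * 1024;   // assumed limits for this example
    const int MaxSide = 4096;
    static readonly byte[] Jpeg = { 0xFF, 0xD8, 0xFF };
    static readonly byte[] Gif = { 0x47, 0x49, 0x46, 0x38 };   // "GIF8"
    static readonly byte[] Png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
    static bool StartsWith(byte[] h, int n, byte[] sig) { return n >= sig.Length && h.Take(sig.Length).SequenceEqual(sig); }

    // Returns the path of the re-encoded copy, or null if the upload is rejected.
    // 'input' would be FileUpload1.PostedFile.InputStream; it must be seekable.
    public static string SaveIfImage(Stream input, string uploadDir)
    {
        if (!input.CanSeek || input.Length == 0 || input.Length > MaxBytes) return null;
        // 1) Cheap pre-filter: peek at the signature, then rewind to byte 0
        //    so the decoder below sees the whole file again.
        var head = new byte[8];
        input.Position = 0;
        int read = input.Read(head, 0, head.Length);
        input.Position = 0;
        ImageFormat format = StartsWith(head, read, Jpeg) ? ImageFormat.Jpeg
            : StartsWith(head, read, Gif) ? ImageFormat.Gif
            : StartsWith(head, read, Png) ? ImageFormat.Png : null;
        if (format == null) return null;

        // 2) A signature can be mimicked: require a full decode that agrees with it.
        try
        {
            using (var img = Image.FromStream(input, false, true))
            {
                if (!img.RawFormat.Equals(format)) return null;
                if (img.Width > MaxSide || img.Height > MaxSide) return null;
                // 3) Re-encode under a server-chosen name; the client's name is unused.
                string ext = format.Equals(ImageFormat.Jpeg) ? ".jpg"
                    : format.Equals(ImageFormat.Gif) ? ".gif" : ".png";
                Directory.CreateDirectory(uploadDir);
                string path = Path.Combine(uploadDir, Guid.NewGuid().ToString("N") + ext);
                img.Save(path, format);
                return path;
            }
        }
        catch (ArgumentException) { return null; }   // FromStream: not a valid image
    }
}
```

Saving the decoded image rather than the uploaded bytes means only pixel data the decoder accepted reaches disk; for an animated GIF this keeps a single frame.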
sarojsigdel
Member
15 Points
8 Posts
Re: Fileupload: allow only .jpg .gif and .png
Feb 20, 2010 09:04 PM
Go to http://southdesk.com/content/aspnet-file-uploader-validation-file-type-and-file-size to see the solution.
sarojsigdel
Member
15 Points
8 Posts
Re: Fileupload: allow only .jpg .gif and .png
Feb 20, 2010 09:05 PM