0

I am trying to upload documents. The user is able to upload their documents, but he/she can upload images instead of documents, and I want to restrict this. How do I apply a condition? This is my upload code:

    if (FileUploadControl.PostedFile != null &&
        FileUploadControl.PostedFile.ContentLength > 0)
    {
        if (FileUploadControl.FileContent.Length < 100000)
        {
            string filename = Path.GetFileName(FileUploadControl.PostedFile.FileName);
            string folder = Server.MapPath("~/Docfiles/");
            Directory.CreateDirectory(folder);
            FileUploadControl.PostedFile.SaveAs(Path.Combine(folder, filename));
            try
            {
                cc.upload1(Txt_docde.Value, txt_dname.Value,
                    FileUploadControl.FileName, Convert.ToInt32(Docdrop.SelectedValue),
                    Convert.ToInt32(DropDownList2.SelectedValue),
                    Convert.ToString(Session["Login2"]), Convert.ToInt32(Session["UserID"]));
                StatusLabel.ForeColor = System.Drawing.Color.Green;
                //StatusLabel.ForeColor = System.Drawing.FontStyle.Bold;
                StatusLabel.Text = "Success";
            }
            catch
            {
                StatusLabel.ForeColor = System.Drawing.Color.Red;
                Label2.Text = "Failed";
            }
        }
        else
        {
            StatusLabel.ForeColor = System.Drawing.Color.Red;
            Label2.Text = "File Size to big";
        }
    }
user2931015

4 Answers

3

Make generic list of extensions you want to allow and then check if file you are trying to upload meets that extension requirement.

var allowedExtensions = new string[] { "doc", "docx", "pdf" };
var extension = Path.GetExtension(FileUploadControl.PostedFile.FileName).ToLower().Replace(".", "");

if (allowedExtensions.Contains(extension))
{
    // Good to go
}

Here is full code for you

// Requires "using System.Linq;" for Contains on the array.
if (FileUploadControl.PostedFile != null && FileUploadControl.PostedFile.ContentLength > 0)
{
    // Allow-list of extensions, compared without the leading dot and in lower case.
    var allowedExtensions = new string[] { "doc", "docx", "pdf" };
    var extension = Path.GetExtension(FileUploadControl.PostedFile.FileName).ToLower().Replace(".", "");

    // Both checks run before anything is written to disk.
    if (FileUploadControl.FileContent.Length < 100000 && allowedExtensions.Contains(extension))
    {
        // GetFileName strips any directory part sent by the client.
        string filename = Path.GetFileName(FileUploadControl.PostedFile.FileName);
        string folder = Server.MapPath("~/Docfiles/");
        Directory.CreateDirectory(folder);
        FileUploadControl.PostedFile.SaveAs(Path.Combine(folder, filename));

        try
        {
            cc.upload1(Txt_docde.Value, txt_dname.Value, FileUploadControl.FileName, Convert.ToInt32(Docdrop.SelectedValue), Convert.ToInt32(DropDownList2.SelectedValue),  Convert.ToString(Session["Login2"]),Convert.ToInt32(Session["UserID"]));
            StatusLabel.ForeColor = System.Drawing.Color.Green;
            StatusLabel.Text = "Success";
        }
        catch
        {
            StatusLabel.ForeColor = System.Drawing.Color.Red;
            Label2.Text = "Failed";
        }
    }
    else
    {
         // Reached when the file is too large or its extension is not in the allow-list.
         StatusLabel.ForeColor = System.Drawing.Color.Red;
         Label2.Text = "File Size to big";
    }
}
Stan
  • Do I add this above this code or somewhere else... `if (FileUploadControl.PostedFile != null && FileUploadControl.PostedFile.ContentLength > 0) {` – user2931015 Nov 13 '13 at 17:57
  • You can add this just after you check for size `FileUploadControl.FileContent.Length < 100000`. You can pretty much add this code anywhere you want before `CreateDirectory` or `SaveAs` functions since no point in checking file when you already saved it, right? :) – Stan Nov 13 '13 at 18:00
  • OK, now in this `if (allowedExtensions.Contains(extension)) { // Good to go }` what code do I write? – user2931015 Nov 13 '13 at 18:01
  • In this you want to actually save the file. – Stan Nov 13 '13 at 18:02
1

Try something like this to validate the file type suffix that you are interested in:

if (string.Equals(fileExt, ".pdf", StringComparison.OrdinalIgnoreCase)) {...}
IrishChieftain
  • Somebody can easily upload document.exe.pdf (where some users don't have file extensions shown and any hacker can change the icon to make it look like a Word or PDF file) and send a fake MIME type (per the other answer), and you have a malicious document on your server. So I would just change the above to make sure there is no list of all today's executable files .exe msi zip rar shs – MichaelEvanchik Nov 13 '13 at 17:54
1

You need to either check the extension of the posted file or its MIME type to detect whether it's the right format.

To get the MIME type, check the ContentType property.

ASP.NET How to get MIME Type

Tim
  • 1
    Security-wise, the MIME type technically can be faked. But this is the correct answer, and it would also be wise to check the file extension as well, as given below. – MichaelEvanchik Nov 13 '13 at 17:50
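
An added example (not code from any answer on this page) that goes beyond the extension check: it combines the extension allow-list with a check of the file's leading bytes, since the client-supplied MIME type can be faked as the comments note. `UploadCheck`, `IsAllowedDocument` and `StorageName` are hypothetical names, and the sample byte arrays are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

static class UploadCheck // hypothetical helper, not from the page
{
    // Leading bytes that a file with each allowed extension must start with.
    static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".pdf",  new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } },                  // "%PDF-"
        { ".docx", new byte[] { 0x50, 0x4B, 0x03, 0x04 } },                        // ZIP container
        { ".doc",  new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } } // OLE2 compound file
    };

    // True only when the extension is allow-listed AND the content starts with the
    // signature that extension implies. The client's ContentType is not consulted.
    public static bool IsAllowedDocument(string clientFileName, Stream content)
    {
        string ext = Path.GetExtension(Path.GetFileName(clientFileName));
        byte[] expected;
        if (string.IsNullOrEmpty(ext) || !Signatures.TryGetValue(ext, out expected)) return false;

        byte[] head = new byte[expected.Length];
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        content.Position = 0; // rewind (seekable stream assumed) so the caller can still save it
        return read == head.Length && head.SequenceEqual(expected);
    }

    // Server-generated name, so the client's file name never becomes the disk path.
    // Call only after IsAllowedDocument has returned true.
    public static string StorageName(string clientFileName)
    {
        return Guid.NewGuid().ToString("N") + Path.GetExtension(clientFileName).ToLowerInvariant();
    }

    static void Main()
    {
        // Constructed sample uploads (not real files).
        var pdf = new MemoryStream(new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34 });
        var exe = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 });
        Console.WriteLine(IsAllowedDocument("report.pdf", pdf));       // PDF bytes, .pdf name
        Console.WriteLine(IsAllowedDocument("photo.png", pdf));        // extension not in the list
        Console.WriteLine(IsAllowedDocument("document.exe.pdf", exe)); // executable bytes, .pdf name
        Console.WriteLine(StorageName("Report.PDF"));                  // random name, ".pdf" suffix
    }
}
```

In the upload handler this would be called with `FileUploadControl.PostedFile.FileName` and `FileUploadControl.PostedFile.InputStream` before `SaveAs`. A matching signature only shows that the file starts like the claimed type; the `.docx` check accepts any ZIP archive, so it narrows the format rather than proving it.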
0

If you want to look for a specific file type you can use the Path.GetExtension method.

string fileExtension = Path.GetExtension(filename);

if (fileExtension == ".doc") // or whatever file type you're looking for
{
    try
    {
        // do your work
    }
    catch (Exception)
    {
        // handle the failure
    }
}
JoshRyan