ASP.NET File upload - Validation - asp.net

In our application , we are using asp.net FileUpload control to upload files.
Requirement is , user should be able to upload only ".doc, .xls , .pdf" files.
System should not allow him to upload other files. To achieve this we are validating the extension of the uploaded file. If it is not valid then throwing error message.. this works fine..
But if i change the any exe file as .doc file , then system is allowing to upload. this should not happen.
Is there any way to validate the file with its content instead of its extension ..?

Check out this question/answer on stackoverflow. I belive this is a duplicate question.
Also, look into reading a file's magic number especially if you are just trying to determine if the file is one of a few acceptable types. Magic number Wikipedia

Uploadify is a good file uploading tool that I have found which allows you to specify which extensions you allow the user to see when uploading their files. It also has alot of other cool options and it is highly customizeable. It uses a combination of jquery and flash to allow the user to upload more than one file at a time as well (if desired).

Related

File Viewer for all extention for asp.net

I have archive website application, this software for archive all document a company. Admin this software upload any extension in this software like AutoCAD, images(png,gif,...), pdf file, etc, I want when user select a file show this file in viewer in browser, But I do not know what tool to use, please help me, thanks all.
Create an image from every file uploaded. Show that to end users.
There is no tool or component that will allow you to show all propriety file formats that exists today.
For every pariticular file format that you wont to support you must have code that understands that format, AFAIK component suite for ASP.NET that have biggest number of supported file formats is Aspose.NET :
http://www.aspose.com/.net/total-component.aspx

Determining .exe file in time of upload

I have developed File Upload web page in ASP.NET. Now user can rename a .exe file to txt or some other extension and upload the same. I want to restrict that. How I can implement that in ASP.NET?
The only safe way to do this is to get the byte [] from the file that has been posted and examine it to determine if the file is indeed in one of the formats you allow the user to upload. You don't need to save the file, you can just get the byte[] from the HttpPostedFile object.
Other than examining the content (looking for magic numbers, for example) there isn't an infallible way to make sure that the user is not attempting to upload something that you don't allow.

how can we prevent .exe type file upload in a website?

Suppose we have a example.exe file.
we first put that file in a new folder
and then zip that folder with any zipping software,
Can we prevent that zipped folder upload in a website?
how can we do that?
You cannot prevent it, because you can't tell what the browser is going to submit before it submits it. All you can do is when the file arrives on the server, check the file extension - if it's an exe (or a .zip and you open it up and find an .exe) then reject it.
You can use something like SWFupload to get a handle on the file before it's uploaded, but the best that'll do is tell you the name of the file.
Besides, they could just take "example.exe" change the name to "example.txt" and still upload it...
You check on the server. Checking with javascript in form.onsubmit is dumb because its quite simple to post a form with a file to the same URL and skip your super secure javascript powered page.

Open File Dialog Asp.Net

I am creating an excel report in vb.net using the office interop. When the report is completed I am saving the excel file on the C drive. The users have asked to save file anywhere they want not just the c drive. Can someone give me some code to popup an opend file dialog in asp.net?
I want the dialog to popup in a saveAs in ASP.NET. I know how to do it in win forms, but I am creating an excel report in asp.net and calling the worksheet objects SaveAs property that excepts a fileName. So right now I just hardcode a file name in there. The users want to choose a file location
I think what you want is actually rather simple.
You can't save a file to the user's computer due to security restrictions (would you want a website saving a file to your computer?)
What you need to do is:
Complete report
Save report file to location on server, IE (.../myWebsite/files/GUID/myReport.rpt)
Display link on next screen pointing to the report file
Doing this the user can right-click and save the file to wherever they want on their computer.
You can clean up these files on whatever schedule you would like.
Assuming you are actually talking about a desktop, winforms app then you can use the built in FileSaveDialog.
Official documentation is here:
http://msdn.microsoft.com/en-us/library/system.windows.forms.savefiledialog.aspx
but there are tons of tutorials explaining it out there:
http://www.google.co.uk/search?q=vb.net+savefiledialog
You can server files with the Open / Save dialog by using Response.TransmitFile().
The user is then presented with a save as dialog where they can choose the filename and the location on their computer.
You normally do this inside a HttpHandler. A simple one is described here:
http://blogs.msdn.com/petel/archive/2005/12/01/499189.aspx

ASP.NET File uploading-dynamic file names

I have a web page where i have an ASP.NET file upload control to upload files from client machine to Server.Now i want to do the uploading n number of times.Ex : I want to upload 100 files from my local pc to server.The 100 file names i can read from an excel file in my program.But is there any way to assign this file to the file upload control ?
No, as a security feature, FilUpload controls do not allow you to set what to download (imagine if you sign on to a website, and it is set to upload a passwords file or something).
Now there is probably another control, or a way to code around this, buut the FileUpload control will not allow it.
I would recommend using the jQuery Multifile Uploader which would take care of a UI (if you need one). And the actual uploads with Free ASP Uploads which takes care of the actual file transfer. Though it sounds like you are tkaing care of the programs programatically, so you can skip the multifule and just work with free asp upload.
You'll have to make your own Flash object or something to accomplish this, the basic HTML/ASP.Net controls won't let you do what you're looking for.
This will require creating some kind of an active or installable control. In order to get around the security hole of doing this, you're ultimately going to have to be able to execute code on the machine to select and upload the file.
And at that point, you're platform specific, so...
I would strongly suggest that instead of trying to have a web site automatically upload files for you, that you make a WinForms utility to accomplish this task and upload the files wherever you need, communicate with the web site over web services, etc.
This is a security restriction, you cant script the file selection of an upload box as it would allow hackers to write scripts to steal files off your computer.
You could use this silverlight upload utility which is my list of "things to use when I get the chance".
It has a nice UI and supports uploading many files at once. I originally tracked it down doing some research for a photography website that we were quoting for but that project fell through.
Anyway the project can be found here:
http://www.michielpost.nl/Silverlight/MultiFileUploader/
It also has full source code included so even if the control's developers abandon it you still have the choice to edit it yourself.

Resources