input type file alternative and file upload best practice
Posted
by Ioxp
on Stack Overflow
See other posts from Stack Overflow
or by Ioxp
Published on 2010-03-11T21:10:33Z
Indexed on
2010/03/11
21:14 UTC
Read the original article
Hit count: 663
Background: I am working on a file upload page that will extend an existing web portal. This page will allow for an end user to upload files from there local computer to our network (the files will not be stored on the web server, rather a remote workstation). The end user will have the ability to view the data that they have submitted by hyper-linking the files that have been uploaded on this page.
Question 1: Is there an ASP.net alternative to the <input type="file" runat="server" />
HTML tag? The reason for asking is i would rather use an image button and display the file as an asp label on the portal to keep with a consistent style.
Question 2: So i understand that giving the end user the ability to upload files to the server and then turn around to show them the data that they posted poses a security threat. So far i am using the id.PostedFile.ContentType and the file extension to reject the data if its not an accepted format (i.e. "text/plain", "application/pdf", "application/vnd.ms-excel", or "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"). Also the location where the files are uploaded to has a sufficient amount of virus and malware protection and this is not a concern. What, from the C# point of view, additional steps should i take to ensure that the end user cant take advantage and compromise the system in regards to allowing them to upload files?
© Stack Overflow or respective owner