Home     Products      Support      Corporate     Sign In 
Support Knowledge Base, Article 318
Product
FileUp
Version
3.4.0.1
Title
How to limit the size of uploads
Problem
The ability to limit the size of uploads is a common need for file transfer applications.

It is important to understand that FileUp resides on the server and the upload is initiated on the client machine, so FileUp cannot access properties of a file until it is is temporarily cached on the server. Therefore, FileUp cannot limit file size before the upload begins. To limit file size before an upload begins, you would need to use a client-side control such as SoftArtisans XFile and JFile.

However, if you are only using FileUp on the server, with the browser as your client, there is good news. FileUp CAN prevent the file from being saved permanently to disk on the server. FileUp can also limit "how much" of a large file it will allow to even be temporarily written to disk.

Solution

This article will discuss several ways to limit the size of an upload from the server using FileUp.

MaxBytes Property The MaxBytes property is useful for preventing files over a certain size from even being temporarily cached on the server. MaxBytes defines the maximum number of bytes that will be written to disk or into a database on a per-file basis. The file is still written to disk (as a temporary cache file at first), but it will be truncated after the byte specified in MaxBytes.

NOTE: MaxBytes does not return an error if it's value is exceeded. If you wish to return an error message to the user and/or to delete the file, you must add your own error handling. Documentation on how to use this property can be found at: http://support.softartisans.com/docs/FileUpV4/prog_ref_fileup_maxbytes.htm

MaxBytesToCancel Property The MaxBytesToCancel property is useful for preventing "Denial of Service" attacks. MaxBytesToCancel defines the maximum number of bytes to be uploaded before FileUp will terminate the connection. The user receives a "page not found" error. There is no way to provide a friendly error message if MaxBytesToCancel is exceeded, because the connection is broken. The value this property is applied to the size of the *entire* upload, rather than individual files. Documentation on how this property should be used can be found at: http://support.softartisans.com/docs/FileUpV4/prog_ref_fileup_maxbytestocancel.htm

Returning an Error Message to the User and Deleting the File Whether or not you use MaxBytes, you will need to add your own error handling to avoid saving a large file, and to return an error message to the user.

In your error handling, if you DO NOT call a Save method (i.e. Save, SaveAs, SaveAsBlob, SaveInVirtual) when a file is over a certain size, the file will not be moved to the final destination and the temporary cache file will be automatically deleted.

Determining if the uploaded file is too large There are a number of ways to accomplish this:

  1. Compare ASP's Request.TotalBytes with FileUp's MaxBytes for single file upload:

    This method is only useful if you are uploading one file, rather than multiple files, because ASP's Request.TotalBytes returns the size of the entire upload, not individual files. 

    <%
set upl = Server.CreateObject("SoftArtisans.FileUp")
'--- Set the cache path and default final destination for the upload
upl.Path = "C:\temp"
'--- Set MaxBytes
upl.MaxBytes = 10000
'--- Check if the total size of the upload is larger than MaxBytes
'--- This will only work if the upload consists of only one file
If Request.TotalBytes > upl.MaxBytes then
  Response.Write "Files must smaller than 10K.  Please try again."
Else 
  upl.Save  
End if
%>

     

  2. For multiple files, check FileUp's TotalBytes property for each file:

    When multiple files are uploaded, setting MaxBytes will truncate any files that are too large (again, MaxBytes is applied on a per-file level). MaxBytes does not have any return value, so how do you find out if MaxBytes was exceeded and return a friendly error message to the user? You cannot use Request.TotalBytes because this only returns the size of the entire upload

    Instead, you will need to loop through the collection and check the size of each uploaded file using FileUp's TotalBytes property. The TotalBytes property of the SAFile object returns the total number of bytes written to disk per file. This property is available as soon as the file is cached (which occurs when FileUp first references any form element). Documentation on how to use this property can be found at: http://support.softartisans.com/docs/FileUpV4/prog_ref_fileup_totalbytes.htm

    So can we just compare TotalBytes of each file to MaxBytes to see if the file is too big, the way we did with Request.TotalBytes? Not exactly. The problem is that if a user uploaded a file equal to or larger than MaxBytes, the file will be truncated, and the value of TotalBytes will equal MaxBytes exactly. If these values are equal, the file was probably too large and was truncated. However, there is always the odd chance that someone actually uploaded a file the exact size of your MaxBytes setting.

    One suggestion is to set the MaxBytes property to a value slightly larger than your actual size limit. MaxBytes will be set for the purpose of truncating large files to conserve server resources, but will not be used in your error handling.

    For example, if you do not want to save files larger than 50000 bytes then you could set MaxBytes to 50001:


    upl.MaxBytes = 50001


    You could then compare the TotalBytes property with your real size limit, and if it is too big, send an HTML response to the user and don't save the file. 

    <%
'--- Define your real size limit
sizeLimit = 5000
'--- Instantiate FileUp
Set upl = Server.CreateObject("SoftArtisans.FileUp")
'--- Set the cache path and default upload location
upl.Path = "C:\temp"
'--- Set MaxBytes to make sure very large files don't get cached to disk
'--- Use a number which is higher than your real size limit
upl.MaxBytes = 5001
'--- Check the size of each cached file from FileUp's form collection
For each item in upl.form
  '--- See if the form element is a file
  If IsObject(upl.form(item)) Then	
    '--- Check if the amount written to disk is greater than your size limit
    If upl.form(item).TotalBytes > sizeLimit then
      '--- Send a message to the user and don't save.  The file will be deleted.
      Response.Write "The file" & upl.form(item).UserFileName & "was too large"
    Else
      '--- If the file is OK, go ahead and save it
      upl.form(item).Save
    End If
  End If
Next 
%>


    Note: We recommend using MaxBytes to preserve your server resources. However, this is not strictly necessary. If you are not concerned about the caching of files which are too large, you can just compare TotalBytes with your defined size limit, and NOT save the file if it is too big. The cached temp file will be deleted.

    Example WITHOUT MaxBytes:
    <%
Set upl = Server.CreateObject("SoftArtisans.FileUp")
'--- Set the cache path and default upload location
upl.Path = "C:\temp"
'--- Check the size of each file in the upload
For each item in upl.form
  '--- See if the form element is a file
  If IsObject(upl.form(item)) Then	
    '--- Check if the file is too big
    If upl.form(item).TotalBytes > 1000 then
      '--- Send a message to the user and don't save.  The file will be deleted.
      Response.Write "The file" & upl.form(item).UserFileName & "was too large"
    Else
      '--- If the file is OK, go ahead and save it
      upl.form(item).Save
    End If
  End If
Next 
%>




    When should I use MaxBytesToCancel? The MaxBytesToCancel property provides an extra safety net in case a malicious user, or users, are attacking your server with huge requests. MaxBytes alone may not provide enough protection. With MaxBytes, FileUp will truncate the file, but will continue reading and discarding the rest of the upload, using your server's resources in the process. It is necessary for FileUp to behave this way if you want to send a message back to the user, due to the Request/Response nature of HTTP. MaxBytesToCancel, on the other hand, will completely break the connection with the user.

    To protect against malicious users, you can set MaxBytesToCancel to a value much higher than you expect your legitimate end-users to upload.

    For example:

    <%

'--- Instantiate FileUp
Set upl = Server.CreateObject("SoftArtisans.FileUp")
'--- Set the cache path and default upload location
upl.Path = "C:\temp"
'--- Set MaxBytes to make sure very large files don't get cached to disk
upl.MaxBytes = 5001
upl.MaxBytesToCancel = 1000000
%>
    Summary
    1. The way to prevent large uploads from being saved and return an error message to the user is to compare the size of the temporarily cached file with your defined size limit, and then NOT save the file if it is too large.
    2. MaxBytes or MaxBytesToCancel, while not necessary to prevent a large upload from being saved to the server, are extremely useful for protecting your server from having its resources even temporarily drained. Set MaxBytes to your practical size limit. Set MaxBytesToCancel to an amount much larger than that, so that your typical user will not experience a terminated connection.
    3. For the greatest control of upload size, including the ability to prevent large uploads before they are posted to the server, use a client-side control. SoftArtisans' client-side controls, XFile and JFile, are available separately, or bundled with FileUp Enterprise Edition, FileUp Professonal Edition and ASPStudio.

      For more information about XFile and JFile, see the XFile product information and JFile product information.



Created : 4/23/2012 4:15:45 PM (last modified : 4/23/2012 4:15:45 PM)
Rate this article!
Comments