Support Knowledge Base, Article 265
Product
FileUp
Version
2.x, 3.x
Title
HOWTO: Restrict the Types of Files Uploaded
Problem
There may be times when you want to restrict the type of files that are being uploaded to the server. This is especially important if you want to guard against malicious file types, such as .exe, that may contain viruses.

You can do so by using the ContentType property of SA-FileUp and a Select condition to save only files that are a certain type. As an extra precaution against browsers that do not send sufficient MIME type information, you can check the extensions of the files.

You can also use one of our other Client-Side products, XFile or JFile, to restrict the types of files on the client before the request is sent to the server.
  • To identify a file's name and extension, use the Mid() and InstrRev() methods with the UserFilename property.
  • To restrict a file by media type, identify the media content of an uploaded file using the ContentType property.
Solution
You need to do three things to accomplish this:
  1. Parse out the filename and extension using two handy methods - Mid() and InstrRev(). The combination of these methods and the UserFilename property will get us just the name of the file, not the full path. The variable Fname is used within the response of the Case condition statement.

  2. Get the media content type of the uploaded file by using the ContentType property. In this example, we restrict all files except GIF and JPEG files, so we are looking for either "image/pjpeg" or "image/gif" as the media content type. As an extra precaution against browsers that do not send sufficient MIME type information, check the extensions of the files for gif, jpg or jpeg.

  3. Use a Case condition statement to save the correct file and send a successful response. Notice that the variable FName is used to name the file that was saved. If the file type is incorrect, the file will be deleted and an error response will be given.

    For example:
    
    <%

    '--- Instantiate the FileUp object
    Set upl = Server.CreateObject("SoftArtisans.FileUp")

    '--- Set the path to the website's image directory
    upl.Path = Server.MapPath("Images")

    '--- Parse out the file name (drop the client-side path)
    FName = Mid(upl.UserFilename, InStrRev(upl.UserFilename, "\") + 1)

    '--- Parse out the extension: the text after the last dot,
    '--- lower-cased so that "GIF" and "gif" compare equal
    FExtension = LCase(Mid(FName, InStrRev(FName, ".") + 1))

    '--- Read the content type sent by the browser.
    FCONT = upl.ContentType

    '--- This would equal
    '--- "image/pjpeg"
    '--- "image/jpeg"
    '--- "image/gif"
    '--- "text/plain", etc.

    '--- You can then use the Select Case condition to restrict the file type.
    Select Case LCase(FCONT)
        Case "image/gif"
            upl.Save
            Response.Write "<P>" & FName & " has been saved."

        Case "image/pjpeg", "image/jpeg"
            upl.Save
            Response.Write "<P>" & FName & " has been saved."

        Case Else
            '---
            '--- In case the MIME type information sent by the browser
            '--- was incorrect, we will check the file extensions
            '---
            If FExtension = "gif" Then
                upl.Save
                Response.Write "<P>" & FName & " has been saved."

            ElseIf FExtension = "jpg" Or FExtension = "jpeg" Then
                upl.Save
                Response.Write "<P>" & FName & " has been saved."

            Else
                upl.Delete
                Response.Write "<P>" & "You are restricted to only upload gif and Jpeg files."
                Response.End

            End If
    End Select
    %>
    
    
    You can also use one of our other client-side products to restrict the types of files on the client before the request is sent to the server. This will free up server resources by having the entire security restriction take place on the client. These products are XFile (ActiveX Object) and JFile (Applet). FileUp is still used on the server. These products also provide several other advantages over using just the browser to upload files.

    For more information:
          Regarding XFile please see:
          http://support.softartisans.com/docs/saxfiledocs/default.asp

          Regarding JFile:
          http://support.softartisans.com/docs/sajfiledocs/default.asp
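
The file name and the content type are both supplied by the client, so the variant below applies the extension check to every upload and uses the content type only as a second check. This is an added example, not SoftArtisans code: BaseName, LastExtension and IsAllowedImage are hypothetical helper names, and treating an empty or "application/octet-stream" content type as "the browser sent no usable type" is an assumption. Only the FileUp members already used above appear.

```vbscript
<%
'--- Added example; BaseName, LastExtension and IsAllowedImage are
'--- hypothetical helpers, not part of the FileUp API.

'--- File name without any client-side path (handles \ and /).
Function BaseName(userFilename)
    Dim p
    p = InStrRev(userFilename, "\")
    If InStrRev(userFilename, "/") > p Then p = InStrRev(userFilename, "/")
    BaseName = Mid(userFilename, p + 1)
End Function

'--- Lower-cased text after the LAST dot; "" when there is no dot or
'--- the name ends in a dot.
Function LastExtension(fileName)
    Dim p
    p = InStrRev(fileName, ".")
    LastExtension = ""
    If p > 0 And p < Len(fileName) Then LastExtension = LCase(Mid(fileName, p + 1))
End Function

'--- The extension must always be gif, jpg or jpeg. The content type must
'--- agree with it, unless the browser sent no usable type (assumption:
'--- empty or "application/octet-stream").
Function IsAllowedImage(userFilename, contentType)
    Dim ct, generic
    ct = LCase(Trim(contentType & ""))
    generic = (ct = "" Or ct = "application/octet-stream")
    IsAllowedImage = False
    Select Case LastExtension(BaseName(userFilename))
        Case "gif"
            IsAllowedImage = (generic Or ct = "image/gif")
        Case "jpg", "jpeg"
            IsAllowedImage = (generic Or ct = "image/jpeg" Or ct = "image/pjpeg")
    End Select
End Function

Dim upl
Set upl = Server.CreateObject("SoftArtisans.FileUp")
upl.Path = Server.MapPath("Images")

If IsAllowedImage(upl.UserFilename, upl.ContentType) Then
    upl.Save
    '--- HTMLEncode because the file name is client-supplied text
    Response.Write "<P>" & Server.HTMLEncode(BaseName(upl.UserFilename)) & " has been saved."
Else
    upl.Delete
    Response.Write "<P>You are restricted to only upload gif and Jpeg files."
End If
%>
```

With these helpers, a name such as "photo.gif.txt" or one with no extension is rejected whatever content type accompanies it, and "photo.GIF" is accepted.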
Created : 12/1/2002 12:00:00 AM (last modified : 9/18/2003 11:18:16 AM)