Product: FileUp
Version: 2.x, 3.x
Title: HOWTO: Restrict the Types of Files Uploaded
Problem
There may be times when you want to restrict the type of files that are being uploaded to the server. This is especially important if you want to guard against malicious file types, such as .exe, that may contain viruses.
You can do so by using the ContentType property of SA-FileUp and a Select condition to save only files that are a certain type. As an extra precaution against browsers that do not send sufficient MIME type information, you can check the extensions of the files.
You can also use one of our other Client-Side products, XFile or JFile, to restrict the types of files on the client before the request is sent to the server.
- To identify a file's name and extension, use the Mid() and InstrRev() methods with the UserFilename property.
- To restrict a file by media type, identify the media content of an uploaded file using the ContentType property.
Solution
You need to do three things to accomplish this:
- Parse out the filename and extension using two handy functions, Mid() and InStrRev(). Combined with the UserFilename property, they give us just the name of the file, not the full path. The variable FName is used in the responses written by the Case statement.
- Get the media content type of the uploaded file by using the ContentType property. In this example, we restrict all files except Gif and Jpeg files, so we are looking for either "image/pjpeg" or "image/gif" as the media content type. As an extra precaution against browsers that do not send sufficient MIME type information, check the extensions of the files for gif, jpg or jpeg.
- Use a Select Case statement to save the correct file and send a successful response. Notice that the variable FName is used to name the file that was saved. If the file type is incorrect, the file will be deleted and an error response will be given.
For example:
<%
'--- Instantiate the FileUp object
'---
Set upl = Server.CreateObject("SoftArtisans.FileUp")
'--- Set the path to the website's image directory
'---
upl.Path = Server.MapPath("Images")
'--- Parse out the file name (drop the client-side path)
'---
FName = Mid(upl.UserFilename, InStrRev(upl.UserFilename, "\") + 1)
'--- Parse out the extension: text after the LAST dot, lower-cased,
'--- so "a.b.GIF" yields "gif"
'---
FExtension = LCase(Mid(FName, InStrRev(FName, ".") + 1))
'--- This line parses out the Content type.
'---
FCONT = upl.ContentType
'--- This would equal to
'--- "image/pjpeg"
'--- "image/jpeg"
'--- "image/gif"
'--- "text/plain", etc.
'--- You can then use the Select Case Condition to restrict the file type.
'--- FName is HTML-encoded before it is written back to the page.
Select Case LCase(FCONT)
    Case "image/gif"
        upl.Save
        Response.Write "<P>" & Server.HTMLEncode(FName) & " has been saved."
    Case "image/pjpeg", "image/jpeg"
        upl.Save
        Response.Write "<P>" & Server.HTMLEncode(FName) & " has been saved."
    Case Else
        '---
        '--- In case the Mime type information sent by the browser
        '--- was incorrect, we will check the file extensions
        '---
        If FExtension = "gif" Then
            upl.Save
            Response.Write "<P>" & Server.HTMLEncode(FName) & " has been saved."
        ElseIf FExtension = "jpg" Or FExtension = "jpeg" Then
            upl.Save
            Response.Write "<P>" & Server.HTMLEncode(FName) & " has been saved."
        Else
            upl.Delete
            Response.Write "<P>" & "You are restricted to only upload gif and Jpeg files."
            Response.End
        End If
End Select
%>
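Both UserFilename and ContentType arrive in the browser's request, so a stricter variant of the check requires the extension to be on the allowlist in every case and uses the MIME type only to reject mismatches. The following is an added example, not SoftArtisans code: the helper names LastExtension and IsAllowedImage are hypothetical, and treating an empty or "application/octet-stream" type as insufficient MIME information is an assumption.

```vbscript
<%
'--- Added example, not SoftArtisans code. LastExtension and IsAllowedImage
'--- are hypothetical helper names; the upl.* members are those used above.

'--- Text after the LAST dot, lower-cased; "" when there is no extension.
Function LastExtension(ByVal fileName)
    Dim dotPos
    dotPos = InStrRev(fileName, ".")
    If dotPos = 0 Or dotPos = Len(fileName) Then
        LastExtension = ""
    Else
        LastExtension = LCase(Mid(fileName, dotPos + 1))
    End If
End Function

'--- True only if the extension is allowed AND the MIME type, when the
'--- browser sent a specific one, belongs to the same image format.
Function IsAllowedImage(ByVal userFilename, ByVal contentType)
    Dim mime, typeOk
    IsAllowedImage = False
    mime = LCase(Trim(contentType))
    '--- The extension decides how the web server later serves the file,
    '--- so it must always be on the allowlist.
    Select Case LastExtension(userFilename)
        Case "gif"
            typeOk = (mime = "image/gif")
        Case "jpg", "jpeg"
            typeOk = (mime = "image/jpeg" Or mime = "image/pjpeg")
        Case Else
            Exit Function
    End Select
    '--- Assumption: an empty or generic type means "insufficient MIME
    '--- information", so the extension alone decides in that case.
    IsAllowedImage = typeOk Or mime = "" Or mime = "application/octet-stream"
End Function

Set upl = Server.CreateObject("SoftArtisans.FileUp")
upl.Path = Server.MapPath("Images")
FName = Mid(upl.UserFilename, InStrRev(upl.UserFilename, "\") + 1)

If IsAllowedImage(FName, upl.ContentType) Then
    upl.Save
    Response.Write "<P>" & Server.HTMLEncode(FName) & " has been saved."
Else
    upl.Delete
    Response.Write "<P>You are restricted to only upload gif and Jpeg files."
End If
%>
```

With this variant, a file named with an extension outside the allowlist is deleted even when the request labels it "image/gif", and a .gif file sent with a specific non-image type is deleted as well.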
You can also use one of our other Client-Side products to restrict the types of files on the client before the request is sent to the server. This will free up server resources by having the entire security restriction take place on the client. These products are XFile (ActiveX Object) and JFile (Applet). FileUp is still used on the server. These products also provide several other advantages over using just the browser to upload files.
For more information:
Regarding XFile please see:
http://support.softartisans.com/docs/saxfiledocs/default.asp
Regarding JFile:
http://support.softartisans.com/docs/sajfiledocs/default.asp
Created: 12/1/2002 12:00:00 AM (last modified: 9/18/2003 11:18:16 AM)