Allow User to Upload File

Because ASP.NET executes on the server, there is no way to access any of the resources on the client computer, including files. However, you can use the System.Web.UI.HtmlControls.HtmlInputFile control to allow a user to upload a file. This control renders itself as the HTML <input type="file"> element, which is displayed as a Browse button and a text box that contains a filename. The user clicks the Browse button and chooses a file. This step takes place automatically and doesn't require any custom code. The user must then click another button (which you must create) to start the actual upload process.


Before you can create a working file upload page, you need to take these steps:




  • You must set the encoding type of the form to multipart/form-data. To make this change, find the <form> tag in your .aspx file and modify it as shown here:




<form id="Form1" enctype="multipart/form-data" runat="server">




  • You need to add the HtmlInputFile control. In Microsoft Visual Studio .NET, you'll find this control under the HTML tab of the Toolbox, with the name File Field. Once you've added this control, you must right-click it and choose Run As Server Control, which creates the required <input type="file" runat="server"> tag.




  • You must add another button that actually starts the file transfer using the specified file by calling the HtmlInputFile.PostedFile.SaveAs method.




Figure 7.3 shows a sample page that allows file uploading. It includes an HtmlInputFile control and uses the following code:




using System;
using System.Web;
using System.Web.UI.WebControls;
using System.IO;

public class UploadPage : System.Web.UI.Page {

    protected System.Web.UI.WebControls.Label lblInfo;
    protected System.Web.UI.WebControls.Button cmdUpload;
    protected System.Web.UI.HtmlControls.HtmlInputFile FileInput;

    // (Designer code omitted.)

    private void cmdUpload_Click(object sender, System.EventArgs e) {

        if (FileInput.PostedFile.FileName == "") {

            // No file was submitted.
            lblInfo.Text = "No file specified.";

        } else {

            try {

                if (FileInput.PostedFile.ContentLength > 1048576) {

                    // Forbid files larger than one megabyte.
                    lblInfo.Text = "File is too large.";

                } else {

                    // The saved file will retain its original filename.
                    // GetFileName drops any client-side directory part.
                    string fileName =
                        Path.GetFileName(FileInput.PostedFile.FileName);

                    // SaveAs needs a rooted path (ASP.NET 2.0 and later
                    // reject a relative one by default). The App_Data
                    // folder used here is an assumed target location.
                    string savePath =
                        Path.Combine(Server.MapPath("~/App_Data"), fileName);

                    // The ASP.NET process must have rights for the location
                    // where it is attempting to save the file, or an
                    // "access denied" exception will occur.
                    FileInput.PostedFile.SaveAs(savePath);
                    lblInfo.Text = "File " + fileName + " uploaded.";
                }
            } catch (Exception err) {

                lblInfo.Text = err.Message;
            }
        }
    }
}






The code can check various properties of the submitted file, including its size, before saving it, which allows you to prevent a denial of service attack that tricks an ASP.NET application into filling the hard disk with large files. However, this code doesn't prevent a user from submitting the file in the first place, which can still slow down the server and be used to launch a different type of denial of service attack, one that works by tying up all free ASP.NET worker threads. To prevent this type of attack, use the <httpRuntime> tag in the Web.config file to specify a maximum file size. Specify the maximum, in kilobytes, using the maxRequestLength attribute.


<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>

    <httpRuntime maxRequestLength="4096" />
    <!-- Other settings omitted. -->

  </system.web>
</configuration>




If you don't specify a maximum length, the default value of 4096 (4 megabytes) will apply. If the user attempts to submit a file that's too large, an exception will be thrown immediately when the page is posted back.
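
The property checks described above can cover the file name as well as the size. The following is an added example, not code from the original page: it keeps the one-megabyte limit, accepts only an assumed allow-list of extensions, and stores the file under a server-generated name. UploadPolicy, ResolveSavePath, the extension list and the D:\UploadStore folder are hypothetical.

```csharp
using System;
using System.IO;

// Added example: class, method and extension list are assumptions,
// not part of the page's sample or of ASP.NET itself.
public static class UploadPolicy
{
    // Same one-megabyte cap the page's handler enforces.
    public const int MaxBytes = 1048576;

    // Hypothetical allow-list; set it to the types the application needs.
    private static readonly string[] AllowedExtensions =
        { ".jpg", ".png", ".pdf", ".txt" };

    // Returns the full path to save under, or null with a reason in 'error'.
    public static string ResolveSavePath(string clientFileName,
        int contentLength, string uploadRoot, out string error)
    {
        error = null;
        if (string.IsNullOrEmpty(clientFileName))
        { error = "No file specified."; return null; }
        if (contentLength <= 0 || contentLength > MaxBytes)
        { error = "File is empty or too large."; return null; }

        // The browser may send a full client path. Keep only the last
        // segment, and use it solely to read the extension.
        string ext = Path.GetExtension(Path.GetFileName(clientFileName))
                         .ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
        { error = "File type not allowed."; return null; }

        // Server-generated name: the client cannot pick the stored name,
        // overwrite an earlier upload, or place a script-mapped extension.
        string storedName = Guid.NewGuid().ToString("N") + ext;
        return Path.Combine(uploadRoot, storedName);
    }
}

// Usage inside cmdUpload_Click, within the existing try block
// (D:\UploadStore is a hypothetical folder outside the site root):
//   string error;
//   string path = UploadPolicy.ResolveSavePath(
//       FileInput.PostedFile.FileName,
//       FileInput.PostedFile.ContentLength, @"D:\UploadStore", out error);
//   if (path == null) lblInfo.Text = error;
//   else FileInput.PostedFile.SaveAs(path);
```

A name such as report.aspx is rejected because its extension is not on the list, and photo.JPG is stored as a 32-character hexadecimal name ending in .jpg.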


