Asp.net file upload control extension

Many times, we are required to upload a file with strongly-typed View and also, apply validation on uploading file using data annotation validators. In this article, I would like to share how we can upload a file and validate that file. The upload control in MVC checks the file extension as well as the limitation of file size. This validates the control before post back to Server side and shows the warning message to end-user using JavaScript.

Step 2. The first one is used to show warning message to the end-user if any fault happens during upload of file by the user. It serves as the base class for classes that provide access to individual files uploaded by client. Then, I mentioned some supported extensions. You can add any extension. Here, GetExtension method is used to get the extension of uploaded file that is file.

FileName From the path of the system. If file. If all conditions are satisfied without any warning messages, then the successful message will come. If any other warning and validation fail then the catch block will show warning message. One for [HttpGet] and another for [HttpPost] attributes. Use this property to access the contents of the file as bytes. For example, you can use the Stream object that is returned by the FileContent property to read the contents of the file as bytes and store them in a byte array.

Alternatively, you can use the FileBytes property to retrieve all the bytes in the file. You can use this property to access additional properties on the file. The ContentLength property gets the length of the file.

However, the same functionality is provided by the FileName property, the FileContent property, and the SaveAs method. The FileUpload control does not automatically save a file to the server after the user selects the file to upload. You must explicitly provide a control or mechanism to allow the user to submit the specified file.

For example, you can provide a button that the user clicks to upload the file. The code that you write to save the specified file should call the SaveAs method, which saves the contents of a file to a specified path on the server. Typically, the SaveAs method is called in an event-handling method for an event that raises a post back to the server. For example, if you provide a button to submit a file, you could include the code to save the file inside the event-handling method for the click event.

Before calling the SaveAs method to save the file to the server, use the HasFile property to verify that the FileUpload control contains a file.

If the HasFile returns true , call the SaveAs method. If it returns false , display a message to the user indicating that the control does not contain a file.

Do not check the PostedFile property to determine whether a file to upload exists because, by default, this property contains 0 bytes. As a result, even when the FileUpload control is blank, the PostedFile property returns a non-null value.

When you call the SaveAs method, you must specify the full path of the directory in which to save the uploaded file. If you do not explicitly specify a path in your application code, an exception is thrown when a user attempts to upload a file. This behavior helps keep the files on the server secure by preventing users from being able to write to arbitrary locations in your application's directory structure, as well as preventing access to sensitive root directories.

The SaveAs method writes the uploaded file to the specified directory. Therefore, the ASP. NET application must have write access to the directory on the server. There are two ways that the application can get write access. You can explicitly grant write access to the account under which the application is running, in the directory in which the uploaded files will be saved. Alternatively, you can increase the level of trust that is granted to the ASP. NET application. To get write access to the executing directory for the application, the application must be granted the AspNetHostingPermission object with the trust level set to the AspNetHostingPermissionLevel.

Medium value. Increasing the level of trust increases the application's access to resources on the server. Note that this is not a secure approach, because a malicious user who gains control of your application will also be able to run under this higher level of trust.

It is a best practice to run an ASP. NET application in the context of a user with the minimum privileges that are required for the application to run. For more information about security in ASP. One way to guard against denial of service attacks is to limit the size of the files that can be uploaded by using the FileUpload control.

You should set a size limit that is appropriate for the types of files that you expect to be uploaded. The default size limit is kilobytes KB , or 4 megabytes MB. You can allow larger files to be uploaded by setting the maxRequestLength attribute of the httpRuntime element.

To increase the maximum allowable file size for the entire application, set the maxRequestLength attribute in the Web. To increase the maximum allowable file size for a specified page, set the maxRequestLength attribute inside the location element in Web. For an example, see location Element ASP. NET Settings Schema. If your users encounter this error message, increase the value of the memoryLimit attribute in the processModel of element the Web.

The memoryLimit attribute specifies the maximum amount of memory that a worker process can use. If the worker process exceeds the memoryLimit amount, a new process is created to replace it, and all current requests are reassigned to the new process.

To control whether the file to upload is temporarily stored in memory or on the server while the request is being processed, set the requestLengthDiskThreshold attribute of the httpRuntime element.

This attribute enables you to manage the size of the input stream buffer. The default is bytes. The value that you specify should not exceed the value that you specify for the maxRequestLength attribute. The FileUpload control is designed to be used only in postback scenarios and not in asynchronous postback scenarios during partial-page rendering.

When you use a FileUpload control inside an UpdatePanel control, the file must be uploaded by using a control that is a PostBackTrigger object for the panel. UpdatePanel controls are used to update selected regions of a page instead of updating the whole page with a postback.

Initializes a new instance of the FileUpload class. Gets or sets the application-relative virtual directory of the Page or UserControl object that contains this control. Gets the collection of arbitrary attributes for rendering only that do not correspond to properties on the control.

Gets or sets the algorithm that is used to generate the value of the ClientID property. Gets a character value representing the separator character used in the ClientID property. Gets the HttpContext object associated with the server control for the current Web request. Gets a ControlCollection object that represents the child controls for a specified server control in the UI hierarchy. Gets a value indicating whether a Style object has been created for the ControlStyle property.

This property is primarily used by control developers. Gets a reference to the naming container if the naming container implements IDataItemContainer. Gets a reference to the naming container if the naming container implements IDataKeysControl. Gets or sets a value indicating whether the server control persists its view state, and the view state of any child controls it contains, to the requesting client.

Gets an array of the bytes in a file that is specified by using a FileUpload control. Gets a Stream object that points to a file to upload using the FileUpload control.

Gets the name of a file on a client to upload using the FileUpload control. Gets a value indicating whether the current server control's child controls have any saved view-state settings. Gets a value indicating whether the FileUpload control contains a file. Gets a value indicating whether the control participates in loading its view state by ID instead of index. Gets a reference to the server control's naming container, which creates a unique namespace for differentiating between server controls with the same ID property value.

Gets a reference to the Page instance that contains the server control. Gets the underlying HttpPostedFile object for a file that is uploaded by using the FileUpload control.

Gets information about the container that hosts the current control when rendered on a design surface. Gets a collection of text attributes that will be rendered as a style attribute on the outer tag of the Web server control. Gets a value that indicates whether the control should set the disabled attribute of the rendered HTML element to "disabled" when the control's IsEnabled property is false. This property is used primarily by control developers.

Gets the virtual directory of the Page or UserControl that contains the current server control. Gets or sets a value that indicates whether the control checks client input from the browser for potentially dangerous values.

Gets a dictionary of state information that allows you to save and restore the view state of a server control across multiple requests for the same page. Gets a value that indicates whether the StateBag object is case-insensitive. Called after a child control is added to the Controls collection of the Control object. Copies any nonblank elements of the specified style to the Web control, overwriting any existing style elements of the control.

This method is primarily used by control developers. Gathers information about the server control and delivers it to the Trace property to be displayed when tracing is enabled for the page. Sets the cached ClientID value to null. Deletes the view-state and control-state information for all the server control's child controls.

Copies the properties not encapsulated by the Style object from the specified Web server control to the Web server control that this method is called from. This method is used primarily by control developers. Called by the ASP. NET page framework to notify server controls that use composition-based implementation to create any child controls they contain in preparation for posting back or rendering. Creates a new ControlCollection object to hold the child controls both literal and server of the server control.

Creates the style object that is used internally by the WebControl class to implement all style related properties. Binds a data source to the invoked server control and all its child controls with an option to raise the DataBinding event.

Determines whether the server control contains child controls. If it does not, it creates child controls. As you can see above I have an array validFileTypes in which I am storing the extensions of the files that I want to allow the user to upload based. Then it loops through the array and matches that with that of the file selected by the user if it does not match user is prompted to select a valid file.

You can add the extensions of the File types that you want to allow to the array as shown in the animated GIF below. Server Side Validation Checking. GetExtension FileUpload1. FileName ;. Join "," , validFileTypes ;. Length - 1. Exit For. End If. If Not isValidFile Then.

Join "," , validFileTypes. End Sub. As you will notice the Server Side File Extension validation also use the same logic as used in client side validation checking. Here also I am maintaining a string array of valid File extensions and then matching it with the extension of the File that has been uploaded. I have also used a label which will display the error or success messages.

The above code has been tested in the following browsers. This completes the article. You can download the related source code in VB.