FileUpload Control question

For security reason you can not force the user to what you want.

"JoeP" <Jo**@hotmail.comwrote in message
news:ez**************@TK2MSFTNGP05.phx.gbl...

Hi All,

I am using the FileUpload control for the ASPX page. How do you disable
the text box portion of that control, so I can force the user only to pick
up a file via the Browser button, and not to type any file name that does
not exists.

Thanks,

Joe

What kind of security issue are we talking here?

Is there any other way to validate that there is a real file out there?
Otherwise the user just can just type anything in that textbox.

Appreciate any feedback or any other suggestions.

Thanks,

Joe

JoeP,
In ASP.NET 2.0 VS2005
if the user types a full filename that does not exist then your submit
button does not do anything.
if the user types a good filePath Name then at the server level you can
check the name etc.

The File Upload control does not give us the developers the capability to
dynamically change what file to upload.
There is a general security lock on what we can see and do on the client
side.

You can write an ActiveX, JAVAApplet or a SilverLight ( using C# or VB.NET
or others ) to have an upload file that can deal with what you want
including selecting and uploading multiple files at once with multiple
selects.
In this case the client is consenting to allow you to poke around.

"JoeP" <Jo**@hotmail.comwrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...

What kind of security issue are we talking here?

Is there any other way to validate that there is a real file out there?
Otherwise the user just can just type anything in that textbox.

Appreciate any feedback or any other suggestions.

Thanks,

Joe

OK if the submit does not do anything, is there away to trap that action and
have a message for the user? I have other fields and I can validate them
using RequiredFieldValidator, but that's done in the client side.

Thanks,

Joe

good question,
even if you intercept the submit button event on the client side How would
you know if the file path is valid.

I don't have a good answer.

I hope someone else can give me and you an answer.

What file do you except and what files you don't except.

even if the name is correct and the extension is correct the file might not
have the correct content for the extension given.

Sometimes you just need to accept what can be done and move on.

I am still hoping for an answer myself.

"JoeP" <Jo**@hotmail.comwrote in message
news:eO*************@TK2MSFTNGP06.phx.gbl...

OK if the submit does not do anything, is there away to trap that action
and have a message for the user? I have other fields and I can validate
them using RequiredFieldValidator, but that's done in the client side.

Thanks,

Joe

Thanks for your reply.
I see your point. How would you limit the size of the file to 8MB?

Is that possible via the Web.Config?

re:
!Is that possible via the Web.Config?

In web.config...

<httpRuntime maxRequestLength="8192"/>

....will limit uploads to 8MB in size.

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"JoeP" <Jo**@hotmail.comwrote in message news:ef**************@TK2MSFTNGP02.phx.gbl...

Thanks for your reply.
I see your point. How would you limit the size of the file to 8MB?

Is that possible via the Web.Config?

In my case I changed it in my Machine.config
But I think if you put it in web.config then it overrides the one in
machine.

Stolen instruction from http://forums.asp.net/p/1048294/1948278.aspx

One of the great things about .NET, however, is that it usually provides a
way around limitations. You can usually change the default settings that are
in place. To change this size limit, you make some changes in either the
web.config.comments (found in the ASP.NET 2.0 configuration folder at
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONF IG) or your application's
web.config file.

In the web.config.comments file, find a node called <httpRuntimethat looks
like the following:

<httpRuntime
executionTimeout="110"
maxRequestLength="4096"
requestLengthDiskThreshold="80"
useFullyQualifiedRedirectUrl="false"
minFreeThreads="8"
minLocalRequestFreeThreads="4"
appRequestQueueLimit="5000"
enableKernelOutputCache="true"
enableVersionHeader="true"
requireRootedSaveAsPath="true"
enable="true"
shutdownTimeout="90"
delayNotificationTimeout="5"
waitChangeNotification="0"
maxWaitChangeNotification="0"
enableHeaderChecking="true"
sendCacheControlHeader="true"
apartmentThreading="false" />
A lot is going on in this single node, but the setting that takes care of
the size of the files to be uploaded is the maxRequestLength attribute. By
default, this is set to 4096 kilobytes (KB). Simply change this value to
increase the size of the files that you can upload to the server. If you
want to allow 10 megabyte (MB) files to be uploaded to the server, set the
maxRequestLength value to 11264, meaning that the application allows files
that are up to 11000 KB to be uploaded to the server.

Making this change in the web.config.comments file applies this setting to
all the applications that are on the server. If you want to apply this to
only the application you are working with, apply this node to the web.config
file of your application, overriding any setting that is in the
web.config.comments file. Make sure this node resides between the
<system.webnodes in the configuration file.

Another setting involved in the size limitation of files to be uploaded is
the value given to the executionTimeout attribute in the <httpRuntimenode.

The value given the executionTimeout attribute is the number of seconds the
upload is allowed to occur before being shut down by ASP.NET. If you are
going to allow large files to be uploaded to the server, you are also going
to want to increase this value along with the maxRequestLength value.

One negative with increasing the size of a file that can be uploaded is that
there are hackers out there who attack servers by throwing a large number of
requests at them. To guard against this, you can actually decrease the size
of the files that are allowed to be uploaded; otherwise, you may find
hundreds or even thousands of 10 MB requests hitting your server.

"JoeP" <Jo**@hotmail.comwrote in message
news:ef**************@TK2MSFTNGP02.phx.gbl...

Thanks for your reply.
I see your point. How would you limit the size of the file to 8MB?

Is that possible via the Web.Config?

Thanks Juan.

Thanks, IfThenElse<svery usfull info.