Limiting File Upload Sizes with ASP.NET

Sbanerjee
Posted in ASP.NET category for Intermediate level

This example, which can be used as a code snippet, shows how to restrict users to uploading a file or image within a size limit.
Introduction

Users can upload images of any arbitrary size. This is not good for either network traffic or database size, and raises the possibility of a nasty denial of service attack. So, the next step is to limit the uploaded file size to a reasonable value. The customer chose 128K as their maximum image size.

Your first thought might be to check the ContentLength property of the uploaded file to see if it's within the expected size, and to bail out of the procedure if it's too large. Unfortunately, this is only half of a solution. While that check would prevent the file from getting to the SQL Server database, it still requires the entire file to be uploaded first, potentially clogging the network. Fortunately, ASP.NET provides a better solution.

It turns out that you can add a tag to the Web.Config file to specify a maximum size for uploaded files, as follows:

 

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="128" />
    <!-- ... -->
  </system.web>
</configuration>

The maxRequestLength attribute of the httpRuntime tag specifies, in KB, the largest HTTP request that the application will accept. The default is 4096 KB, which is a little large for most applications. Be careful about setting this too low, though, as it applies to every request, not just uploaded files. If you're moving a lot of data around in ViewState, for example, you could run afoul of a too-low setting.
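One way to avoid penalising every request is to scope the tight limit to the upload page with a location element. The configuration below is an added example, not part of the original article: it assumes the upload page is UploadForm.aspx (the name used later in this article) and, for the requestFiltering section, that the site runs on IIS 7 or later, where IIS enforces its own request size cap in bytes.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- Site-wide ceiling for every request, in KB (4096 KB is the default).
         Pages that post large ViewState are still covered by this value. -->
    <httpRuntime maxRequestLength="4096" />
  </system.web>

  <!-- Tighter limit for the upload page only (assumed name: UploadForm.aspx).
       The limit counts the whole HTTP request, so form fields and multipart
       overhead are included in the 128 KB, not just the file bytes. -->
  <location path="UploadForm.aspx">
    <system.web>
      <httpRuntime maxRequestLength="128" />
    </system.web>

    <!-- Assumption: IIS 7 or later. maxAllowedContentLength is in BYTES
         (default 30000000). It is set above the ASP.NET limit on purpose:
         moderately oversized uploads are rejected by ASP.NET, while very
         large ones are cut off by IIS before they reach the application. -->
    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxAllowedContentLength="1048576" />
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Requests that exceed the IIS limit are answered by IIS itself with a 404.13 status, so they never reach application code; only requests between the two limits are rejected by ASP.NET.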

With this change to the Web.Config file, large files won't even be accepted by the server. But the user experience could use some work. What happens if the user tries to upload a large image with this setting in place:

"PAGE CANNOT BE DISPLAYED ERROR MESSAGE"

ASP.NET rejects the request in the rudest way possible, telling the client that there's no such page.

Telling the User What Happened

To get a better error message across to the user, you need to turn to another corner of the application. If your first impulse is to put a Try/Catch block in the page load to catch the error, think again: ASP.NET doesn't load the page at all in this situation. You have to move up the processing chain to the error event in the global.asax.vb file, which is called for every error in the application.

The strategy I settled on was to catch the error, and then redirect the user back to the original page with an error message. That way, they'll get a chance to try again with a different file. To start the process, I added some code to the global.asax.vb file:

 

Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires when an error occurs
    ' Check to see whether we came from the upload form
    If System.IO.Path.GetFileName(Request.Path) = "UploadForm.aspx" Then
        ' Get the error details; TryCast yields Nothing rather than
        ' throwing if the error is not an HttpException
        Dim appException As System.Exception = Server.GetLastError()
        Dim checkException As HttpException = TryCast(appException, HttpException)
        ' Verify the expected error (-2147467259 is &H80004005, E_FAIL)
        If checkException IsNot Nothing AndAlso _
           checkException.GetHttpCode() = 400 AndAlso _
           checkException.ErrorCode = -2147467259 Then
            ' Error 400 = bad request, user
            ' tried to upload a file that's too large
            Session("ImageTooLarge") = True
            Server.ClearError()
            ' Go to the original target page
            Response.Redirect("UploadForm.aspx")
        End If
    End If
    ' For other errors, just accept the default processing
End Sub

The next step was to add a label control to the original upload form. The control's name is lblTooLarge, its text is a warning that the image is too large, and its Visible property is set to False. Then I modified the Page_Load procedure of the upload form:

 

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    If Not IsPostBack Then
        ' Check to see whether we were redirected
        ' from the error handler
        If CBool(Session("ImageTooLarge")) Then
            ' Clear the flag so the warning is shown only once
            Session.Remove("ImageTooLarge")
            lblTooLarge.Visible = True
            Exit Sub
        End If
    Else
        ' Get the uploaded data
        Dim upfile As HttpPostedFile = UploadFile.PostedFile
        ' Remaining code unchanged ...
    End If
End Sub

If the user tries to upload a file that is too large, the error gets caught in the global.asax file. At that point, the code retrieves the error details and verifies that this is the error that happened; I don't assume that it's the only possible error in the application! If it is, the code sets a flag in the session state and hands control back to the upload form. The upload form checks for the flag and makes the label visible so that the user will know what they did wrong.

 

Formatting edited by Webmaster on June 09, 2008 11.07 PM IST.


About the Author

Sbanerjee
Full Name: Soumen Banerjee
Country: India

http://www.ethicaldeveloper.blogspot.com/