Uploading a File


A less common but important functionality to offer is a way for the user to upload a file to the server. Often, this task is the foundation upon which Web applications are built. If the user is not acting on server data from a back-end database, he might be working on having the server act on files uploaded by the user. The ASP.NET control for enabling this functionality is from the set of HTML controls. The HtmlInputFile control requires that we modify the form element so that the browser will be able to submit the file.

The first step is to consider the impact on the server of allowing users to upload files. This is the kind of functionality that is quickly discovered by inquisitive anonymous users and can sometimes lead to a barrage of large files or file upload requests that don’t seem to make progress. Consider restricting access to the Web root in which file upload occurs to authenticated users only. Chapter 8 discusses in detail the various types of authentication supported by ASP.NET. By denying anonymous users access to the site, you can eliminate big problems. Users seem to behave better when their actions can be traced back to them, and with the logging capabilities of IIS, you can easily ascertain the source of inappropriate uploads.

The second step is to configure the application for the maximum supported file size for upload. Consider the amount of storage that is allocated for housing the uploaded files. The httpRuntime element contains a maxRequestLength attribute that corresponds to the number of kilobytes a user can upload or post before receiving an error. The default is 4096 KB. Code Listing 2-19 is a web.config file that limits the request length to 2 MB. If the size of the uploaded files is assured to be significantly smaller, consider reducing this from the default 4 MB. If you increase the limit, seriously consider the performance impact of buffering the uploaded files and writing them to disk.

Code Listing 2-19: RequestLengthWeb.config

start example
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="2048" />
    </system.web>
</configuration>
end example

Tip

Use the SaveAs method of the PostedFile member of the HtmlInputFile control to specify where the file should be placed on disk. Target a directory that exists on a separate partition, where filling the partition will have minimum impact on the operations of the server.

The third and final step in preparing to handle the uploading of files is to configure a location with permissions in which the ASP.NET worker process can write files. (In Chapter 8, you’ll look at security mechanisms and user impersonation and also examine directory write privileges and identity.) Isolate the save location from other applications and operating system files to guard against overwriting an existing file.

Code Listing 2-20 demonstrates setting the form element’s enctype attribute to the correct type and includes adding the HTML server control to enable file uploads, via the runat attribute. The code that saves the file from memory to disk simply gets the current time in milliseconds, but note that this doesn’t scale. As unlikely as it might seem, you can’t safely assume that two users couldn’t cause this code to execute simultaneously.

Code Listing 2-20: UploadFile.aspx

start example
<script language="C#" runat="server">
    protected void PhotoSubmit(object o, EventArgs e) {
        if (thePhoto.PostedFile != null) {
            try {
                // does NOT handle multiple users uploading at
                // exactly the same time
                string filepath
                    = "C:\\temp\\" + DateTime.Now.Ticks.ToString();
                thePhoto.PostedFile.SaveAs(filepath);
                status.Text = "File saved as " + filepath;
            }
            catch {
                status.Text = "An Error occurred processing the file.";
                status.Text += " Please try again.";
            }
        }
    }
</script>
<form runat="server" enctype="multipart/form-data">
    Please select an image to submit:
    <input type="file" id="thePhoto" runat="server" /><br />
    <input type="button" runat="server" value="Proceed"
        OnServerClick="PhotoSubmit" />
    <asp:label id="status" runat="server" />
</form>
end example
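The timestamp-based name in Code Listing 2-20 can collide, and the handler relies entirely on web.config for the size limit. The following is an added example, not code from the book: a stand-alone C# helper (the `UploadStore` class, its `Save` method, the `.upload` extension and the demo directory are hypothetical names) that generates the file name on the server, creates the file with `FileMode.CreateNew` so an existing file is never overwritten, and enforces a 2 MB cap assumed to mirror Code Listing 2-19.

```csharp
using System;
using System.IO;

// Added example (not from the book): collision-safe save for an uploaded stream.
public static class UploadStore
{
    // Assumption: mirrors maxRequestLength="2048" (KB) from Code Listing 2-19.
    public const long MaxBytes = 2048L * 1024;

    // Hypothetical helper: copies 'upload' into 'saveDir' and returns the new path.
    public static string Save(Stream upload, string saveDir)
    {
        Directory.CreateDirectory(saveDir);
        // A server-generated GUID replaces the Ticks-based name and ignores any client file name.
        string path = Path.Combine(saveDir, Guid.NewGuid().ToString("N") + ".upload");
        // CreateNew throws IOException if the file already exists, so nothing is overwritten.
        using (FileStream dest = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None))
        {
            try
            {
                byte[] buffer = new byte[8192];
                long total = 0;
                int read;
                while ((read = upload.Read(buffer, 0, buffer.Length)) > 0)
                {
                    total += read;
                    if (total > MaxBytes)
                        throw new InvalidDataException("Upload exceeds " + MaxBytes + " bytes.");
                    dest.Write(buffer, 0, read);
                }
            }
            // Close first, then remove the partial file this call created, then rethrow.
            catch { dest.Close(); File.Delete(path); throw; }
        }
        return path;
    }

    public static void Main()
    {
        // Constructed sample input standing in for thePhoto.PostedFile.InputStream.
        string dir = Path.Combine(Path.GetTempPath(), "upload-demo");
        string a = Save(new MemoryStream(new byte[1024]), dir);
        string b = Save(new MemoryStream(new byte[1024]), dir);
        Console.WriteLine(a != b); // two saves never share a path
        try { Save(new MemoryStream(new byte[MaxBytes + 1]), dir); }
        catch (InvalidDataException ex) { Console.WriteLine(ex.Message); }
    }
}
```

In the page handler, the same helper would be called with `thePhoto.PostedFile.InputStream` and a save directory on the isolated partition described in the Tip above.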

Tip

If you need to generate random numbers in your application, create a Random object and store it in application scope. The object is seeded when it is created and can then be used throughout the application to get differing values easily.




Microsoft ASP.NET Coding Strategies with the Microsoft ASP.NET Team (Pro-Developer)
ISBN: 073561900X
EAN: 2147483647
Year: 2005
Pages: 144