Limitations and Security Issues


Before continuing, it's worth taking a moment to consider some of the limitations of the sample code as shown. Most of these limitations are easily solvable, but it's worth considering both the inherent limitations and the security implications of uploading file data to the server.

The sample code shown previously stores the list of uploaded files in memory only (using a Hashtable). If you're doing this "for real," you'll want to store data about the uploaded files with some sort of persistent mechanism (for example, using a relational database).

The sample code shown previously stores files using the file name as the "unique identifier." This is a pretty simplistic mechanism, and it is prone to conflict if two files are uploaded with the same name. Again, the use of a database and a synthetic primary key may be your best bet.

This is not an inherently transactionally safe operation; it's easy to think of situations that might "confuse" the application, such as uploading a new file with the same name as a file that is currently being downloaded.

In general, error handling is limited to dumping an exception to the console. For a production application, you will want to handle all possible error scenarios as gracefully as possible.

Some attempt is made to prohibit uploading potentially "dangerous" file types to the server. It may be more appropriate to store files in a fashion that doesn't preserve the original filenames on a file system, either by hashing the filenames or perhaps by storing the files in a database. Similarly, you may only want to allow users to upload a certain set of file types and prohibit all others.

It's terribly easy to choke your entire web application with a denial-of-service attack by simply initiating a large number of file uploads. Therefore, you will likely only want to allow users to initiate a file upload after they have authenticated. You may want to adopt a further strategy, such as a flag to only allow an authenticated user to upload a single file at a time, or you might want to use a pool to manage file uploads.
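One way to put the "single upload at a time per authenticated user" idea into code. This is an added example, not the book's sample code: it uses only the Java standard library, the class and its limits are hypothetical, and it assumes the servlet that receives the upload already knows the authenticated user name.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Semaphore;

/**
 * Added example (not from the book): limits how many uploads an
 * authenticated user may have in flight at once, and how many the whole
 * application accepts, so one client cannot tie up every request thread
 * with slow or repeated uploads. Anonymous requests are refused outright.
 */
public class UploadGate {
    // Hypothetical limits; tune them to the deployment.
    private final int perUserLimit;
    private final Semaphore globalSlots;
    // Entries are never evicted here; a production version would drop idle users.
    private final Map<String, Semaphore> perUser = new ConcurrentHashMap<>();

    public UploadGate(int perUserLimit, int globalLimit) {
        this.perUserLimit = perUserLimit;
        this.globalSlots = new Semaphore(globalLimit);
    }

    /** A ticket that must be closed when the upload finishes, whether it succeeded or failed. */
    public final class Ticket implements AutoCloseable {
        private final Semaphore userSlots;
        private Ticket(Semaphore userSlots) { this.userSlots = userSlots; }
        @Override public void close() {
            userSlots.release();
            globalSlots.release();
        }
    }

    /**
     * Returns a ticket, or null when the caller is not authenticated or either
     * limit is already reached. On null the servlet should answer with an error
     * immediately rather than queueing the request.
     */
    public Ticket tryBegin(String authenticatedUser) {
        if (authenticatedUser == null) {
            return null; // unauthenticated uploads are refused
        }
        Semaphore userSlots = perUser.computeIfAbsent(
                authenticatedUser, u -> new Semaphore(perUserLimit));
        if (!userSlots.tryAcquire()) {
            return null; // this user already has the maximum number in flight
        }
        if (!globalSlots.tryAcquire()) {
            userSlots.release(); // give back the per-user slot we just took
            return null;
        }
        return new Ticket(userSlots);
    }

    public static void main(String[] args) {
        UploadGate gate = new UploadGate(1, 4);
        Ticket first = gate.tryBegin("alice");
        Ticket second = gate.tryBegin("alice"); // refused: alice already has one in flight
        Ticket anon = gate.tryBegin(null);      // refused: not authenticated
        System.out.println("first=" + (first != null)
                + " second=" + (second != null) + " anon=" + (anon != null));
        first.close();
        try (Ticket third = gate.tryBegin("alice")) { // allowed again once the first finished
            System.out.println("third=" + (third != null));
        }
    }
}
```

The gate only bounds concurrency; it should sit alongside a cap on the request size itself (the FileUpload classes expose this through setSizeMax), since a single oversized upload can be as costly as many small ones.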

No provision is made to protect file downloads. If a file is uploaded to a directory, anyone who has the URL can download it. If you want to protect the uploaded file in some fashion (for example, requiring a login), you'll need to add a mechanism to "hide" the file and only send it to approved users.
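The storage approach suggested above (server-generated names, an allowed set of file types, a synthetic key instead of the client's filename, and a download path that checks who is asking) can be combined in one small class. This is an added example rather than the book's code: it assumes Java 16 or later, an upload directory outside the web root, and that the caller has already authenticated the user; the extension list and size cap are placeholders.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not the book's code): stores uploaded files under
 * server-generated names, keeps the client-supplied name only as metadata,
 * and hands a file back only to the user who uploaded it.
 */
public class UploadStore {
    /** Hypothetical allowlist; anything not listed is rejected (an allowlist, not a denylist). */
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "pdf", "txt");
    private static final long MAX_BYTES = 5L * 1024 * 1024; // hypothetical 5 MiB cap

    /** Metadata row; in a real application this is a database row keyed by the synthetic id. */
    public record StoredFile(String id, String originalName, String owner, Path path) {}

    private final Path root;
    private final Map<String, StoredFile> index = new ConcurrentHashMap<>();

    public UploadStore(Path root) throws IOException {
        this.root = root.toAbsolutePath().normalize();
        Files.createDirectories(this.root);
    }

    /** Returns the lower-cased extension, or null when there is none or it is not allowed. */
    static String allowedExtension(String clientName) {
        if (clientName == null) return null;
        // Some browsers send a full client-side path; keep only the last component.
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null;
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext) ? ext : null;
    }

    /** Stores the content and returns the opaque id; the original name never reaches the file system. */
    public String store(String owner, String clientName, byte[] content) throws IOException {
        if (owner == null) throw new SecurityException("upload requires an authenticated user");
        String ext = allowedExtension(clientName);
        if (ext == null) throw new IllegalArgumentException("file type not allowed: " + clientName);
        if (content.length > MAX_BYTES) throw new IllegalArgumentException("file too large");
        String id = UUID.randomUUID().toString(); // synthetic key: no collisions on equal names
        Path target = root.resolve(id + "." + ext).normalize();
        if (!target.startsWith(root)) { // defence in depth; the id is ours, but check anyway
            throw new SecurityException("path escaped store root");
        }
        Files.write(target, content);
        index.put(id, new StoredFile(id, clientName, owner, target));
        return id;
    }

    /** Resolves a download; returns null when the id is unknown or the requester is not the owner. */
    public StoredFile open(String requestingUser, String id) {
        StoredFile f = index.get(id);
        if (f == null || requestingUser == null || !f.owner().equals(requestingUser)) {
            return null; // caller answers with 404/403; the on-disk name is never exposed
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        UploadStore store = new UploadStore(Files.createTempDirectory("uploads"));
        byte[] sample = "constructed sample content".getBytes(); // constructed input
        String id = store.store("alice", "C:\\Users\\alice\\report.PDF", sample);
        System.out.println("stored as " + store.open("alice", id).path().getFileName());
        System.out.println("bob may read it: " + (store.open("bob", id) != null)); // false
        try {
            store.store("alice", "page.jsp", sample);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the directory is not under the web root and the stored name is a server-generated id, knowing the URL of the upload form or guessing the original filename does not give anyone the file; every download goes through open(), which is where a login requirement or a richer permission check belongs.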

It's a truism that when considering the security of an application, you can't "trust" anything that comes from the client browser. This is doubly true when considering file uploads. When adding file upload capability, make sure you've fully considered the security implications.


Source: Apache Jakarta Commons: Reusable Java Components, Will Iverson, 2006.