FileUpload Web Server Control Overview
Thecontrol allows you to provide users with a way to send a file from their computer to the server. The control is useful for allowing users to upload pictures, text files, or other files.
Prompting for Files to Upload
The FileUpload control displays a text box where users can type the name of a file that they want to upload to the server. The control also displays a Browse button that displays a file-navigation dialog box. (The dialog box that is displayed depends on the operating system of the user's computer.) For security reasons, you cannot pre-load the name of a file into the FileUpload control.
Handling Uploaded Files
When users have selected a file to upload and submitted the page, the file is uploaded as part of the request. The file is cached in its entirety in server memory. When the file has finished uploading, your page code runs.
You can access the uploaded file in the following ways:
As a byte array exposed in the FileUpload control’sproperty.
As a stream exposed in theproperty.
As an object of typein the property. The PostedFile object exposes properties, such as the and properties, which provide you with information about the uploaded file.
When your code runs, you can examine the characteristics of the file, such as its name, size, and MIME type, and you can then save it. You can work with the file as a byte array or stream. Alternatively, both the FileUpload control and the HttpPostedFile object support amethod that writes the file to disk.
There is no inherent limitation on where you can save uploaded files. However, to save the file, the ASP.NET process must have permission to create files in the location that you specify. In addition, your application might be configured to require an absolute path (not a relative path) for saving the file, which is a security measure. If the requireRootedSaveAsPath attribute of theconfiguration element is set to true (which is the default), you must provide an absolute path when saving the uploaded file.
You can create an absolute path based on the root of your application by using themethod of the class and passing to the method the tilde (~) operator, which represents the application root folder. For more information, see .
The maximum size file that can be uploaded depends on the value of theconfiguration setting. If users attempt to upload a file that is larger than the maximum allowed, the upload fails.
Security and the FileUpload Control
Using the FileUpload control, users can upload potentially malicious files, including script files and executable files. You cannot limit in advance the files that a user can upload. If you want to limit the types of files that a user can upload, you must examine the file characteristics (for example, the file name extension and the value of the file's ContentType property) after the file has been uploaded.
Before the page is submitted, you can use client script to examine the file name that a user has typed in the text box. However, while performing a client-side check of the file name can be useful, it does not guarantee that users cannot upload an unsafe file type, such as an executable file.