FileUpload Web Server Control Overview
The FileUpload control enables you to provide users with a way to send a file from their computer to the server.
This topic contains:
The FileUpload control enables users to upload pictures, text files, or other files. The FileUpload control displays a text box where users can type the name of a file that they want to upload to the server. The control also displays a Browse button that displays a file-navigation dialog box. (The dialog box that is displayed depends on the operating system of the user's computer.) For security reasons, you cannot pre-load the name of a file into the FileUpload control.
Handling Uploaded Files
When users have selected a file to upload and then submitted the page, the file is uploaded as part of the request. The file is cached in its entirety in server memory. When the file has finished uploading, your page code runs.
You can access the uploaded file in the following ways:
As a stream exposed in the FileContent property.
As an object of type HttpPostedFile in the PostedFile property. The PostedFile object exposes properties, such as the ContentType and ContentLength properties, that provide you with information about the uploaded file.
When your code runs, you can examine the characteristics of the file, such as its name, size, and MIME type, and you can then save it. You can work with the file as a byte array or stream. Alternatively, both the FileUpload control and the HttpPostedFile object support a SaveAs method that writes the file to disk.
There is no inherent limitation on where you can save uploaded files. However, to save the file, the ASP.NET process must have permission to create files in the location that you specify. In addition, your application might be configured to require an absolute path (not a relative path) for saving the file, which is a security measure. If the requireRootedSaveAsPath attribute of the httpRuntime configuration element is set to true (which is the default), you must provide an absolute path when saving the uploaded file.
You can create an absolute path based on the root of your application by using the MapPath method of the HttpServerUtility class and passing to the method the tilde (~) operator, which represents the application root folder. For more information, see ASP.NET Web Site Paths.
The maximum size file that can be uploaded depends on the value of the MaxRequestLength configuration setting. If users attempt to upload a file that is larger than the maximum allowed, the upload fails.
Using the FileUpload Control in Partial-Page Updates
The FileUpload control is designed to be used only in postback scenarios and not in asynchronous postback scenarios during partial-page rendering. When you use a FileUpload control inside an UpdatePanel control, the file must be uploaded by using a control that is a PostBackTrigger object for the panel. UpdatePanel controls are used to update selected regions of a page instead of updating the whole page with a postback. For more information, see UpdatePanel Control Overview and Partial-Page Rendering Overview.
Security and the FileUpload Control
By using the FileUpload control, users can upload potentially malicious files, including script files and executable files. You cannot limit in advance the files that a user can upload. If you want to limit the types of files that a user can upload, you must examine the file characteristics after the file has been uploaded, such as the file's file name extension and the value of the file's ContentType property
Before the page is submitted, you can use client script to examine the file name that a user has typed in the text box. However, although performing a client-side check of the file name can be useful, it does not guarantee that users cannot upload an unsafe file type, such as an executable file.