Major problem with FileUpload if bad filename

[David Thielen]

Hi;

If the FileUpload has a bad filename, the code behind does not get called on
a submit but there is no error message. How can I get an error message?

 

[Steven Cheng[MSFT]]

Hi Dave,

As for the Upload control , when we manually modify the filename/path to an
invalid value, the file stream won't be submited, therefore the server-side
won't detect any uploaded file.
You can use the FileUpload.HasFile to check whether there is file stream
correctly uploaded.

regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[D.P.]

I've got a similar problem and looked a bit more into it. I'm using a
FileUpload control in combination with a submit button to actually initiate
the upload.

If I manually type a filename without a path, e.g. "Non-existing.file" then
clicking my submit button results in no postback at all. Therefor I dont have
the chance to give any feedback to the user, unless I implement a
RegexValidator as well.

If I select a zero length file, pressing my submit button does result in a
postback, but the HasFile property states "false". Returning a message that
no file has been selected would be a bit awkward in this case, and I'm sure a
user won't understand that at all.

I hope someone could enlighten me as how to deal with those two situations!

 

[David Thielen]

But the code behind is not called - how do I get notified?

 

[Steven Cheng[MSFT]]

Hi Dave,

Do you mean check it at client-side or server-side, for client-side, we can
get the value of the input file field, but it's not possible to know
whehter the file actually exists. At server-side, when postback, at least
the Page's Load event will always fires, you can check the file upload
control there.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Hi;

Yes server side. But that is the problem - the Page_Load is not called and
there is no error message if FileUpload is given a bad filename.

 

[Steven Cheng[MSFT]]

What's the bad file you mean? If the file is a real file which exists at
client-side, the upload request should contain the uploaded file stream. I
think this can help confirm whether the filename is not a wrong one.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[D.P.]

As I see it this problem occurs when the file is not a real file. For then,
there is no feedback at all. Apparently the control validates the existence
of the file client side, but gives no feedback if the file doesn't exist. If
you at least enter a full path to a non-existing file, the upload request is
executed and the HasFile property will be false, which is correct behaviour
in my opinion. But, if you enter just a filename, without fully qualified
path, then you don't get to the server so there is no way to give feedback to
the user.

I solved this by using a RegexValidator on my FileUpload control, in
combination with a required field validator. The regex I used is "borrowed"
from http://regexlib.com/REDetails.aspx?regexp_id=800. I adjusted it a little
bit, to make sure it requires a filename. It's not perfect but it will do
(I'm in for better suggestions though). The Regex I used is:

^((?:[a-zA-Z]|(?:\\{2}\w[-\w]*)\$?)\\(?!\.)((??![\\/:*?<>"|])(?)[\x20-\x7E])+\\(?!\.))*((???![\\/:*?<>"|])(?![
..]$)[\x20-\x7E])+)\.((??![\\/:*?<>"|])(?![ .]$)[\x20-\x7E])+))$

Hope it helps anyone in the same situation

 

[Steven Cheng[MSFT]]

That's cool!

Thanks for your input.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Bob]

Following on from this, if the filename is invalid, it doesnt postback
which means it wont perform any of my buttons actions! Anyway round
this? Firefox seems to allow invalid filenames to be postedback but
Internet Explorer doesnt!

 

[David Thielen]

I would like to know if there is a solution too. The Regex validator solution
is not perfect. (A lot better than nothing - but not perfect.)

 

[Steven Cheng[MSFT]]

Thanks for the followup.

So far I haven't found any better way(other than use client-script or regex
to validate it) to prevent invalid file name if the client-user manually
input the filename. However, at server-side, we can just check the uploaded
filestream to see whether the client user has uploaded a valid file.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Hello;

Please read the thread again. The problem is if you enter a filename that
does not exist, the server side is never called.

 

[Steven Cheng[MSFT]]

Hi Dave,

Actually, it is only when we input an invalid path will the page be
prevented from being postback. e.g:

"C\FILENAME.EXT", this an invalid path. however, if the path is valid,
but the file does not exists, the page will still be posted back, and there
is no uploaded file stream. e.g:

"C:\nonexisting_filename.ext"

Anyway, through the pure html element, we can not force the user to type
(or even detect) a filepath which really point to an existing file because
we can not check the client side filesystem.

Thanks & Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Sorry, yes - invalid path.

So what should I do in that case sense the code-behind is never called?

 

[Piotrek]

Hi all.

By the way: did you try to retrieve full path to uploaded file when
using Mozilla Firefox? I used FileName property of HttpPostedFile and
it stores only file name (under IE it stores full path).

Does anybody know how to retrieve full path in Firefox?

Piotrek

 

[Bob]

Yes, it is prevented from being posted back if the file path is
invalid, which means if we have other buttons on the page, these will
not be executed. This problem only happens for IE but not for Firefox :S

 

[Steven Cheng[MSFT]]

Hi Dave,

for Invalid path, we haven't any good means since the page is event not
posted back. So far the best means I can get is use client-side script to
alert user a message (indicate the current input path is invalid). the
scritp code and be put in the <input type="file" > element's "onchange"
client-side event, we still need to use some script to validate the
path(such as using regex).

Thanks & Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Ok - it's broken. (If javascript is tuned off on the client you are totally
hosed.)

Does anyone know of a file upload control that works?

 

[Bob]

And if you have another button on the page which performs some logic
server side, your more screwed!