This is just for beginners!, If we write code for file upload in web app we must follow few things, for example file size, type of file and best to restrict file types. Please check in detail with below points.
File size:-
We must check with file size. Otherwise some users may full you hard disk by uploading big size files. So, it is best to restrict the size of file.
one example:- If in you web site your given option for upload profile image. So, user can upload (JPG,PNG, GIF ..) file for his profile image. He can upload big size image which are more than 3MB and more. For small profile image he upload 3 MB file..!, of course we can reduce the size in our code by reducing file size to (100×100 or 70×60 or….).
Deny executable file type(no .exe) :-
It is best to deny executable file upload. Because Exe file may have virus, that may affect your server or your client system! So, it is best to deny those file uploads.
Find file mime type* :-
One important thing we need to remember is it is best to know mimetype, because in our site we have given option to upload any type of file (aspx, ashx, php, jsp …). And we have given direct access to download folder. They hacker may attack your server. Let me tell with example..
I created one simple website to upload files and download those files. So, user uploaded file (Test.txt) will be stored in folder called “Downloads”. Then if the user want to download that file he just browse the path for example http://localhost/simplewebsite/downloads/test.txt. It will display the text content. If the use uploaded ASPX file in ASP.NET web site or PHP file in PHP web site. Then browse that file, it will executes the inside code (http://localhost/simplewebsite/downloads/hack-delete-file.php). Inside code the user wrote some code to delete the files of sites? . So, it is best to find mimetype and if those are text files then add .txt at the end.
Best restrict file types :- Restrict the file type if you don’t want to allow the use to upload more type of files. For example if the use want to upload file to is profile image then allow only image type files. Don’t allow them to upload other type of files (other than jpg, gif, bmp, png and …).
Validate in Client side :-
Validate in client side to get rich internet experience. Checking file types and showing alert message to user!
Verify in server side* :- Very important to verify in server side, checking file type again in server side and file size.. Because sometimes JavaScript my ignored(escaped) in client side validation.
Remember those thing if your creating own website. Mostly all CMS systems (Kentico CMS, WordPress and ..) are look those things by default.
I hope this is helpful for beginners!
Enjoy while coding..!
Thanks,
Naga Harish.