Limit file upload to .doc, docx, and .pdf


I was wondering if there is a method where I can check to see if the file that a user is uploading is either one of the following formats:


I currently upload like so:

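                    if (FileUpload1.HasFile) {
                        // Strip any client-side path and keep only the file name
                        string fn = System.IO.Path.GetFileName(FileUpload1.PostedFile.FileName);
                        string SaveLocation = Server.MapPath("files") + "\\" + fn;
                        try {
                            FileUpload1.PostedFile.SaveAs(SaveLocation);
                        } catch (Exception ex) {
                            Response.Write("Error: " + ex.Message);
                        }
                    }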

Now is there a way I can check to see if the files are of the above formats and limit the users to only be able to upload files of this format?


Something like this maybe:

    HttpPostedFileBase myFile = uploadedFile;
    if (System.IO.Path.GetExtension(myFile.FileName).ToLower() != ".pdf")
    {
        // do stuff here
    }

Not sure how to do this in but you could have a table in the database called user_permissions.

You would then have the user_id, filetype and any additional requirements in the table.
The filetype value would be in the form of a long value, for example [img],[pdf],[docx].

When the user uploads a file, a query is performed matching the extension on the filename, joining to the permissions table.
It would then look for that extension within that value in the form of a like command. If they are matched then the file is accepted.
Then insert a new record in the upload table recording the time, filename, type and user id to say this file was uploaded to the database.

If not true then give error message else allow upload.

That's a really quick explanation but hope it helps…


I have just tried imaginekitty’s method and it worked…

Thanks for your responses…


this should do

    HttpPostedFile myPostedFile = FileUpload1.PostedFile;
    if (myPostedFile != null && myPostedFile.ContentLength > 0) {
        // FileInfo needs "using System.IO;"
        FileInfo finfo = new FileInfo(myPostedFile.FileName);
        string fileExtension = finfo.Extension.ToLower();
        if (fileExtension != ".doc" && fileExtension != ".docx" && fileExtension != ".pdf") {
            // not an allowed extension: reject the upload here
        }
    }

First rule of file uploads: do not trust client input. This includes the file name, and the submitted mime-type. Only real way to check is to upload file, open the byte and check the headers are correct. Anything else is pretty trivially forgeable.

That said, look at the upload’s mime-type, not the extension. Helps cover stuff like Mac users who don’t use extensions.
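
What "check the headers" looks like for the three formats asked about in this thread, as an added example that is not part of any post here. `UploadSniffer` and its members are hypothetical names; it assumes a seekable stream (such as `FileUpload1.PostedFile.InputStream`) and .NET 4.5+ for `ZipArchive`.

```csharp
using System.IO;
using System.IO.Compression; // .NET 4.5+; reference the System.IO.Compression assembly

// Added example, not code from the thread. All names here are hypothetical.
public static class UploadSniffer
{
    static readonly byte[] Pdf  = { 0x25, 0x50, 0x44, 0x46, 0x2D };                   // "%PDF-"
    static readonly byte[] Ole2 = { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 }; // legacy .doc container
    static readonly byte[] Zip  = { 0x50, 0x4B, 0x03, 0x04 };                         // .docx is a ZIP package

    static bool StartsWith(byte[] head, int read, byte[] sig)
    {
        if (read < sig.Length) return false;
        for (int i = 0; i < sig.Length; i++)
            if (head[i] != sig[i]) return false;
        return true;
    }

    // Returns the extension the content supports (".pdf", ".doc", ".docx"), or null if none match.
    public static string Sniff(Stream content)
    {
        byte[] head = new byte[8];
        content.Position = 0;
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        content.Position = 0;
        if (StartsWith(head, read, Pdf)) return ".pdf";
        if (StartsWith(head, read, Ole2)) return ".doc"; // .xls/.ppt share this container signature
        if (StartsWith(head, read, Zip))
        {
            try
            {
                using (var zip = new ZipArchive(content, ZipArchiveMode.Read, true)) // leave stream open
                    if (zip.GetEntry("word/document.xml") != null) return ".docx";
            }
            catch (InvalidDataException) { } // ZIP signature but not a readable archive
            finally { content.Position = 0; }
        }
        return null;
    }

    // Accept only when the sniffed type agrees with the extension on the untrusted client file name.
    public static bool IsAllowed(string clientFileName, Stream content)
    {
        string ext = Path.GetExtension(clientFileName).ToLowerInvariant();
        return ext.Length > 0 && ext == Sniff(content);
    }
}
```

A matching signature only shows the file has the right container; a .doc or .docx that passes can still carry macros, so keep uploads outside any executable path and scan them before serving them back.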

Is that an OS 9 thing? I miss the Mac days but mine is broken. :sick:

Thanks for the useful information. I did not know Macs do not use extensions.

I think they do with the advent of OS X, but don’t take my word for it, I’m not 100% positive on that. OS 7-9 had some interesting features; extensions didn’t matter, you could change/delete the extensions and the correct app would still open with a double click; aliases would point to files even after you move the original.

I have never had a problem limiting Macs with file extensions. All the Macs here use file extensions? Snow Leopard? Is it maybe a setting type thing or what?

It's more of a [whatever they call the Mac disk storage format] thing than a Mac OS thing per se, but each file is, from a Windows perspective, two files–actual data then metadata. So, the metadata declares the file type whereas Windows tries to infer it from the extension.

Most modern Mac programs are cross platform and tend to use extensions so when a Mac user emails a PC user a file it works. But that doesn’t necessarily happen all the time.

Ah ok, I see. Yes, I know the metadata part. It makes sense. It is just strange that it doesn’t use file extensions by default as the accepted norm. Oh well, guess it is one of those things when dealing with different platforms.

Thanks for the info