System.Web 2.0.0.0 System.Web.UI.WebControls.WebControl System.ComponentModel.Designer("DesignerBaseTypeNameSystem.ComponentModel.Design.IDesignerDesignerTypeNameSystem.Web.UI.Design.WebControls.PreviewControlDesigner, System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") System.Web.UI.ValidationProperty("FileName") System.Web.UI.ControlValueProperty("FileBytes") In this topic: Introduction Saving Uploaded Files Security Considerations Memory Limitations Using the FileUpload Control with the UpdatePanel Control Declarative Syntax

Introduction

The class displays a text box control and a browse button that enable users to select a file on the client and upload it to the Web server. The user specifies the file to upload by entering the full path of the file on the local computer (for example, C:\MyFiles\TestFile.txt) in the text box of the control. Alternately, the user can select the file by clicking the Browse button, and then locating it in the Choose File dialog box. Use the property to get the name of a file on a client to upload by using the control. The file name that this property returns does not include the path of the file on the client. The property gets a object that points to a file to upload. Use this property to access the contents of the file as bytes. For example, you can use the object that is returned by the property to read the contents of the file as bytes and store them in a byte array. Alternatively, you can use the property to retrieve all the bytes in the file. The property gets the underlying object for the file to upload. You can use this property to access additional properties on the file. The property gets the length of the file. The property gets the MIME content type of the file. In addition, you can use the property to access the property, the property, and the method. However, the same functionality is provided by the property, the property, and the method.

Saving Uploaded Files

The control does not automatically save a file to the server after the user selects the file to upload. You must explicitly provide a control or mechanism to allow the user to submit the specified file. For example, you can provide a button that the user clicks to upload the file. The code that you write to save the specified file should call the method, which saves the contents of a file to a specified path on the server. Typically, the method is called in an event-handling method for an event that raises a post back to the server. For example, if you provide a button to submit a file, you could include the code to save the file inside the event-handling method for the click event. Before calling the method to save the file to the server, use the property to verify that the control contains a file. If the returns true, call the method. If it returns false, display a message to the user indicating that the control does not contain a file. Do not check the property to determine whether a file to upload exists because, by default, this property contains 0 bytes. As a result, even when the control is blank, the property returns a non-null value.

Security Considerations

When you call the method, you must specify the full path of the directory in which to save the uploaded file. If you do not explicitly specify a path in your application code, an exception is thrown when a user attempts to upload a file. This behavior helps keep the files on the server secure by preventing users from being able to write to arbitrary locations in your application's directory structure, as well as preventing access to sensitive root directories. The method writes the uploaded file to the specified directory. Therefore, the ASP.NET application must have write access to the directory on the server. There are two ways that the application can get write access. You can explicitly grant write access to the account under which the application is running, in the directory in which the uploaded files will be saved. Alternatively, you can increase the level of trust that is granted to the ASP.NET application. To get write access to the executing directory for the application, the application must be granted the object with the trust level set to the value. Increasing the level of trust increases the application's access to resources on the server. Note that this is not a secure approach, because a malicious user who gains control of your application will also be able to run under this higher level of trust. It is a best practice to run an ASP.NET application in the context of a user with the minimum privileges that are required for the application to run. For more information about security in ASP.NET applications, see Basic Security Practices for Web Applications and ASP.NET Trust Levels and Policy Files.

Memory Limitations

One way to guard against denial of service attacks is to limit the size of the files that can be uploaded by using the control. You should set a size limit that is appropriate for the types of files that you expect to be uploaded. The default size limit is 4096 kilobytes (KB), or 4 megabytes (MB). You can allow larger files to be uploaded by setting the maxRequestLength attribute of the httpRuntime element. To increase the maximum allowable file size for the entire application, set the maxRequestLength attribute in the Web.config file. To increase the maximum allowable file size for a specified page, set the maxRequestLength attribute inside the location element in Web.config. For an example, see location Element (ASP.NET Settings Schema). When uploading large files, a user might also receive the following error message: aspnet_wp.exe (PID: 1520) was recycled because memory consumption exceeded 460 MB (60 percent of available RAM). If your users encounter this error message, increase the value of the memoryLimit attribute in the processModel of element the Web.config file for the application. The memoryLimit attribute specifies the maximum amount of memory that a worker process can use. If the worker process exceeds the memoryLimit amount, a new process is created to replace it, and all current requests are reassigned to the new process. To control whether the file to upload is temporarily stored in memory or on the server while the request is being processed, set the requestLengthDiskThreshold attribute of the httpRuntime element. This attribute enables you to manage the size of the input stream buffer. The default is 256 bytes. The value that you specify should not exceed the value that you specify for the maxRequestLength attribute.

Using the FileUpload Control with the UpdatePanel Control

The control is designed to be used only in postback scenarios and not in asynchronous postback scenarios during partial-page rendering. When you use a control inside an control, the file must be uploaded by using a control that is a object for the panel. controls are used to update selected regions of a page instead of updating the whole page with a postback. For more information, see UpdatePanel Control Overview and Partial-Page Rendering Overview.

Declarative Syntax

<asp:FileUpload     AccessKey="string"     BackColor="color name|#dddddd"     BorderColor="color name|#dddddd"     BorderStyle="NotSet|None|Dotted|Dashed|Solid|Double|Groove|Ridge| Inset|Outset"     BorderWidth="size"     CssClass="string"     Enabled="True|False"     EnableTheming="True|False"     EnableViewState="True|False"     Font-Bold="True|False"     Font-Italic="True|False"     Font-Names="string"     Font-Overline="True|False"     Font-Size="string|Smaller|Larger|XX-Small|X-Small|Small|Medium| Large|X-Large|XX-Large"     Font-Strikeout="True|False"     Font-Underline="True|False"     ForeColor="color name|#dddddd"     Height="size"     ID="string"     OnDataBinding="DataBinding event handler"     OnDisposed="Disposed event handler"     OnInit="Init event handler"     OnLoad="Load event handler"     OnPreRender="PreRender event handler"     OnUnload="Unload event handler"     runat="server"     SkinID="string"     Style="string"     TabIndex="integer"     ToolTip="string"     Visible="True|False"     Width="size" />

Displays a text box control and a browse button that enable users to select a file to upload to the server.

Constructor Use the constructor to initialize a new instance of the class. The control does not automatically save a file to the server after the user selects the file to upload. You must explicitly provide a control or mechanism to allow the user to submit the specified file. For example, you can provide a button that the user clicks to upload the file.

Initializes a new instance of the class.

2.0.0.0 Method System.Void The method is primarily used by control developers to insert the appropriate attributes and styles to the output stream for a control. The method overrides the method.

Adds the HTML attributes and styles of a control to render to the specified object.

An that represents the output stream to render HTML content on the client. 2.0.0.0 Property System.ComponentModel.Browsable(false) System.ComponentModel.Bindable(true, System.ComponentModel.BindingDirection.OneWay) System.ComponentModel.DesignerSerializationVisibility(System.ComponentModel.DesignerSerializationVisibility.Hidden) System.Byte[] To be added. The control does not automatically read the file from the client. You must explicitly provide a control or mechanism to allow the user to submit the specified file. For example, you can provide a button that the user can click to upload the file. The code that you write to save the specified file could call the property, which returns the contents of the file. Before calling the property, you should use the property to verify that the control contains a file to upload. If the returns true, call the property. If it returns false, display a message to the user indicating that the control does not contain a file. If you do not provide error-handling code to verify that a file exists, an attempt to save a nonexistent file throws an exception.

Gets an array of the bytes in a file that is specified by using a control.

2.0.0.0 Property System.ComponentModel.DesignerSerializationVisibility(System.ComponentModel.DesignerSerializationVisibility.Hidden) System.ComponentModel.Browsable(false) System.IO.Stream To be added. The property gets a object that points to a file to upload by using the control. Use the property to access the contents of the file. For example, you can use the object that is returned by this property to read the contents of the file as bytes and store them in a byte array.

Gets a object that points to a file to upload using the control.

2.0.0.0 Property System.ComponentModel.DesignerSerializationVisibility(System.ComponentModel.DesignerSerializationVisibility.Hidden) System.ComponentModel.Browsable(false) System.String To be added. Gets the name of a file on a client to upload using the control. The file name that the property returns does not include the path of the file on the client.

Gets the name of a file on a client to upload using the control.

2.0.0.0 Property System.ComponentModel.DesignerSerializationVisibility(System.ComponentModel.DesignerSerializationVisibility.Hidden) System.ComponentModel.Browsable(false) System.Boolean To be added. The property gets a value indicating whether the control contains a file to upload. Use this property to verify that a file to upload exists before performing operations on the file. For example, before calling the method to save the file to disk, use the property to verify that the file exists. If returns true, call the method. If it returns false, display a message to the user indicating that the control does not contain a file.

Gets a value indicating whether the control contains a file.

2.0.0.0 Method 2.0.0.0 System.Void The method notifies the control to perform any necessary pre-rendering steps before saving view state and rendering content.

Raises the event for the control.

An object that contains the event data. Property System.ComponentModel.DesignerSerializationVisibility(System.ComponentModel.DesignerSerializationVisibility.Hidden) System.ComponentModel.Browsable(false) System.Web.HttpPostedFile To be added. The property gets the underlying object for a file that is uploaded by using the control. Use this property to access additional properties on the uploaded file. You can use the property to get the length of the file. You can use the property to get the MIME content type of the file. In addition, you can use the property to access the property, the property, and the method. However, the same functionality is provided by the property, the property, and the method.

Gets the underlying object for a file that is uploaded by using the control.

2.0.0.0 Method 2.0.0.0 System.Void The method sends the control content to the specified object, which writes the content to render on the client.

Sends the control content to the specified object, which writes the content to render on the client.

The object that receives the control content. Method System.Void The method saves the contents of an uploaded file to a specified path on the Web server. The control does not automatically save a file to the server after the user selects the file to upload. You must explicitly provide a control or mechanism to allow the user to submit the specified file. For example, you can provide a button that the user clicks to upload the file. The code that you write to save the specified file should call the method, which saves the contents of a file to a specified path on the server. Typically, the method is called in an event-handling method for an event that raises a post back to the server. For example, if you provide a button to submit a file, the code to save the file to the server could then be included inside the event-handling method for the click event. When you call the method, you must specify the full path of the directory on the server in which to save the uploaded file. If you do not explicitly specify a path in your application code, an exception is thrown when a user attempts to upload a file. This behavior helps keep the files on the server secure, by not allowing users to specify a path in which to save the files that they upload. Before calling the method, you should use the property to verify that the control contains a file to upload. If the returns true, call the method. If it returns false, display a message to the user indicating that the control does not contain a file. If you do not provide error-handling code to verify that a file exists, an attempt to save a nonexistent file throws an exception. For a call to the to work, the ASP.NET application must have write access to the directory on the server. There are two ways that the application can get write access. You can explicitly grant write access to the account under which the application is running, in the directory in which the uploaded files will be saved. Alternatively, you can increase the level of trust that is granted to the ASP.NET application. To get write access to the executing directory for the application, the application must be granted the object with the trust level set to the value. Increasing the level of trust increases the application's access to resources on the server. Note that this is not a secure approach, because a malicious user who gains control of your application will also be able to run under this higher level of trust. It is a best practice to run an ASP.NET application in the context of a user who has the minimum privileges that are required for the application to run. For more information about security in ASP.NET applications, see Basic Security Practices for Web Applications and ASP.NET Trust Levels and Policy Files.

Saves the contents of an uploaded file to a specified path on the Web server.

A string that specifies the full path of the location of the server on which to save the uploaded file. 2.0.0.0