This page provides you with both a guide on how to use the upload ASP class and a reference of its methods and properties. The guide explains the roles that the "upload page", the "file uploaded" page, and the upload class play in sending a file. These files are contained in the ZIP available for download. In the particular case of our example, the "upload" and "file uploaded" pages are actually the same file: uploadTester.asp. The upload class is in freeASPUpload.asp.
We intend to document all aspects of this code with as much detail as possible, but in the end you will realize that the actual process of capturing and saving the uploaded files using Free ASP Upload is as simple as two short ASP lines.
Considerations about deployment
If you are adding an upload capability to your site (using this script or any other), you should consider who will have access to it, what files can be uploaded, and whether and how uploaded files are published on the site.
For example: it's a really bad idea if any visitor has access to the upload function and the files uploaded are automatically published on the site. If that is possible, then malicious visitors will quickly abuse your upload. More specifically, if you let anyone upload images to your web site directly, your web site will soon be showing the wrong kind of images. Similarly, if you let users upload HTML pages to your site directly, spammers will upload pages with links to their commercial sites.
There are three levels of prevention to avoid exploitation of your site's upload feature:
The most obvious and effective way of avoiding the upload of spamming content is to not publish the uploaded files automatically. If you review each uploaded file before publishing it, or if you don't publish uploaded files at all (very common), the spammers will not even be interested in your site. The FreeASPUpload script lets you select the folder on the web server where the uploaded files are saved. It is recommended to pick an internal folder (a folder that is not part of the published folders).
If you really must allow anonymous upload of HTML pages and automatically publish them, then at least use robots.txt to block search engine spiders from that published directory. Note that robots.txt only asks well-behaved crawlers to stay out; it does not restrict access to the files.
Another easy way to protect your site is to restrict access to the upload page. For example: if you have a personal site, and you are the only one supposed to use the upload feature, create a special page just for the upload, do not link to it from any other page, and don't share the URL with others. Alternatively you can simply protect that page with a password. An unlinked URL stays private only as long as nobody else learns it, so the password is the stronger of the two options. If your site is the kind that asks for authentication from the users (username and password), that may also help keep the casual spammers out.
Finally, you can also limit the kinds of files a user can upload. The types of file spammers will want to upload are .html, .htm, etc. Restricting the kinds of files that are allowed to be uploaded requires some additional ASP code, so it is not as easy as the first two strategies.
The upload page
The first step to add upload capabilities to your site is to find a page to hold the upload form. You can use one of the existing pages in your site or create a new one (see section above about avoiding abuses from unauthorized visitors). This page does not have to be an ASP page, it can be plain HTML or any other file type that can render a form in the browser.
The upload form is a FORM-element area that includes input elements of the kind "type=file". These elements - one for each file - let the user type the name of the file or browse in the system to pick it.
The most important things to remember about this form are its method and enctype. Method must be "POST" and enctype must be "multipart/form-data". It is also required that each file element be named attach1, attach2, etc.
Besides the file elements and the submit button, the upload form may have elements of other types. This means that, together with file(s) to upload, you can also post other kinds of typical form data such as text, numbers, etc.
Finally, the ACTION parameter of the FORM tag will contain the address of the page that will process the upload and tell the user the file was uploaded.
The "file-uploaded" page
This page will receive the information from the form, save the uploaded files, and process any other fields in your form. This needs to be an ASP page because it will #include the code of the FreeASPUpload class.
In some cases it is convenient to use the same file to render both the upload page and the "file-uploaded" one, like in our example. The ASP code in the file decides which page to render based on the value of Request.ServerVariables("REQUEST_METHOD").
When it comes to actually saving the uploaded files, it only takes two lines, one for the creation of the Free ASP Upload object and the other to extract the files from the POST request and save them to the server:
Set Upload = New FreeASPUpload
Upload.Save(upload directory path)
To process other fields in the form, use the Form collection of the upload object the same way you would use the Form collection of the Request object. For example, if your form had a text element named UserName, your processing code would include:
strUserName = Upload.Form("UserName")
If you want to control what file types the user can upload, you can do it with JavaScript in a form validation function in the upload page or you can do it in the "file uploaded" page by checking the FileName property of each uploaded file. The JavaScript check is a convenience for the user only: a request can be posted to the "file uploaded" page without going through your form, so the server-side check is the one that enforces the restriction. This server-side solution requires the checking to be done after the files are actually uploaded (i.e., after the Upload.Save statement). When a file of the incorrect type is detected, you can remove the file from the server with a call to a FileSystemObject method.
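The following is an added example, not code from the FreeASPUpload distribution: a single ASP file that renders the upload form described in "The upload page" and, on POST, saves the files and then applies the server-side file-type check described above. The upload folder path, the allowed-extension list and the function name SaveAndFilter are assumptions made for the illustration.

```asp
<%@ Language=VBScript %>
<!-- #include file="freeASPUpload.asp" -->
<%
' Added example, not part of the FreeASPUpload distribution.
' Assumed values: the upload folder and the list of allowed extensions.
Const UPLOAD_DIR  = "D:\site-data\uploads"     ' assumed folder outside the published tree
Const ALLOWED_EXT = "|jpg|jpeg|png|gif|pdf|"   ' assumed allow-list, lower case

' Saves the posted files, deletes every file whose extension is not on the
' allow-list, and returns an HTML-encoded report for the "file-uploaded" view.
Function SaveAndFilter()
    Dim Upload, fso, key, f, ext, path, report
    Set Upload = New FreeASPUpload
    Upload.Save(UPLOAD_DIR)
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    report = ""
    For Each key In Upload.UploadedFiles.Keys
        Set f = Upload.UploadedFiles(key)
        ' Assumes FileName is the bare name Save used on disk.
        ext = LCase(fso.GetExtensionName(f.FileName))
        path = fso.BuildPath(UPLOAD_DIR, f.FileName)
        If InStr(ALLOWED_EXT, "|" & ext & "|") > 0 Then
            report = report & "Saved " & Server.HTMLEncode(f.FileName) & _
                     " (" & f.Length & " bytes)<br>"
        Else
            ' An empty extension also lands here: "||" is not in the list.
            If fso.FileExists(path) Then fso.DeleteFile path, True
            report = report & "Rejected " & Server.HTMLEncode(f.FileName) & "<br>"
        End If
    Next
    If report = "" Then report = "No file was selected."
    SaveAndFilter = report
End Function
%>
<html><body>
<% If Request.ServerVariables("REQUEST_METHOD") = "POST" Then %>
<p><%= SaveAndFilter() %></p>
<% End If %>
<form method="POST" enctype="multipart/form-data"
      action="<%= Server.HTMLEncode(Request.ServerVariables("SCRIPT_NAME")) %>">
  <input type="file" name="attach1"><br>
  <input type="file" name="attach2"><br>
  <input type="submit" value="Upload">
</form>
</body></html>
```

Because the check runs after Upload.Save, a rejected file exists on disk for a moment before it is deleted, which is one more reason to keep the upload folder outside the published folders.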
FreeASPUpload quick Reference
FreeASPUpload (the main ASP class for the uploader)
Public properties:
UploadedFiles - A Dictionary of UploadedFile objects. You can check the length of keys to verify if the user actually uploaded any files; see example in the SaveFiles function of the uploadTester.asp code sample. The values of the keys are the names of the type="file" input elements in the uploading form. For example, for the uploadTester.asp script, the input element names are "attach1", "attach2", "attach3", and "attach4". Through the key values, the server-side script can figure out the origin of each uploaded file, if that is important.
Files - Equivalent to: UploadedFiles.Items . The SaveFiles function in uploadTester.asp provides an example of how to loop over the Files array to get access to all file descriptions.
Form - A collection with the values of the form elements posted by the upload form. This collection is empty until the Save method is called.
Public methods:
Save(upload directory path) - Saves all the uploaded files to the specified directory using the same names the files had at the origin.
UploadedFile (obtained from FreeASPUpload through the UploadedFiles property)
Public properties:
ContentType, FileName, Length.
No methods.