Client-Side Validation of File Types Permissible to Upload

There are several methods you can use to control the types of files that are uploaded to the server. Unfortunately, there is no bullet-proof method to protect you from someone uploading files that would be considered malicious. You can take a few steps, however, to make this process of allowing end users to upload files a little more manageable.

One nice method you can employ is to use the ASP.NET validation controls that are provided for free with ASP.NET. These controls enable you to do a regular-expression check upon the file that is being uploaded to see if the extension of the file is one you permit to be uploaded.

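For example:

<%-- FileUpload1 and RegularExpressionValidator1 are placeholder IDs --%>
<asp:FileUpload ID="FileUpload1" runat="server" />
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server"
    ControlToValidate="FileUpload1"
    ErrorMessage="Only zip file is allowed!"
    ValidationExpression="^.+(\.zip|\.ZIP)$">
</asp:RegularExpressionValidator>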

This simple ASP.NET page uses validation controls so that the end user can upload only .zip files to the server. If the file does not have a .zip extension, the validation control displays its error message on the page.

Using Validation controls is not a foolproof way of controlling the files that are uploaded to the server. It wouldn’t be too hard for someone to change the file extension of a file so it would be accepted and uploaded to the server, thereby bypassing this simple security model.
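
A server-side check to back up the validator, as an added example that is not from the original article: it compares the extension without regard to case and also confirms that the content starts with a ZIP signature, so a renamed file is rejected. The class and method names and the sample bytes are constructed for illustration; in a Web Forms page the arguments would come from the FileUpload control's FileName and PostedFile.InputStream.

```csharp
using System;
using System.IO;

// Added example: ZipUploadCheck and IsAcceptableZip are hypothetical names.
public static class ZipUploadCheck
{
    // Byte sequences that can open a ZIP file:
    // local file header, empty archive, spanned archive.
    static readonly byte[][] Signatures =
    {
        new byte[] { 0x50, 0x4B, 0x03, 0x04 },
        new byte[] { 0x50, 0x4B, 0x05, 0x06 },
        new byte[] { 0x50, 0x4B, 0x07, 0x08 },
    };

    public static bool IsAcceptableZip(string clientFileName, Stream content)
    {
        // The file name is client-supplied; the extension is only a first filter.
        string ext = Path.GetExtension(clientFileName);
        if (!string.Equals(ext, ".zip", StringComparison.OrdinalIgnoreCase))
            return false;

        // Read the first four bytes; Read may return fewer than requested.
        byte[] head = new byte[4];
        int read = 0;
        while (read < head.Length)
        {
            int n = content.Read(head, read, head.Length - read);
            if (n == 0) return false;           // too short to be a ZIP file
            read += n;
        }
        if (content.CanSeek) content.Position = 0;  // rewind so the caller can save it

        foreach (byte[] sig in Signatures)
        {
            bool match = true;
            for (int i = 0; i < sig.Length; i++)
                if (head[i] != sig[i]) { match = false; break; }
            if (match) return true;
        }
        return false;
    }

    public static void Main()
    {
        byte[] zipBytes = { 0x50, 0x4B, 0x03, 0x04, 0x14, 0x00 };  // constructed sample
        byte[] exeBytes = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00 };  // constructed sample
        Console.WriteLine(IsAcceptableZip("report.ZiP", new MemoryStream(zipBytes)));
        Console.WriteLine(IsAcceptableZip("tool.zip", new MemoryStream(exeBytes)));
        Console.WriteLine(IsAcceptableZip("photo.png", new MemoryStream(zipBytes)));
    }
}
```

A matching signature shows only that the file starts like a ZIP archive; it says nothing about what the archive contains.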

5 comments on “Client-Side Validation of File Types Permissible to Upload”
  1. Mahmoud says:

    Well, you write .zip & .ZIP, this means that I must put all combinations of character states, e.g. .zip, .Zip, .ZIp, … so is there any way to handle that? Especially as I want my FileUpload to upload only images, any type of image, and if I use this I’ll write many, many things. Can you help?

  2. Raj says:

    Thanks for this article.

  3. Anonymous says:

    Thanks for this article.. really short and simple

  4. Anonymous says:

    Thanks for the short and crisp article.

  5. Ghulam says:

    Thanks a lot of thanks. Excellent trick. Great….!