1. 首页
  2. 问答
  3. 仅上载允许的文件类型

仅上载允许的文件类型

2013-08-19 88 views
1

我正在使用FreeASPUpload组件的用户可以上传的表单上工作。仅上载允许的文件类型

现在我可以上传任何东西,并会导致服务器上的重大安全问题。我怎样才能限制只有特定的文件类型。我只希望用户上传“.doc”,“.docx”和“.pdf”文件。

这里是源代码。

<%@ Language=VBScript %> 
<% 
option explicit 
Response.Expires = -1 
Server.ScriptTimeout = 600 
Session.CodePage = 65001 
%> 

<!-- #include file="UploadClass.asp" --> 
<!-- #include file="ADOVBS.inc" --> 

<% 
Dim uploadsDirVar 
uploadsDirVar = server.MapPath("Resumes_Uploaded") 

function OutputForm() 
%> 
<form name="frmSend" id="appform" method="POST" enctype="multipart/form-data" accept-charset="utf-8" action="form.asp" onSubmit="return onSubmitForm();"> 
<input type="hidden" name="ApplicationForm" value="Insert" /> 
Name: <input type="text" name="name_insert" value="" size="30" /> 
<B>File names:</B><br> 
File 1: <input name="attach1" type="file" size=35><br> 
<br> 
<input style="margin-top:4" type="submit" value="Submit"> 
</form> 


<% 
end function 

function TestEnvironment() 
    Dim fso, fileName, testFile, streamTest 
    TestEnvironment = "" 
    Set fso = Server.CreateObject("Scripting.FileSystemObject") 
    if not fso.FolderExists(uploadsDirVar) then 
     TestEnvironment = "<B>Folder " & uploadsDirVar & " does not exist.</B><br>The value of your uploadsDirVar is incorrect. Open uploadTester.asp in an editor and change the value of uploadsDirVar to the pathname of a directory with write permissions." 
     exit function 
    end if 
    fileName = uploadsDirVar & "\test.txt" 
    on error resume next 
    Set testFile = fso.CreateTextFile(fileName, true) 
    If Err.Number<>0 then 
     TestEnvironment = "<B>Folder " & uploadsDirVar & " does not have write permissions.</B><br>The value of your uploadsDirVar is incorrect. Open uploadTester.asp in an editor and change the value of uploadsDirVar to the pathname of a directory with write permissions." 
     exit function 
    end if 
    Err.Clear 
    testFile.Close 
    fso.DeleteFile(fileName) 
    If Err.Number<>0 then 
     TestEnvironment = "<B>Folder " & uploadsDirVar & " does not have delete permissions</B>, although it does have write permissions.<br>Change the permissions for IUSR_<I>computername</I> on this folder." 
     exit function 
    end if 
    Err.Clear 
    Set streamTest = Server.CreateObject("ADODB.Stream") 
    If Err.Number<>0 then 
     TestEnvironment = "<B>The ADODB object <I>Stream</I> is not available in your server.</B><br>Check the Requirements page for information about upgrading your ADODB libraries." 
     exit function 
    end if 
    Set streamTest = Nothing 
end function 

function SaveFiles 
    Dim Upload, fileName, fileSize, ks, i, fileKey, strFileName, strFileType, oFSO, DelFile, fso 

    Set Upload = New FreeASPUpload 
    Upload.Save(uploadsDirVar) 

    ' If something fails inside the script, but the exception is handled 
    If Err.Number<>0 then Exit function 

    SaveFiles = "" 
    ks = Upload.UploadedFiles.keys 
    if (UBound(ks) <> -1) then 
     SaveFiles = "<B>Files uploaded:</B> " 
     for each fileKey in Upload.UploadedFiles.keys 
    SaveFiles = SaveFiles & Upload.UploadedFiles(fileKey).FileName & " (" & Upload.UploadedFiles(fileKey).Length & "B) " 

     next 
    else 
     SaveFiles = "No file selected for upload or the file name specified in the upload form does not correspond to a valid file in the system." 
    end if 
%> 

<% 
'======================================================================================= 
' CONNECT DATABASE 
'======================================================================================= 
Dim objConn, objRs, InsCom, InsName 
Set objConn = CreateObject("ADODB.Connection") 
Set objRs = CreateObject("ADODB.Recordset") 
objConn.open"Provider=Microsoft.Jet.OLEDB.4.0;Data Source="& server.MapPath("db/Job_database.mdb") &";Mode=ReadWrite|Share Deny None;Persist Security Info=False" 

If Upload.Form("ApplicationForm") = "Insert" Then 
Set InsCom=Server.CreateObject("ADODB.Command") 
InsCom.ActiveConnection=objConn 

InsName = Trim(Upload.Form("name_insert")) 
InsName = replace(InsName,"'","''") 

InsCom.CommandText = "Insert into applications(aname)Values(?)" 
InsCom.Parameters.Append InsCom.CreateParameter("@name_insert", adVarChar, adParamInput, 255, InsName) 

InsCom.Execute 

End If 

Response.Redirect("success.asp")  
end function 
%> 

<HTML> 
<HEAD> 
<TITLE>Test Free ASP Upload 2.0</TITLE> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<style> 
BODY {background-color: white;font-family:arial; font-size:12} 
</style> 
<script> 
function onSubmitForm() { 
    var formDOMObj = document.frmSend; 
    if (formDOMObj.attach1.value == "") 
     alert("Please press the Browse button and pick a file.") 
    else 
     return true; 
    return false; 
} 
</script> 
</HEAD> 

<BODY> 

<br><br> 
<div style="border-bottom: #A91905 2px solid;font-size:16">Upload files to your server</div> 
<% 
Dim diagnostics 
if Request.ServerVariables("REQUEST_METHOD") <> "POST" then 
    diagnostics = TestEnvironment() 
    if diagnostics<>"" then 
     response.write "<div style=""margin-left:20; margin-top:30; margin-right:30; margin-bottom:30;"">" 
     response.write diagnostics 
     response.write "<p>After you correct this problem, reload the page." 
     response.write "</div>" 
    else 
     response.write "<div style=""margin-left:150"">" 
     OutputForm() 
     response.write "</div>" 
    end if 
else 
    response.write "<div style=""margin-left:150"">" 
    OutputForm() 
    response.write SaveFiles() 
    response.write "<br><br></div>" 
end if 

%> 

</BODY> 
</HTML>

我寻觅了很多,发现只有几个解决方案,但他们并没有在我结束工作。 这是我最近做出的更改,但文件上传后不会从服务器中删除。

下面是代码

function SaveFiles 
    Dim Upload, fileName, fileSize, ks, i, fileKey, strFileType, oFSO 

    Set Upload = New FreeASPUpload 
    Upload.Save(uploadsDirVar) 

    ' If something fails inside the script, but the exception is handled 
    If Err.Number<>0 then Exit function 

    SaveFiles = "" 
    ks = Upload.UploadedFiles.keys 
    if (UBound(ks) <> -1) then 
     SaveFiles = "<B>Files uploaded:</B> " 
     for each fileKey in Upload.UploadedFiles.keys 
      strFileType = Left(Upload.UploadedFiles(fileKey).ContentType,5) 
      if strFileType = ".doc" and ".docx" and ".pdf" Then 
       SaveFiles = SaveFiles & Upload.UploadedFiles(fileKey).FileName & " (" & Upload.UploadedFiles(fileKey).Length & "B) " 
      else 
       DelFile = DelFiles & Upload.UploadedFiles(fileKey).FileName & "," 
      end if   
     next 

     %> 
<% 

    else 
     SaveFiles = "The file name specified in the upload form does not correspond to a valid file in the system." 
    end if 
    if DelFile <> "" Then 
     DelFile = left(DelFile,len(DelFile)-1) 
     set oFSO = CreateObject("Scripting.FileSystemObject") 
     if inStr(DelFile,",") > 0 then 
       arrDelete = split(DelFile,",") 
       for i = 0 to UBound(arrDelete) 
        oFSO.DeleteFile uploadsDirVar & arrDelete(i) 
       next 
     else 
      oFSO.DeleteFile uploadsDirVar & DelFile 
     end if 
     oFSO.close 
     set oFSO = nothing 
    end if

FreeASPUpload documentation没有帮助。

来源

2013-08-19 yaqoob

+0

为什么文件不被删除?你应该说明你的代码是否有错误,等等。 –

+0

文件上传的方式,我没有收到任何错误... – yaqoob

+0

你必须有一个错误的地方。禁用代码中的所有错误恢复下一行代码,以找出代码破坏的位置... –

回答

2

我测试此代码,它工作正常...

function SaveFiles 
    ' You forgot to declare the DelFile Variable 
    Dim Upload, fileName, fileSize, ks, i, fileKey, strFileType, oFSO, DelFile 

    Set Upload = New FreeASPUpload 
    Upload.Save(uploadsDirVar) 

    ' If something fails inside the script, but the exception is handled 
    If Err.Number<>0 then Exit function 

    ' Set DelFile Variable to empty string 
    DelFile = "" 
    SaveFiles = "" 
    ks = Upload.UploadedFiles.keys 
    if (UBound(ks) <> -1) then 
     SaveFiles = "<B>Files uploaded:</B> " 
     for each fileKey in Upload.UploadedFiles.keys 
      ' This does not return the file extension of the file uploaded 
      ' strFileType = Left(Upload.UploadedFiles(fileKey).ContentType,5) 
      strFileType = Mid(Upload.UploadedFiles(fileKey).FileName, InstrRev(Upload.UploadedFiles(fileKey).FileName, ".") + 1) 
      ' This is an invalid if statement 
      ' if strFileType = ".doc" and ".docx" and ".pdf" Then 
      if strFileType = "doc" or strFileType = "docx" or strFileType = "pdf" Then 
       SaveFiles = SaveFiles & Upload.UploadedFiles(fileKey).FileName & " (" & Upload.UploadedFiles(fileKey).Length & "B) " 
      else 
       ' The var DelFiles does not exist 
       'DelFile = DelFiles & Upload.UploadedFiles(fileKey).FileName & "," 
       DelFile = DelFile & Upload.UploadedFiles(fileKey).FileName & "," 
      end if 
     next 
    else 
     SaveFiles = "The file name specified in the upload form does not correspond to a valid file in the system." 
end if 
if DelFile <> "" Then 
    DelFile = left(DelFile,len(DelFile)-1) 
    set oFSO = CreateObject("Scripting.FileSystemObject") 
    if inStr(DelFile,",") > 0 then 
      arrDelete = split(DelFile,",") 
      for i = 0 to UBound(arrDelete) 
       ' this is wrong, you're missing a backspace 
       ' oFSO.DeleteFile uploadsDirVar & arrDelete(i) 
       oFSO.DeleteFile uploadsDirVar & "\" & arrDelete(i) 
      next 
    else 
     ' this is wrong, you're missing a backspace 
     ' oFSO.DeleteFile uploadsDirVar & DelFile 
     oFSO.DeleteFile(uploadsDirVar & "\" & DelFile) 
    end if 
     ' This is an invalid statement 
     ' oFSO.close 
     set oFSO = nothing 
    end if 
end function

注:您的代码是完全错误的......我尽我所能来解释他们在哪里,什么他们是,但这不能替代学习如何正确调试asp代码。在试图将我的代码集成到您的解决方案之前,您应该尝试掌握如何调试asp。

来源

2013-08-19 12:39:49

+0

@ basto.serdio我非常感谢您的帮助,我真的是一名ASP初学者,我很努力地学习它。我只是在我卡住的时候寻求帮助,当我找不到别的东西时。 我试过你的代码,它给出了500-内部服务器错误。 ** Microsoft VBScript编译(0x800A03F6)预期'结束' /test/form。asp,line 136 ** – yaqoob

+0

@Shadow Wizard现在它工作完美:)感谢您的帮助:) – yaqoob

+1

@yaqoob不是我,我只是编辑,使代码漂亮。 –

相关问题

 相关问题