Thread: upload file field (restrict filename size?)

Hi All,

ok...I have a form that has to fields where a file can be uploaded when the form is submitted. When the form is submitted the file has a date/time stamp on it and just the filename.ext is added to the database (fields - file1 & file2).

The issue is I had to bump up these length on these fields to (40) because the longer my file name I started to get the error below. I think (40) is plenty but there is always still the possibility someone may still try to upload a filename that is too long and the error below will appear and the file gets uploaded to the server but the record/form data is not added to the database. I'm not sure how to go about placing a restriction on the length of the filename, is that possible? Thanks for any suggestions.

Code:

Microsoft OLE DB Provider for SQL Server error '80040e57' 

String or binary data would be truncated.

Oh Ok, Thanks JMH...I tried something like this but it didn't seem to do anything. Is this what you mean?

Code:

if (formDOMObj.attach1.value.length <='20'){
	alert("Shorten your filename, make it 20 characters or less!");
	formDOMObj.attach1.focus();
	return false;
	}

Hiya...

ok...so you mean to set the type size in sql at 255? Right now i just bumped it up but not that much.....If that's not the way I want to go and want to restrict it to less characters....should this be done in javascript or asp?

Thanks for your help!

Here's the best approach both for functionality & security.

Rename the uploaded file to a GUID, store the original file name and the new file name in the database.

Example:

Create two fields in your database called "originalFileName" & "newFileName".
The "originalFileName" field will have the actual name of the file that was uploaded. The "newFileName" field will store the new GUID name of the file after you've renamed it.

if you are using an MSSQL database use the data types below.
originalFileName varchar(255)
newFileName uniqueidentifier

The above is for functionality.

For security purpose, you NEVER keep the original name of the file. Doing so could allow for injection attacks, such as if someone uploaded a filed called "<script>alert('XSS');</script>.jpg".

Also make sure you validate the content of the file so someone can't just rename a .asp file to .jpg (assuming you are allowing only .jpg files) and execute code on your server.

For additional details on file upload issues to consider, read the article below.

Handling File Uploads

Hi Memnoch,

I read the info and trying to absorb it....

With mehere's help in another post I am currently rename the file uploaded...ex: if they try to use mydoc.doc then it gets renamed with date/time stamp as mydoc_161053.doc and goes on server file (test\testsite\files\) and gets stored in the database field that way too

I have field as nvarchar(40) ... is it ok as nvarchar and just change to (255)?

Also, if I change to (255) what happens if the users file name is 255 characters long...+ the datetime stamp on it...won't it give an error like in post #1?

Thanks for your help!