Limiting Upload Sizes with ASP.NET
It seemed like a simple request from a customer with an ASP.NET Web site: come up with a way to let their users upload images to a SQL Server database. Oh, and limit the files to a certain size, to keep traffic and database sizes reasonable. Oh, and show a friendly error message if the file was too large.
Well, in the end, it did turn out to be simple - but it also meant I had to touch on a batch of different parts of ASP.NET. So let me walk through what I came up with, and perhaps you can find something that will help in your own future plans.
Uploading and Storing the File
The first task was fairly easy. The customer's requirements called for storing the uploaded file, together with its content type and size, into a SQL Server table. To handle this part, I wrote a stored procedure:
CREATE PROC procInsertFile
    @File image,
    @ContentType varchar(50),
    @ByteSize int
AS
    INSERT INTO UploadedFiles([File], ContentType, ByteSize)
    VALUES(@File, @ContentType, @ByteSize)
Uploading the file is easy too. You may not have ever used it, but the HTML standard includes the <INPUT type="file"> tag. This tag is rendered as a textbox and a browse button; you can use the browse button to select a file, whose name appears in the textbox. When you submit the form, the contents of the specified file are sent along as part of the HTTP request. Even though it's not in the Visual Studio toolbox, you can still use this tag in your ASP.NET Web Forms by hand-editing the HTML. Here's the HTML for a page that contains just this tag and a submit button, as shown in Figure 1.
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="UploadForm.aspx.vb" Inherits="UploadProject.UploadForm"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
  <HEAD>
    <title>UploadForm</title>
  </HEAD>
  <body>
    <!-- enctype="multipart/form-data" is what makes the browser send the file contents -->
    <form id="Form1" method="post" enctype="multipart/form-data" runat="server">
      <P>
        <input id="UploadFile" runat="server" type="file">
        <asp:Button id="btnUpload" runat="server" Text="Upload"></asp:Button>
      </P>
    </form>
  </body>
</HTML>
I also added a SqlConnection and a SqlCommand to my Web Form. The SqlConnection points to the appropriate database and the SqlCommand wraps the procInsertFile stored procedure. I named the SqlCommand cmdInsertFile. Even though the file upload control isn't in the Toolbox, ASP.NET still includes methods for working with it. Here's the code that gets triggered when the user clicks the Submit button:
Imports System.IO

Private Sub Page_Load(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles MyBase.Load
    If IsPostBack Then
        ' Get the uploaded data
        Dim upfile As HttpPostedFile = UploadFile.PostedFile
        ' Make sure there's actually content uploaded
        If Not upfile Is Nothing AndAlso upfile.ContentLength > 0 Then
            ' Load the data into a byte array. VB array bounds are
            ' inclusive, so the upper bound is FileLength - 1.
            Dim FileLength As Integer = upfile.ContentLength
            Dim FileByteArray(FileLength - 1) As Byte
            Dim StreamObject As Stream = upfile.InputStream
            StreamObject.Read(FileByteArray, 0, FileLength)
            ' Store the file data in the SQL Server database
            cmdInsertFile.Parameters("@File").Value = FileByteArray
            cmdInsertFile.Parameters("@ContentType").Value = upfile.ContentType
            cmdInsertFile.Parameters("@ByteSize").Value = FileLength
            SqlConnection1.Open()
            Try
                cmdInsertFile.ExecuteNonQuery()
            Finally
                ' Close the connection even if the insert fails
                SqlConnection1.Close()
            End Try
        End If
    End If
End Sub
The key to this code is the HttpPostedFile class, which gives you direct access to the contents of the uploaded file. It also has handy properties for things like the file size and its content type. All that the code does is grab this data and stuff it into a byte array, which can then be used as a parameter to the stored procedure. With this much code written, the first requirement is satisfied: the file gets to the SQL Server database.
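HttpPostedFile.ContentType is the value the client sent with the request, so the ContentType column ends up holding whatever the browser claimed. The following is an added example, not code from the original article, that derives the type from the file's leading bytes instead; the module and function names are hypothetical and the sample inputs are constructed.

```vbnet
Imports System
Imports System.Text

Module UploadTypeCheck
    ' True when data begins with the given signature bytes.
    Private Function HasPrefix(ByVal data As Byte(), ByVal sig As Byte()) As Boolean
        If data Is Nothing OrElse data.Length < sig.Length Then Return False
        For i As Integer = 0 To sig.Length - 1
            If data(i) <> sig(i) Then Return False
        Next
        Return True
    End Function

    ' Returns the MIME type implied by the file's leading bytes, or Nothing
    ' when the data is not a JPEG, PNG or GIF. The client's claim is not used.
    Function SniffImageType(ByVal data As Byte()) As String
        If HasPrefix(data, New Byte() {&HFF, &HD8, &HFF}) Then Return "image/jpeg"
        If HasPrefix(data, New Byte() {&H89, &H50, &H4E, &H47, &H0D, &H0A, &H1A, &H0A}) Then Return "image/png"
        If HasPrefix(data, Encoding.ASCII.GetBytes("GIF87a")) Then Return "image/gif"
        If HasPrefix(data, Encoding.ASCII.GetBytes("GIF89a")) Then Return "image/gif"
        Return Nothing
    End Function

    ' Describes what an upload handler should do with one file.
    Function Decide(ByVal data As Byte(), ByVal declaredType As String) As String
        Dim sniffed As String = SniffImageType(data)
        If sniffed Is Nothing Then Return "reject (declared " & declaredType & ", not an image)"
        Return "store as " & sniffed & " (declared " & declaredType & ")"
    End Function

    Sub Main()
        ' Constructed sample inputs, not captured from a real upload.
        Dim png As Byte() = {&H89, &H50, &H4E, &H47, &H0D, &H0A, &H1A, &H0A, 0, 0, 0, &H0D}
        Dim gif As Byte() = Encoding.ASCII.GetBytes("GIF89a....")
        Dim text As Byte() = Encoding.ASCII.GetBytes("plain text, not an image")
        Console.WriteLine(Decide(png, "image/png"))
        Console.WriteLine(Decide(gif, "image/jpeg"))
        Console.WriteLine(Decide(text, "image/jpeg"))
    End Sub
End Module
```

In the Page_Load handler above, SniffImageType(FileByteArray) would be called before the parameters are filled, with its result stored in @ContentType and the insert skipped when it returns Nothing.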