Two questions for experts who understand the ASP.NET file upload mechanism

kills 2004-02-01 06:22:23
Request.Files[0].InputStream;
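This gets the data of an uploaded file. So my question is: is what I get here something that has already been uploaded to the server and held temporarily in memory?
Also, if I want to implement this with a 3-tier architecture and do the actual file handling in the logic layer, how should I go about it? Do I need to pass this InputStream to a handler function as a Stream object and work on it there? But in that case, hasn't the file already been uploaded into the server's memory and only then passed along as a parameter object? If so, doesn't that mean the file gets uploaded to the server no matter how large it is? And that this happens before my handler function runs? Then there is no way to check whether the user is allowed to perform this operation, so wouldn't it be very easy to mount a DDoS attack? Could an expert please help and show how this should be implemented?
If the points aren't enough, I can open another thread to add more.
Or contact me directly on QQ 889508 or MSN cnlamar@hotmail.com
Thanks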
21 replies
cnlamar 2004-02-02
up
nonecolor 2004-02-02
up
nonecolor 2004-02-02
I tried it following the method from wisest (无影无忠), but why do I always get a script error saying the object cannot be created?
速马 2004-02-02
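Indeed, everything is sent to the server first, and only then does the program know the size.
The only option is to check the size on the client (but that requires lowering IE's security settings).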
nehc 2004-02-02
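I can confirm it is controlled through the web.config file. This is my configuration, the one currently in use. I successfully uploaded a file of more than 6 MB.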

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<httpRuntime maxRequestLength="40000"/>
</system.web>
</configuration>

Before that, with a configuration file that did not have <httpRuntime maxRequestLength="40000"/>, uploading this 6 MB file would run into problems.
Jouzen 2004-02-02
Following.

Right now I just check on the client side, but that still requires lowering the security settings; it seems to use ActiveX.
真相重于对错 2004-02-02
The file size can be controlled in the web.config file.
nehc 2004-02-02

MSDN Home > MSDN Library > .NET Development > .NET Framework SDK > .NET Framework > Reference > Configuration File Schema > ASP.NET Settings Schema
.NET Framework General Reference

<httpRuntime> Element
Configures ASP.NET HTTP runtime settings. This section can be declared at the machine, site, application, and subdirectory levels.

<configuration>
   <system.web>
      <httpRuntime>

<httpRuntime useFullyQualifiedRedirectUrl="true|false"
             maxRequestLength="size in kbytes"
             executionTimeout="seconds"
             minFreeThreads="number of threads"
             minFreeLocalRequestFreeThreads="number of threads"
             appRequestQueueLimit="number of requests"
             versionHeader="version string"/>

Optional Attributes
Attribute / Option / Description

appRequestQueueLimit
    The maximum number of requests that ASP.NET will queue for the application. When there are not enough free threads to process a request, the requests are queued. Incoming requests will be rejected with a "503 - Server Too Busy" error when the queue exceeds the limit specified in this setting.

executionTimeout
    Indicates the maximum number of seconds that a request is allowed to execute before being automatically shut down by ASP.NET.

enable
    Specifies whether the App Domain is enabled at the current node and at the child node level. The default value is true.
    true: Specifies that the App Domain be enabled.
    false: Specifies that the App Domain be disabled. The application is not loaded in memory and any client request will cause a 404 error to be issued.

idleTimeOut
    Specifies the App Domain idle time before it is shut down. The default value is 20 minutes.

enableKernelModeCache
    Specifies whether output caching is enabled. At this time, this attribute is only relevant when IIS version 6.0 or later is installed. The output caching configuration and type of request determines whether content can be cached.
    In order to cache a response, the following criteria need to be met:
      - Caching must be explicitly enabled by a page directive or by the use of the caching API.
      - Caching must have an expiration policy so that the kernel knows when to discard it.
      - Caching cannot have any variable headers or parameters.
      - The request must not require any authentication.
    true: Specifies that caching be enabled.
    false: Specifies that caching be disabled.

maxRequestLength
    Indicates the maximum file upload size supported by ASP.NET. This limit can be used to prevent denial of service attacks caused by users posting large files to the server. The size specified is in kilobytes. The default is 4096 KB (4 MB).

minFreeLocalRequestFreeThreads
    The minimum number of free threads that ASP.NET keeps available to allow execution of new local requests. This number of threads is kept reserved for requests coming from the local host, in case some requests issue child requests to the local host during their processing. This avoids a possible deadlock with recursive reentry into the Web server.

minFreeThreads
    The minimum number of free threads to allow execution of new requests. ASP.NET keeps this many threads free for requests that require additional threads to complete their processing.

useFullyQualifiedRedirectUrl
    Indicates whether client-side redirects are fully qualified (in "http://server/path" form, which is necessary for some mobile controls) or whether relative redirects are instead sent to the client.
    true: Specifies that client-side redirects need to be sent fully qualified. This is achieved by automatically converting all redirects that are not fully qualified to fully qualified form.
    false: Specifies that client-side redirects do not need to be automatically converted to the fully qualified form. false is the default.

versionHeader
    Specifies the value of a version header that ASP.NET sends with every response. This attribute is used by Microsoft Visual Studio .NET to determine which version of ASP.NET is in use. It is not necessary for production sites and can be disabled either by removing the attribute from Web.config or Machine.config, or setting the attribute to an empty string (versionHeader="").

Example
The following example specifies HTTP runtime parameters for an ASP.NET application.

<configuration>
   <system.web>
      <httpRuntime maxRequestLength="4000"
                   useFullyQualifiedRedirectUrl="true"
                   executionTimeout="45"
                   versionHeader="1.1.4128"/>
   </system.web>
</configuration>

Requirements
Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0

Configuration File: Machine.config, Web.config

Configuration Section Handler: System.Web.Configuration.HttpRuntimeConfigurationHandler

See Also
ASP.NET Configuration | ASP.NET Settings Schema | Caching ASP.NET Pages

cnlamar 2004-02-02
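web.config limits the total length of the user's data; it is not specific to file uploads, and it certainly cannot apply different limits to different users. Either way, it won't work.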
wuyi8808 2004-02-01
Following.
cnlamar 2004-02-01
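ASP.NET's mechanism seems to be that, whatever operation you perform, the data is first fetched into the server's memory and only then are those operations carried out. In that case, file upload could be a major security risk, couldn't it? How can this be solved? Experts, please advise.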
cnlamar 2004-02-01
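Of course I know how to check the size, but even so, the data is already in the server's memory, and the bandwidth and memory have already been consumed. So if someone is malicious... it would not be hard to choke your server...

Relying only on a JS check on the client is not realistic either. Someone who really wants to attack you won't use IE to do it; they will POST the data directly, won't they?

After a long time testing, I found that once the data is submitted, regardless of whether you accept it or redirect elsewhere, as long as it is submitted, the file has already been placed in the server's memory. Unbelievable...

This is a big security problem. Shouldn't everyone be paying attention to it?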
leaya11 2004-02-01
I've noticed this problem too; .NET seems too rigid here. I'm using the JSP approach, but haven't got it working yet.
xueqs 2004-02-01
up
mywisest 2004-02-01
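A way to check on the client side:

// Works only in Internet Explorer with ActiveX allowed (Scripting.FileSystemObject).
// Wrapped in a function so the return statements are valid; the function name is illustrative.
function checkUploadSize()
{
    var sFile = document.all("AttachFile").value;
    if (sFile == "")
    {
        alert("文件名为空!"); // "The file name is empty!"
        return false;
    }
    // Read the local file's size through the FileSystemObject ActiveX control
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var f = fso.GetFile(sFile);
    // The tbmaxRequestLength field value is multiplied by 1024 to get bytes
    var sSize = document.all("tbmaxRequestLength").value;
    var iSize = parseInt(sSize, 10) * 1024;
    if (isNaN(iSize))
    {
        alert("允许上传的文件大小错误!"); // "The allowed upload size is invalid!"
        return false;
    }
    //alert(iSize);
    //alert("文件:"+ sFile +"\n大小:"+f.Size);
    if (f.Size > iSize)
    {
        alert("要上传的文件太大,服务器不允许上传!"); // "The file is too large; the server does not allow the upload!"
        return false;
    }
    return true;
}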
huangsuipeng 2004-02-01
Bump
nehc 2004-02-01
Request.Files[0] has a length property, right? Check that.
cnlamar 2004-02-01
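Test result: it is in the server's memory... ugh.

Does anyone have a solution?
For example, say a given user's upload limit is 100K: once 100K is exceeded, automatically give up receiving all of the data, rather than putting everything in the server's memory and only then checking...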
popu2 2004-02-01
Following. It's in the server's memory?
cnlamar 2004-02-01
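For example:

ExsClass.UpLoad(Request.Files["File"].InputStream);

ExsClass.UpLoad is a method of mine with a single parameter, whose type is naturally System.IO.Stream.

My question: having done this, by the time everything runs inside ExsClass.UpLoad, has the data of Request.Files["File"].InputStream already been transferred in full into the server's memory?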
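
Added example, not part of the thread and not any participant's code: one way to apply the per-user limit asked for above (100 KB for an ordinary user) is an IHttpModule that compares the declared Content-Length with the caller's cap before page code reads Request.Files. The class name, the "Uploader" role and the cap values are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread). Register it under
// <system.web><httpModules> in web.config; all names here are hypothetical.
public class UploadQuotaModule : IHttpModule
{
    // Hypothetical per-role caps in bytes. Content-Length covers the whole
    // POST body (multipart boundaries and other fields included), so these
    // bound the request, not just the file.
    private const int AnonymousLimit = 8 * 1024;
    private const int UserLimit = 100 * 1024;          // the 100 KB from the thread
    private const int UploaderLimit = 6 * 1024 * 1024;

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after authentication, so Context.User is
        // set, and before the page handler reads Request.Files.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    // Maps the authenticated principal to its cap ("Uploader" is a made-up role).
    public static int LimitFor(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return AnonymousLimit;
        return user.IsInRole("Uploader") ? UploaderLimit : UserLimit;
    }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        if (request.HttpMethod != "POST") return;

        // ContentLength comes from the request header; reading it does not
        // touch Form, Files or InputStream.
        if (request.ContentLength > LimitFor(app.Context.User))
        {
            HttpResponse response = app.Context.Response;
            response.StatusCode = 413;
            response.StatusDescription = "Request Entity Too Large";
            app.CompleteRequest(); // skip the handler and go to EndRequest
        }
    }
}
```

The check trusts the Content-Length the client declares, so maxRequestLength in web.config should stay in place as the global ceiling.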