

neagosr
04-03-2004, 01:22 PM
I have a file upload feature on my site for the site members.
How can I protect against the possibility that my members upload .ASP files and run them?
Is it safe to only verify the .asp suffix of files on upload?

Another question: I have an .inc file with the login and password to connect to my MSSQL database. Is there any possibility that someone can view my .inc page or other .asp pages? How can I avoid this?

Thanks a lot and excuse my English :(

PeOfEo
04-03-2004, 02:25 PM
For the directory the users upload into, take away the script writing and reading abilities. Do you have direct access to the server? If you put the login stuff inside of an .asp file the server will not give up the source code, only the HTML output for it, but you can protect the .inc file type. I am not sure if that is protected already or not.

buntine
04-03-2004, 10:51 PM
To disallow certain file types, you have to write a small script which will see what extension the file to be uploaded has. Match the file type against an array of banned extensions and then take the appropriate action.
Here is an example:

    ' Three banned extensions: indexes 0 to 2
    dim arrBanned(2)
    dim strFile, strExt, blnBanned
    dim arrParts, i

    arrBanned(0) = "asp"
    arrBanned(1) = "php"
    arrBanned(2) = "exe"

    strFile = request.queryString("file")

    ' Split the name on "." and take the LAST piece as the extension;
    ' Split returns an array, so it cannot be passed through CStr
    arrParts = Split(strFile, ".")
    if UBound(arrParts) > 0 then
        strExt = arrParts(UBound(arrParts))
    else
        strExt = ""   ' no extension at all
    end if

    ' Compare case-insensitively so "file.ASP" is caught as well
    blnBanned = false
    for i = 0 to UBound(arrBanned)
        if LCase(strExt) = arrBanned(i) then
            blnBanned = true
            exit for
        end if
    next

    if blnBanned then
        with response
            .Write ("<div align=""center"">" & vbCrLf)
            .Write ("Error: You cannot upload a file of that type.<br />")
            .Write ("The following file types are banned<br />")

            for i = 0 to UBound(arrBanned)
                .Write ("." & arrBanned(i) & "<br />")
            next

            .Write (vbCrLf & "</div>" & vbCrLf)
            .end
        end with
    end if


I haven't tested this code and you will obviously have to alter it so it complies with your naming conventions, etc. It's just an example of how I would tackle it.

Regards,
Andrew Buntine.

neagosr
04-04-2004, 03:35 AM
Thank you, I'll try this code.
I thought of JavaScript code that verifies the file suffixes, but it seems to be pretty unsecure to run the code in the client browser....
So, the server runs only .asp (or .php, or .exe) files? And is this protection method (described in the previous reply) enough?

I didn't quite understand how I can protect my files on the web server from programs like GetRight or others like it, which can download or view all files. I intend to host my site on a shared web hosting server which doesn't allow me too much. Can anybody view my .inc file with the login and password information for the database??

I'll appreciate your answers.

PeOfEo
04-04-2004, 09:37 PM
Are you hosting it yourself? You can do what buntine said with the formats, but you are still going to need some directory security because the person could be uploading many files:
.dll
.php
.asp
.aspx
.cgi
.bat
.exe
Some could be executable like the bat, dll and exe (but I do not know how they would initiate one of these without remote access), but for the others it will depend on what the server supports. Also people could just rename the format of a .exe to .jpg or something. You really need a software firewall and other security measures on the server.

edit: are you looking to make sure users can't upload some files because you are on a free host that will not allow them? If so just let them upload them, the host's security will kill them... it really depends on the host. If it's in a database you might be able to hide some of these files, but then it could violate the TOS of that host.

neagosr
04-05-2004, 03:54 AM
I will host my site on www.sectorlink.com. My site will be for a chess community and members will be able to upload files into their subdirectory through ASP Upload (from Persits), so they will have sites like: www.chessarea.com/"subdirectory_name". "subdirectory_name" will be created on the request of members.

I want to protect against the .asp files; I want my members to be able to have only HTML sites (.HTML, .CSS, .GIF, .JPG), because I don't know how I can code it so that their .asp files have permissions only in their subdirectory.

I believe that the web server (IIS) runs only files with the .asp suffix, so if a file contains scripts but it doesn't have the .asp suffix, the server will not run the script.
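The static-only policy described in this post, written as an allowlist check rather than buntine's blocklist and with the content check PeOfEo's "rename a .exe to .jpg" point calls for. This is an added example, not code from the thread or from ASPUpload; it is in Python to keep the logic language-neutral, and the policy set, the `check_upload` name and the sample bytes are all constructed here.

```python
# Added example: allowlist-based upload check for a members' static-site area.
# Policy, names and sample bytes are constructed for illustration.

ALLOWED_EXTENSIONS = {"html", "htm", "css", "gif", "jpg", "jpeg"}

# Leading bytes ("magic numbers") of the binary formats we accept.
# Text formats (html, css) have no reliable signature and are not sniffed.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

FORBIDDEN_CHARS = set('<>:"|?*;')


def check_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded file may be stored.

    filename: the client-supplied name (untrusted).
    head:     the first bytes of the uploaded content.
    Returns (accepted, reason).
    """
    # Keep only the final path component; a client can send directory parts in the name.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base in (".", ".."):
        return False, "empty or reserved file name"
    if any(ord(c) < 32 or c in FORBIDDEN_CHARS for c in base):
        return False, "disallowed character in file name"
    # The server picks its handler from the LAST extension, so that is the one to judge,
    # lower-cased (IIS treats page.ASP and page.asp alike).
    if "." not in base or base.endswith("."):
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not permitted"
    # Allowlist beats blocklist: anything not listed above (asp, php, exe, ...) is already out.
    # A renamed binary (evil.exe -> evil.jpg) passes the name test, so sniff the content too.
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"
```

The same two rules port directly to the VBScript posted earlier: judge only the last, lower-cased extension against an allowlist, then compare the first bytes of the stored file against the expected signature before publishing it.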

buntine
04-05-2004, 06:34 AM
If you're using Persits ASPUpload, you can toggle some settings which will disallow certain file types.

Take a look at the examples on their website: www.aspupload.com

Regards.

PeOfEo
04-05-2004, 05:17 PM
Oh, I thought this was more of a large-scale security question: how to keep executable and server-side files out while users could still edit and alter files after they have been uploaded, like on a major host. I do not know about the ASP classic components, so just do what buntine says :) .

neagosr
04-09-2004, 03:59 AM
Thank you very much for answers.