Understanding File Upload

By Tiago Halm

As you probably know, Microsoft has one free DLL, namely CPSHOST.DLL, with which you can upload files. It requires a folder with write permissions since it is there where the file(s) will be posted (saved) when they arrive to the Web server (IIS). Another drawback is that you are focusing only on file uploading and not on other uploading possibilities. Remember, when you upload a file, you can also upload (post) any other inputs, such as the input file, input checkbox, input password, and input image, etc. And you can check their value just as if you were posting an ordinary form.

So when you upload a file you are really posting a form's content to the browser by using a different encoding type (enctype) in your form. That encoding is specified as enctype="multipart/form-data" as an attribute of your form.

The specification in RFC 1867 "Form-based File Upload in HTML" describes the mechanism by which a file may be uploaded from a Web browser to the server.

The Strange and Fun Stuff

Imagine you have a form just like the one in the zip file below for the upload.asp file):

<form method="post" enctype="multipart/form-data"
<table cellpadding="5" cellspacing="0" border="0">

        <td>Input Checkbox:</td>
        <td><input type="checkbox" checked
        <td>Input Password:</td>

        <td><input type="password" name="input_password"
        <td>Input Text:</td>
        <td><input type="text" name="input_text"

        <td>Input Image:</td>
        <td><input type="image" src="pic.gif" width="200"
height="100" border="0"></td>

        <td>Input Hidden</td>
        <td>I promise it's there :)<input type="hidden"
name="input_hidden" value="myhiddenvalue"></td>
        <td>Input File</td>

        <td><input type="file" accept="*.gif"
        <td>Input File</td>
        <td><input type="file"

        <td>Input Submit</td>
        <td><input type="submit"></td>


After filling those 2 input files, what happens when you submit your form? Well, all of this content will become the body of your HTML message. But, the contents will be posted in such a way that you'll be able to parse all of it.

First things first. Let's see what's been posted:

Content-Disposition: form-data; name="input_check"

Content-Disposition: form-data; name="input_password"

Content-Disposition: form-data; name="input_text"

Content-Disposition: form-data; name="input_hidden"


Content-Disposition: form-data; name="FileItem";
Content-Type: text/plain

This file has some text in it.
It also has more than one line.

Content-Disposition: form-data; name="fileaaa";
Content-Type: image/gif

(binary content)

Notice all the inputs have been posted to the server. You can also see this just by having your upload.asp file like this:

Response.BinaryWrite Request.BinaryRead(Request.TotalBytes)

Where you see (binary content) there should be a lot of strange characters, which I've omitted because they take a lot of space.

Separating Inputs

All the text in bold like -----------------------------7d01ecf406a6 is what separates each input. Note also that in the end of the post we also have the text -----------------------------7d01ecf406a6-- but it signals the end of our post, since it ends with 2 minus signs (--). Anyway, don't forget that this strange hexadecimal number is different every time you post content this way to your IIS.

Every input appears to have the same pattern:

<hex value>CRLFContent-Disposition: form-data; name="<input
name>"CRLFCRLF<input value>CRLF

But this pattern is only valid for normal inputs, those that are not of type file. Inputs of type file have the following pattern:

<hex value>CRLFContent-Disposition: form-data; name="<input
name>"; filename="<file
path>"CRLFContent-Type: <mime-type>CRLFCRLF<input

Using some parsing techniques, it is quite easy to get each input name and respective value. Although I've done some parsing, available to you in the article code, I cannot say they are effective at all, since I've only used them to understand the potential of file uploading.


If you want to have file uploading available in your Web site, whether intranet or Internet (although I prefer to use only in Intranet servers), you can build it all by yourself.

You can build your own ISAPI DLL; You can build your own COM/MTS DLL;
You can have your file upload transactional;
You don't need to have a directory with write permissions;
You can even deal with all your upload content only in ASP code (example appears in the article code).

About the Author

Tiago Halm is from Portugal. He is a project manager and team leader in a financial institution called BPI (http://www.bancobpi.pt). He has also been a program/product manager at an Internet/Multimedia company called Neuronio (http://www.neuronio.pt), handling projects for Telecel, Compaq, and Expresso. He can be reached at thalm@hotmail.pt and at thalm@londonoffice.com.



  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • With applications supporting your key customer interactions and business functions, all aspects of your IT infrastructure must be scrutinized – including your colocation provider. Read Six Important Considerations When Choosing a Colocation Provider now and discover the right questions to ask.

  • Live Event Date: May 13, 2105 @ 1:00 p.m. ET / 10:00 a.m. PT Your data is a valuable asset that can quickly transform into a liability when breached. Organizations often become hung up on combating external breaches, while the insider threat doesn't get the attention it deserves. To manage both external and internal threats, new approaches to security are required, particularly in regards to authorized internal users who have legitimate access to sensitive information. Join TITUS and a guest speaker from …

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date