Sunday, June 24, 2012

Validate Image Type Using Image GUID in

Validate image content using the System.Drawing.Image class rather than the image file extension in

Most web applications have functionality to upload images and store them on the server. Before storing an image on the server, we may need to validate it, because a user may upload malicious scripts instead.

To address this, we generally check the extension of the uploaded file and deny script files from being uploaded to the server. But this validation is not enough to prevent the upload of a malicious script, because the user can change the extension of the script and then upload it.

To resolve this problem, we should check the content of the image instead of the file extension, because changing a file's extension never changes its content.

In this article we will see, using a simple example, how to check the content of images and prevent users from uploading malicious scripts. To check the content of the images we will use the System.Drawing.Image class.

The first step is to create a simple web application in Visual Studio and add a WebForm. Then add a file upload control and a button, plus a label named lblMessage, which the click handler below uses to show its result. The markup of your default page looks like this:

<asp:FileUpload ID="FileUpload1" runat="server" />
<asp:Button Text="Save" runat="server" ID="butSave" onclick="butSave_Click" />
<asp:Label ID="lblMessage" runat="server" />

Now write the code below in the button's click handler to validate images.

 if (FileUpload1.HasFile)
 {
     try
     {
         // Decode the upload as an image; dispose the image when done.
         using (System.Drawing.Image image = System.Drawing.Image.FromStream(FileUpload1.FileContent))
         {
             string FormatType = string.Empty;

             // RawFormat comes from the decoded content, not from the file name.
             if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Tiff.Guid)
                 FormatType = "TIFF";
             else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Gif.Guid)
                 FormatType = "GIF";
             else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Jpeg.Guid)
                 FormatType = "JPG";
             else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Bmp.Guid)
                 FormatType = "BMP";
             else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Png.Guid)
                 FormatType = "PNG";
             else if (image.RawFormat.Guid == System.Drawing.Imaging.ImageFormat.Icon.Guid)
                 FormatType = "ICO";
             else
                 throw new System.ArgumentException("Invalid File Type");

             lblMessage.Text = "File Format Is:" + FormatType;
         }
     }
     catch (System.ArgumentException)
     {
         // Not a decodable image, or an image format outside the list above.
         lblMessage.Text = "Invalid File";
     }
     catch (Exception ex)
     {
         lblMessage.Text = ex.Message;
     }
 }

The code above first checks whether the user uploaded a file. If so, it converts the file into an image object, then reads that object's RawFormat.Guid to identify the file's content, comparing the GUID against those of the ImageFormat values.

This lets us restrict uploads to certain image file types and no others. If the user changes the file extension, the RawFormat GUID does not change; it stays the same even after the extension is changed. For example, if the user changes a GIF file's extension to .jpg, its GUID is still that of GIF.

In the example above, if the user uploads any file other than an image, an ArgumentException is generated while accessing its raw format property, so files other than images are not allowed.
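An added example, not code from the original article: the same RawFormat GUID check written as a reusable allow-list, going one step further by choosing the stored extension from the detected content instead of the uploaded name. The helper name ImageUploadCheck, the three allowed formats, and the in-memory sample inputs are assumptions made for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Text;

static class ImageUploadCheck   // hypothetical helper, not part of the article
{
    // Allow-list: RawFormat GUID -> extensions acceptable for that content.
    static readonly Dictionary<Guid, string[]> Allowed = new Dictionary<Guid, string[]>
    {
        { ImageFormat.Jpeg.Guid, new[] { ".jpg", ".jpeg" } },
        { ImageFormat.Png.Guid,  new[] { ".png" } },
        { ImageFormat.Gif.Guid,  new[] { ".gif" } },
    };

    // Returns the extension to store the file under, or null to reject it.
    public static string SafeExtension(Stream content, string claimedName)
    {
        try
        {
            using (Image image = Image.FromStream(content))
            {
                string[] exts;
                if (!Allowed.TryGetValue(image.RawFormat.Guid, out exts))
                    return null;                    // an image, but not an allowed type
                string claimed = (Path.GetExtension(claimedName) ?? "").ToLowerInvariant();
                // Content wins: GIF data uploaded as "x.jpg" is stored as ".gif".
                return Array.IndexOf(exts, claimed) >= 0 ? claimed : exts[0];
            }
        }
        catch (ArgumentException) { return null; }  // stream is not a decodable image
    }

    static void Main()
    {
        // Constructed inputs: a 1x1 GIF built in memory, and plain text bytes.
        var gif = new MemoryStream();
        using (var bmp = new Bitmap(1, 1)) bmp.Save(gif, ImageFormat.Gif);
        gif.Position = 0;
        var text = new MemoryStream(Encoding.ASCII.GetBytes("this is plain text, not an image"));

        Console.WriteLine(SafeExtension(gif, "photo.jpg") ?? "rejected");   // GIF content, .jpg name
        Console.WriteLine(SafeExtension(text, "notes.jpg") ?? "rejected");  // text content, .jpg name
    }
}
```

In a WebForm, the handler would pass FileUpload1.FileContent and FileUpload1.FileName, and save the file under a server-generated name with the returned extension.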

The goal of this article is just to show that we can validate an image using its content rather than its file extension.