
如何判断上传的文件是挂马文件呢

发布时间: 2012-07-01 13:15:00 作者: rapoo

怎么判断上传的文件是挂马文件呢?
mm.asp.jpg是吗

[解决办法]
检测上传文件的真实类型（文件头），不能只靠扩展名；但文件头校验只能证明文件“以图片开头”，合法的图片头后面仍可以跟脚本内容，所以保存时还要用白名单限制扩展名，并由服务器生成文件名。
例子

HTML code
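<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    /// <summary>Maximum upload size in megabytes (the original parsed the literal "1024").</summary>
    private const int MaxSizeMb = 1024;

    /// <summary>
    /// Extensions the page is willing to write to disk (lower case, with the dot).
    /// The stored extension comes from the client's file name, so it must be
    /// whitelisted: a header check alone would still let "x.asp" with a GIF
    /// header be saved as "{guid}.asp".
    /// </summary>
    private static readonly string[] AllowedExtensions = { ".gif", ".jpg", ".jpeg", ".png", ".bmp" };

    /// <summary>
    /// Accepted values of the first two bytes of the file. Compared byte-for-byte;
    /// the original concatenated decimal strings, where "7173" matched both
    /// {71,73} ("GI") and {7,173}.
    /// </summary>
    private static readonly byte[][] AllowedSignatures =
    {
        new byte[] { 71, 73 },    // "GI"      -> gif
        new byte[] { 255, 216 },  // 0xFF 0xD8 -> jpg
        new byte[] { 137, 80 },   // 0x89 'P'  -> png
        new byte[] { 66, 77 },    // "BM"      -> bmp
    };

    /// <summary>
    /// Registers a client-side alert with the given message.
    /// The message is JavaScript-string-encoded (System.Web, .NET 4+) so a quote
    /// or "&lt;/script&gt;" in it cannot break out of the string literal.
    /// </summary>
    /// <param name="s">Message to show; null is treated as empty.</param>
    void Alert(string s)
    {
        string encoded = HttpUtility.JavaScriptStringEncode(s ?? "");
        Page.ClientScript.RegisterStartupScript(Page.GetType(), "js", "alert('" + encoded + "')", true);
    }

    /// <summary>Upload button handler; delegates to <see cref="saveFile"/>.</summary>
    protected void Button1_Click(object sender, EventArgs e)
    {
        saveFile();
    }

    /// <summary>
    /// Validates the posted file (present, within size, whitelisted extension,
    /// image header) and moves it to "~/yyyyMMdd/{guid}{ext}".
    /// </summary>
    /// <returns>The URL of the stored image, or "" when validation failed
    /// (an alert describing the reason has been registered).</returns>
    protected String saveFile()
    {
        int imgMaxSize = MaxSizeMb * 1024 * 1024;

        HttpPostedFile imgFile = FuImg.PostedFile;
        if (imgFile == null || FuImg.FileName == "")
        {
            Alert("请选择文件。");
            return "";
        }

        String dirPath = Server.MapPath("~/");
        string saveUrl = Page.ResolveUrl("~/");
        if (!System.IO.Directory.Exists(dirPath))
        {
            Alert("上传目录不存在。");
            return "";
        }

        String fileName = imgFile.FileName;
        // Invariant lower-casing: ToLower() under a Turkish culture maps "I" to
        // a dotless i, so ".GIF" would not match the whitelist.
        String fileExt = System.IO.Path.GetExtension(fileName).ToLowerInvariant();

        if (imgFile.InputStream == null || imgFile.InputStream.Length > imgMaxSize)
        {
            Alert("上传文件大小超过限制。");
            return "";
        }

        // Extension whitelist: rejects script extensions regardless of content.
        if (Array.IndexOf(AllowedExtensions, fileExt) < 0)
        {
            Alert("图片格式不正确。");
            return "";
        }

        // Header check: rejects renamed non-image content.
        String fpath = IsAllowedExtension(imgFile);
        if ("" == fpath)
        {
            Alert("图片格式不正确。");
            return "";
        }

        String ymd = DateTime.Now.ToString("yyyyMMdd", System.Globalization.DateTimeFormatInfo.InvariantInfo);
        dirPath = System.IO.Path.Combine(dirPath, ymd);
        saveUrl = saveUrl + ymd + "/";
        if (!System.IO.Directory.Exists(dirPath))
        {
            System.IO.Directory.CreateDirectory(dirPath);
        }

        // Server-generated name: the client's base name is never used on disk.
        String newFileName = Guid.NewGuid().ToString() + fileExt;
        String filePath = System.IO.Path.Combine(dirPath, newFileName);
        try
        {
            System.IO.File.Move(fpath, filePath);
        }
        catch
        {
            // Do not leave the staged copy behind when the move fails.
            if (System.IO.File.Exists(fpath))
            {
                System.IO.File.Delete(fpath);
            }
            throw;
        }

        String fileUrl = saveUrl + newFileName;
        Img.ImageUrl = fileUrl;
        return fileUrl;
    }

    /// <summary>
    /// Saves the upload to a temporary file and checks its first two bytes
    /// against <see cref="AllowedSignatures"/>.
    /// This only proves the file *starts* like an image; a script payload can
    /// follow a valid header, so callers must also whitelist the stored
    /// extension and never execute uploaded content.
    /// </summary>
    /// <param name="f">The posted file.</param>
    /// <returns>Path of the temporary file when the header is accepted;
    /// otherwise "" (the temporary file has been deleted).</returns>
    public String IsAllowedExtension(HttpPostedFile f)
    {
        // NOTE(review): the staging file is written under the web root ("~/");
        // a non-served folder would be preferable if the deployment has one — confirm.
        String newFile = Server.MapPath("~/" + System.Guid.NewGuid().ToString("D") + ".tmp");
        f.SaveAs(newFile);

        bool allowed = false;
        try
        {
            byte[] header = new byte[2];
            int read;
            using (System.IO.FileStream fs = new System.IO.FileStream(newFile, System.IO.FileMode.Open, System.IO.FileAccess.Read))
            {
                read = fs.Read(header, 0, header.Length);
            }

            // A file shorter than two bytes is not an image; the original's
            // ReadByte() threw EndOfStreamException here and leaked the temp file.
            if (read == header.Length)
            {
                foreach (byte[] sig in AllowedSignatures)
                {
                    if (sig[0] == header[0] && sig[1] == header[1])
                    {
                        allowed = true;
                        break;
                    }
                }
            }
        }
        finally
        {
            // Remove the staged copy on rejection and on any exception above.
            if (!allowed && System.IO.File.Exists(newFile))
            {
                System.IO.File.Delete(newFile);
            }
        }

        return allowed ? newFile : "";
    }
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server"></head>
<body>
    <form id="form1" runat="server">
        <asp:FileUpload ID="FuImg" runat="server" />
        <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="上传测试" />
        <asp:Image ID="Img" runat="server" />
    </form>
</body>
</html>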

