"For reasons beyond my comprehension," Kristof writes, "one of my coworkers has managed to keep his job after more than eighteen months of messing about. His latest project was to build an import feature in the admin module of our web application. The idea behind the feature was that the administrators could upload a tab-delimited text file containing a list of products, and the application would insert or update the products in the database."

"Of course, the import feature required some pretty basic validation," Kristof continued. "Is it actually a text file? Is it tab delimited? Are the columns correct? And so on."

"To solve this, my colleague figured the best way was to verify that the uploaded file's name had the correct extension of .txt. It's a decent first step that one would normally code as follows."

// Path.GetExtension returns the extension including the leading period (".txt"),
// or an empty string when the name has none, so the comparison must include the dot.
if (System.IO.Path.GetExtension(fileName).ToLower() == ".txt")
{
    // The extension is OK. Proceed with the rest of the validation
}
else
{
    // Incorrect extension. Show error message.
}

"My colleague, on the other hand, came up with this."

string InvalidExtensions = ".exe;.dll;.com;.bat;.ini;.sys;.aspx;"
   + ".asp;.php;.htw;.ida;.idq;.asp;.cer;.cdx;.asa;.htr;.idc;.shtm;"
   + ".shtml;.stm;.printer;.asax;.ascx;.ashx;.asmx;.aspx;.axd;.rem;"
   + ".soap;.config;.cs;.csproj;.vb;.vbproj;.webinfo;.licx;.resx;"
   + ".resources;.vsdisco;";

if (!InvalidExtensions.Contains(fileName.ToString().Substring(fileName.ToString().LastIndexOf("."))))
{
    // The extension is OK. Proceed with the rest of the validation
}
else
{
    // Incorrect extension. Show error message.
}

"That's right," Kristof wrote. "He put a very limited list of invalid extensions in a string, and then made sure that the extension of the uploaded file was not in that list."

He added, "When I asked my colleague what would happen if someone uploaded a .doc file or a .pdf file, he replied 'Oh yeah, you're right... I should add those to the list as well!' I was stupefied."
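The story contrasts a deny list of extensions with an allow list of the one extension the import actually accepts. The following program is an added example, not code from Kristof or his colleague; it reproduces the shape of the deny-list check with an abbreviated list so its failure modes can be observed side by side with an allow-list check, and it adds a content check because the file name only records what the client claims, not what the bytes are. The class and method names, the sample file names and the sample file contents are constructed for this illustration.

```csharp
using System;
using System.IO;
using System.Text;

// Added example (not from the original article): deny list vs. allow list
// for the .txt import described above, plus a check on the file's contents.
static class ImportValidation
{
    // Abbreviated copy of the colleague's deny list, kept only to show its behaviour.
    static readonly string InvalidExtensions = ".exe;.dll;.com;.bat;.aspx;.asp;.config;";

    // Mirrors the deny-list check from the story.
    // string.Contains is case-sensitive, so "products.EXE" slips through, and
    // LastIndexOf returns -1 for a name without a dot, so Substring throws.
    public static bool DenyListAccepts(string fileName)
    {
        return !InvalidExtensions.Contains(fileName.Substring(fileName.LastIndexOf(".")));
    }

    // Allow-list check: the import accepts exactly one extension.
    // Path.GetExtension returns ".txt" (with the dot) or "" when there is none.
    public static bool AllowListAccepts(string fileName)
    {
        string ext = Path.GetExtension(fileName);
        return string.Equals(ext, ".txt", StringComparison.OrdinalIgnoreCase);
    }

    // The extension is a claim made by the uploader; the bytes are the evidence.
    // Requires strictly valid UTF-8, no NUL bytes, and the expected column count on every line.
    public static bool LooksLikeTabDelimitedText(byte[] content, int expectedColumns)
    {
        string text;
        try
        {
            // throwOnInvalidBytes = true makes GetString reject malformed UTF-8
            text = new UTF8Encoding(false, true).GetString(content);
        }
        catch (DecoderFallbackException)
        {
            return false;
        }
        if (text.IndexOf('\0') >= 0)
        {
            return false;
        }
        string[] lines = text.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
        if (lines.Length == 0)
        {
            return false;
        }
        foreach (string line in lines)
        {
            if (line.Split('\t').Length != expectedColumns)
            {
                return false;
            }
        }
        return true;
    }

    static void Main()
    {
        // Constructed file names covering the cases the story raises and a few it does not.
        string[] names = { "products.txt", "products.TXT", "products.EXE", "products.doc", "products.txt.exe", "products" };
        foreach (string n in names)
        {
            string deny;
            try
            {
                deny = DenyListAccepts(n).ToString();
            }
            catch (ArgumentOutOfRangeException)
            {
                deny = "exception";
            }
            Console.WriteLine($"{n,-18} deny-list: {deny,-9} allow-list: {AllowListAccepts(n)}");
        }

        // Constructed sample contents: a well-formed three-column product list and a binary blob.
        byte[] good = Encoding.UTF8.GetBytes("sku\tname\tprice\n1001\tWidget\t9.99\n");
        byte[] bad = { 0x4D, 0x5A, 0x90, 0x00 };
        Console.WriteLine($"good content accepted: {LooksLikeTabDelimitedText(good, 3)}");
        Console.WriteLine($"binary content accepted: {LooksLikeTabDelimitedText(bad, 3)}");
    }
}
```

Running it shows the deny list accepting `products.doc` (the case Kristof raised) and `products.EXE` (a case-sensitivity gap), and throwing on a name with no extension, while the allow list gives the intended answer for every name. The content check is what actually establishes that the upload is a tab-delimited text file with the right column count, which is the validation the feature needed in the first place.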