I have an intern working on a project that will allow users to upload PDF files to a web server. The user should *only* be allowed to upload PDF files, nothing else. The intern's method for checking is to check the "ContentType" of the file to make sure it is "application/pdf". Maybe I'm way off base here, but can't that be faked? It seems to me that that is something that is sent from the client browser when the file is uploaded and can therefore be changed. OR does ASP figure it out by itself?