If you must accept file names as input,use the full name of the file by using System.IO.Path.GetFileName.

如果您想进一步保护您的网站：

Using Code Access Security to Restrict File I/O
An administrator can restrict an application’s file I/O to its own virtual directory hierarchy by configuring the application to run with Medium trust. In this event,.NET code access security ensures that no file access is permitted outside of the application’s virtual directory hierarchy.

You configure an application to run with Medium trust by setting the element in Web.config or Machine.config.
<trust level="Medium" />