The problem with this is, that it is also perfectly simple to un-secure your database with xp_cmdshell.

In general you should use the right tools for the right tasks.

And to use xp_cmdshell to move file handling from ASP.NET to SQL Server is the wrong decision in my opinion.

Btw, there is some useful information for those that want to secure xp_cmdshell:

http://msdn2.microsoft.com/en-us/library/aa175398(SQL.80).aspx