Flash uploader and ASP.net MVC - asp.net

I have a flash upload component I want to use to upload multiple files. I'm using it in a MVC app and what I want to happen is that the user picks the files they want to upload, it uploads them and then displays a page showing all the files they have uploaded so they can add a description and select where to save them, and then save the files.
At the moment when files are uploaded the flash component calls a controller to process the files, this bit works fine, I can get the uploaded files and do what I like with them. The problem is that I cannot just redirect to a View once the controller's done its work, because it's the flash component calling the controller, not the page, and so nothing happens when you try and do that.
I had attempted to save the files in the session and then forward the user on completion of the upload using some code in the flash actionscript, this however does not work, the session always turns up null. I had also considered actually saving the files to a temp location and then on the displaying page just listing all files in the temp location, but this is then going to involve saving the files twice, once to the temp directory and then to the actual place the user wants to put them, which I assume will be slow.
Any thoughts on the best way to do this?

Is your site using cookie based authentication? If so then the flash uploader needs to include the authentication cookie when uploading otherwise the upload will be seen as coming from a new user - this would explain your null values in the session state. If you are unable to get flash to post the cookie then you'll have to identify the user within the upload URL.
You should keep session state to a minimum or even better not use it at all, so storing large amounts of data such as images in it is a bad idea.
With our applications we save all uploaded files to the database and then give them a unique Guid that is then used to retrieve/display them later. Within the database images could be associated with a user and in your case be marked as just uploaded so that when you redirect the user to the additional information page you know which images to display.
"but this is then going to involve saving the files twice, once to the temp directory and then to the actual place the user wants to put them"
In relation to where the files are saved on the server you should not be allowing the user to determine where the files are saved.

Related

How to make files available as a download link in asp.net?

In my asp.net website, users can upload multiple files, which reside in 'upload' folder on server's hard drive. I am saving the files by renaming them with username + original file name
Example : if I upload file 'user.text' and my code is 1000, then the file will be saved in upload folder with name '1000_user.Text'. This is for identification of file against a particular user.
Now, when admin logs in application and selects a user, he should be able to see all files uploaded by him/her. Files should be in downloadable format to him.
How can I achieve the same? I have totally no idea how to go for it?
This is not how you ask a question on SO. Anyway, already a piece of advice:
Store your files OUTSIDE of the webroot, and use a script in your website to get the files and render them to the user. This is for security reasons: if someone manages to upload a malicious file, you don't want him to be able to execute it from the web.
Store file info and upload info in a database: who uploaded what and when? Relying on file name isn't a good idea. You could also store the file in the database eventually (as a BLOB), but I prefer the good old filesystem.
I can suggest a couple of ways based on feasibility. Approach 1 - If you can make database changes, when the user is uploading a file you should save a dynamically generated filename against the user in the database. This way, when the admin logs in and wants to see all the files uploaded by a user, you just need to make a database query and show them in a grid. When the user clicks on the file name, you can fetch the file from the hard disk and allow the admin to download it.
If a database change is not feasible, your task will be more difficult. You will have to query your directory for the username in all the files. You can make use of LINQ to make this task a little easier for you. Once you have got the whole list, show it to the admin.
I would recommend you save metadata about the file in the database (like original file name and username). Then you could use this metadata to find the files that the user has uploaded. Give the files a file name on disk that is based on a unique ID in the database table. That way a user can upload several files with the same name. Make sure that this folder is not located within your application so that they are accessible with a url for security reasons.
The most recommended way to achieve this is to use a database. It is the same as a Gallery module where a user has albums and some pictures in albums. The admin can view each user's albums and the pictures in each album. You have to introduce two tables in your database: one having the category information of files being uploaded (master table) and the other table having the info about the files themselves (details table).
The other way is to create a hierarchical folder directory for each user for file categories in your application and then recursively read the directories and fields and then list them up to show them to application users. This would be costly, I guess, when the number of files increases.
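The storage scheme these answers describe (files kept outside the web root, named by a generated ID, with the uploader and original name held as metadata) can be sketched as follows. This is an added example, not code from any of the posts; UploadStore, UploadRecord and storageRoot are hypothetical names, and the dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example; UploadStore, UploadRecord and storageRoot are hypothetical names.
public sealed class UploadRecord
{
    public Guid Id;
    public string OwnerId;
    public string OriginalName;   // shown to users, never used as a path
}

public sealed class UploadStore
{
    private readonly string _root;   // assumed to lie outside the web root
    // In-memory stand-in for the database table the answers describe.
    private readonly ConcurrentDictionary<Guid, UploadRecord> _records =
        new ConcurrentDictionary<Guid, UploadRecord>();

    public UploadStore(string storageRoot)
    {
        _root = Path.GetFullPath(storageRoot);
        Directory.CreateDirectory(_root);
    }
    // The on-disk name comes only from a server-generated Guid.
    private string PathFor(Guid id) => Path.Combine(_root, id.ToString("N"));

    public Guid Save(string ownerId, string clientFileName, Stream content)
    {
        var rec = new UploadRecord { Id = Guid.NewGuid(), OwnerId = ownerId,
                                     OriginalName = Path.GetFileName(clientFileName) };
        using (var file = new FileStream(PathFor(rec.Id), FileMode.CreateNew, FileAccess.Write))
            content.CopyTo(file);
        _records[rec.Id] = rec;
        return rec.Id;
    }

    // Admin listing for one user: a metadata query, not a directory scan.
    public List<UploadRecord> ListFor(string ownerId) =>
        _records.Values.Where(r => r.OwnerId == ownerId).ToList();
    // Download handler check: null unless the requester owns the file or is an admin.
    public Stream OpenFor(Guid id, string requesterId, bool isAdmin)
    {
        if (!_records.TryGetValue(id, out var rec)) return null;
        if (!isAdmin && rec.OwnerId != requesterId) return null;
        return File.OpenRead(PathFor(id));
    }
}
```

A download page would call OpenFor with the ID from the query string and the authenticated user, and send rec.OriginalName only as the suggested download name.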

Script in .ASP to create new page on server

I want to make an ASP script that can create a new page on the webserver and tell it what content will be in the new .asp file.
How can I do that? :)
What you want to do is not to create a new page for each request. Instead you want to pre-create an ASP page that dynamically outputs a file based on the input of the user.
In your example of uploading a file to display, what you probably want to do is store the uploaded file somewhere and then create another ASP page that reads in the uploaded file and displays it using Response.binarywrite or response.write. Don't create a new ASP page for each uploaded file.
So for the sake of example, you would create an ASP script called "DisplayUploadedFile.asp". The code inside it would read in the file (wherever you are storing it on the server, for example in a DB) and then write it back out. The users would hit the same page regardless of which uploaded file they wanted to see, with a parameter telling the script which to display. For example DisplayUploadedFile.asp?fileID=12
CAUTION: It is extremely dangerous security-wise to let users upload content that is displayed to other users. Don't do this unless you understand at a very high level what steps are necessary to make this functionality secure. Based on your question, I think it might be prudent to get a more senior programmer to review your solution before you publish it.

In which folder can I store user uploaded images

I've a classified ads system on ASP.NET/c#/MS SQL, and I'm trying to figure out where to store the images that people upload when placing an ad. The ad itself is being stored in a SQL server database.
The images are now being stored in a subfolder of my webapp. It seems to work fine, however I only recently discovered a big problem. Every time a user deletes an ad, the attached images are to be deleted as well, including the folder they reside in. This leads to a restart of the asp.net application. I searched the internet and found that restarting the web-app is actually intended behaviour when a subfolder is being deleted.
Obviously, I need to fix this. But how to do that? Where can I store images in such a way that:
I can remove these images including the folders they are stored in?
I can access them using a URL (the images need to be shown in the webpages)
Without getting the web-app being restarted?
Any feedback is appreciated!
Paul
See this question: Deleting a directory results in application restart
Another alternative would be to store the images in the DB instead.
Another option would be to put the images in a directory completely unrelated to the web site then serve the images through a scripted page or handler. It would make all of your image urls look like mydomaincom/serveimage.aspx?imageid=323422, but unless you're counting on the name somewhere that really shouldn't matter much. Obviously it would require a modification to the page that serves the images in the first place as well, but if sub directories of this unrelated directory are deleted IIS really shouldn't care at all.
maybe you can store the images in SQL (check at the filestream feature in this case)
if not, I suppose you have somewhere in a business facade class, a service class or wherever you want, a method "DeleteAd".
This method will have to do two things :
-delete the sql data
-delete the file image
also, you may change the image store to another folder, outside the web app. You will probably end with writing a custom handler (myhandler.ashx?fileid=XX) to serve the files, or a custom route and control if you use MVC.

How should i browse an image file and save at server in asp.net

I have one requirement from client where they want to browse and save their choice Logo image in a website which I am developing.
Really I don't know how it happens, and is there any issue like security I need to consider while implementing this logic?
Please help me to solve
1. How will the user (client) browse the image file and where should I store that file on the server?
2. Every individual user can browse a file of different size and different name; how can I manage this at the server side so that the image appears at the right place and in the right manner?
3. Where should I store the image corresponding to the user id on the server, i.e. in a database or a file?
4. Is there any security issue / folder rights when saving a file on the server?
Please help?
asp.net has a built in file upload control.. that should be all you need
http://msdn.microsoft.com/en-us/library/aa479405.aspx
https://web.archive.org/web/20211020140211/https://www.4guysfromrolla.com/webtech/091201-1.shtml
http://ondotnet.com/pub/a/dotnet/2002/04/01/asp.html
There are also some awesome Third Party controls that have far more power... I happen to like the RadUpload
1. This is all dealt with by the built in controls
2. Not sure what you're asking in question 2
3. If images are user specific, then you should store them in some unique file (I personally prefer using the UniqueIdentifier of the UserID in the Membership Provider... It's harder to "crack" than an ID number (depending on how hidden these images need to be))... you could also store in the database if you need to keep the images completely away from the application so that they cannot be accessed outside of your application.
4. The application needs to have write permissions to the folder that you're storing the images in if you choose to store in a folder instead of the database.

Securing Individual Files in ASP.NET

I have a scenario where a user will have access to a one-time-url.
When the user clicks on the URL, specific files will be available to that user.
I have many files on the site but would only like certain files to be accessible by that user.
I have thought about generating an authenticated cookie and using forms based auth and applying permissions to a certain folder, but I need authorization on individual files, and the files will constantly be changing.
What would be the best way to give a user only access to specific files? (I won't display the other files, but I still do not want other files available if they are typed in the URL)
I would create an .ashx (handler file) and have that serve the files to the user (load into memory and then write the contents out by pushing the file to the content stream). That way the end user never has permissions to the actual files on the system but can still access them. Your code can then control when and how long each file is available to a user.
I would provide an abstraction around the actual file retrieval. That way the user never sees file name. Something like www.example.com/File.aspx?id=SOMERANDOMGUID
That RANDOMGUID could reference a file in the back end.
If you have lots of disk space, one way to accomplish this is to copy the files to a randomly-generated folder, so that the URL to a user's files is unique for each user.
I think it would be easier if your files are associated with an ID and the path is kept in the database. This way you can pull the files using the ID.
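An added example (not code from the answers) of the handler-side checks described above: a one-time link token that is exchanged for a session restricted to specific file IDs. FileGrants and its members are hypothetical names, the dictionaries stand in for database tables, and the token is 256 random bits from RandomNumberGenerator rather than the GUID one answer mentions; the lifetime passed to IssueLink bounds both the link and the session it creates.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example; FileGrants and its members are hypothetical names.
public sealed class FileGrants
{
    private sealed class Grant
    {
        public HashSet<Guid> FileIds;
        public DateTime ExpiresUtc;
    }
    // In-memory stand-ins for database tables.
    private readonly ConcurrentDictionary<string, Grant> _links =
        new ConcurrentDictionary<string, Grant>();
    private readonly ConcurrentDictionary<string, Grant> _sessions =
        new ConcurrentDictionary<string, Grant>();

    private static string NewToken()
    {
        var bytes = new byte[32];   // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    // Create the one-time URL token for a fixed set of file ids.
    public string IssueLink(IEnumerable<Guid> fileIds, TimeSpan lifetime)
    {
        string token = NewToken();
        _links[token] = new Grant { FileIds = new HashSet<Guid>(fileIds),
                                    ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // TryRemove makes redemption atomic: a second request with the same token gets null.
    // On success the caller stores the returned session value in a cookie.
    public string RedeemLink(string token)
    {
        if (token == null || !_links.TryRemove(token, out var g)) return null;
        if (DateTime.UtcNow > g.ExpiresUtc) return null;
        string session = NewToken();
        _sessions[session] = g;
        return session;
    }

    // The file handler calls this before streaming anything.
    public bool CanRead(string session, Guid fileId) =>
        session != null && _sessions.TryGetValue(session, out var g)
        && DateTime.UtcNow <= g.ExpiresUtc && g.FileIds.Contains(fileId);
}
```

Because every request goes through CanRead, a file ID typed into the URL by hand is refused unless it is in the set the link was issued for.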
