Deleting Application Temp File from ASP.Net - asp.net

I have a WebPage where I am giving the option to Export the Form data to PDF. I am creating the PDF at run time and storing the PDF in a "PDF" folder which is under my application directory. After creating the PDF with the SessionID name, I call the following function to show the PDF file in the new browser window:
ResponseHelper.Redirect(Response, "~/PDF/" + Session.SessionID + ".pdf", "_Blank", "");
This PDF contains the private information related to the logged in user. Therefore, I want a way to delete this PDF file once it is shown in the browser to the user. This is because the IIS server allows the whole development team to view this folder, which is a security risk, and we can't disallow users from viewing this folder on the server.
Therefore, deleting this file as soon as it is loaded in the browser could be a solution to this security risk.
Can anyone suggest some better ways of deleting this file as soon as possible from the application?
Thanks,
Praveen

What I guess is that you are creating the PDF file at runtime using iText and then saving that PDF file in a temp directory to show it to the user... Why don't you use
Response.WriteFile(PDFFILE);
This will write the whole file to the stream without saving it in the temp folder.

One way is to write an ashx handler which streams the pdf to the browser, then deletes it when done.
Another, and much better way, is to simply build the PDF in memory (NOT using session) and stream it as soon as it's ready.
UPDATE
I'm doing this with a slightly modified version of iTextSharp. Basically, iTextSharp performed all of its operations in memory, then saved the file to disk. I changed this to return the memory stream. All the code is already there, it was really just a line or two that had to change.
Then, I used a response.binarywrite to push the stream directly to the browser. Voilà! No files on disk.
An ashx handler is just like an aspx page, only it has one entry point and doesn't do all of the page processing garbage. It's lightweight and communicates back to the browser by response.write calls.
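The in-memory approach from the answer above, sketched as an added example that is not code from the original posts. It assumes stock iTextSharp 5, whose PdfWriter.GetInstance accepts any Stream, rather than the answerer's modified build; the handler name, the file name in the header and the PDF content are placeholders.

```csharp
using System.IO;
using System.Web;
using iTextSharp.text;
using iTextSharp.text.pdf;

// Hypothetical handler, e.g. mapped to ExportPdf.ashx; the name is an assumption.
public class ExportPdfHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // The document is built for the authenticated caller only.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        byte[] pdf = BuildPdf(context.User.Identity.Name);

        HttpResponse response = context.Response;
        response.Clear();
        response.ContentType = "application/pdf";
        response.AddHeader("Content-Disposition", "inline; filename=export.pdf");
        // Keep the private document out of shared and browser caches.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.BinaryWrite(pdf);   // bytes go straight to the client, never to ~/PDF/
    }

    // Placeholder content: the real form fields would be added here.
    private static byte[] BuildPdf(string userName)
    {
        using (MemoryStream buffer = new MemoryStream())
        {
            Document doc = new Document();
            PdfWriter.GetInstance(doc, buffer);   // write into memory instead of a FileStream
            doc.Open();
            doc.Add(new Paragraph("Export for " + userName));
            doc.Close();                          // flushes the PDF trailer into the buffer
            return buffer.ToArray();              // ToArray still works after the stream is closed
        }
    }
}
```

Because nothing is written under the application directory, there is no per-session file for anyone with folder access to read and nothing to clean up afterwards.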

Related

Determining .exe file in time of upload

I have developed a File Upload web page in ASP.NET. Now a user can rename a .exe file to .txt or some other extension and upload the same. I want to restrict that. How can I implement that in ASP.NET?
The only safe way to do this is to get the byte [] from the file that has been posted and examine it to determine if the file is indeed in one of the formats you allow the user to upload. You don't need to save the file, you can just get the byte[] from the HttpPostedFile object.
Other than examining the content (looking for magic numbers, for example) there isn't an infallible way to make sure that the user is not attempting to upload something that you don't allow.
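A content check of the kind this answer describes, as an added example that is not from the original post. The class name and the three-format allow-list are assumptions; the signatures themselves are the standard leading bytes of PDF, PNG and JPEG files.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Web;

public static class UploadSniffer
{
    // Leading bytes of the only formats this (hypothetical) application accepts.
    private static readonly Dictionary<string, byte[]> Allowed = new Dictionary<string, byte[]>
    {
        { "pdf",  new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } },                   // %PDF-
        { "png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { "jpeg", new byte[] { 0xFF, 0xD8, 0xFF } }
    };

    // Returns the matched format name, or null when the content matches nothing allowed.
    public static string DetectAllowedType(HttpPostedFile file)
    {
        byte[] head = new byte[8];
        Stream input = file.InputStream;
        input.Position = 0;
        int filled = 0, n;
        // Read may return fewer bytes than requested, so loop until full or end of stream.
        while (filled < head.Length && (n = input.Read(head, filled, head.Length - filled)) > 0)
            filled += n;
        input.Position = 0;   // rewind so later processing sees the whole upload

        foreach (KeyValuePair<string, byte[]> entry in Allowed)
            if (StartsWith(head, filled, entry.Value))
                return entry.Key;
        return null;          // includes renamed executables, whose content starts with "MZ"
    }

    private static bool StartsWith(byte[] data, int length, byte[] prefix)
    {
        if (length < prefix.Length) return false;
        for (int i = 0; i < prefix.Length; i++)
            if (data[i] != prefix[i]) return false;
        return true;
    }
}
```

The check deliberately ignores the file name and the client-supplied ContentType, since the uploader controls both; a matching prefix shows only what the file starts with, not that the rest of it is well-formed.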

Script in .ASP to create new page on server

I want to make an ASP script that can create a new page on the webserver and tell it what content will be in the new .asp file.
How can I do that? :)
What you want to do is not to create a new page for each request. Instead you want to pre-create an ASP page that dynamically outputs a file based on the input of the user.
In your example of uploading a file to display, what you probably want to do is store the uploaded file somewhere and then create another ASP page that reads in the uploaded file and displays it using Response.binarywrite or response.write. Don't create a new ASP page for each uploaded file.
So for the sake of example, you would create an ASP script called "DisplayUploadedFile.asp". The code inside it would read in the file (wherever you are storing it on the server, for example in a DB) and then write it back out. The users would hit the same page regardless of which uploaded file they wanted to see, with a parameter telling the script which to display. For example DisplayUploadedFile.asp?fileID=12
CAUTION: It is extremely dangerous security-wise to let users upload content that is displayed to other users. Don't do this unless you understand at a very high level what steps are necessary to make this functionality secure. Based on your question, I think it might be prudent to get a more senior programmer to review your solution before you publish it.

ASP.NET File Upload without storing on the server

I have an ASP.NET 2 application and would like users to upload a file to be processed immediately. The file never needs to be used again, so I don't care to store it on the server as a file somewhere, which hopefully will make it more secure on our end.
Basically, they upload an excel file and I process it and display some results. I do not care to save that excel file for later.
How can I do this?
You can hold the file contents in a MemoryStream.
This will ensure it is not saved to disk.
See What is the best practice for storing a file upload to a MemoryStream (C#)? for details.

Open File Dialog Asp.Net

I am creating an excel report in vb.net using the office interop. When the report is completed I am saving the excel file on the C drive. The users have asked to save the file anywhere they want, not just the C drive. Can someone give me some code to pop up an open file dialog in asp.net?
I want the dialog to pop up as a saveAs in ASP.NET. I know how to do it in win forms, but I am creating an excel report in asp.net and calling the worksheet object's SaveAs property that accepts a fileName. So right now I just hardcode a file name in there. The users want to choose a file location.
I think what you want is actually rather simple.
You can't save a file to the user's computer due to security restrictions (would you want a website saving a file to your computer?)
What you need to do is:
Complete report
Save report file to location on server, IE (.../myWebsite/files/GUID/myReport.rpt)
Display link on next screen pointing to the report file
Doing this the user can right-click and save the file to wherever they want on their computer.
You can clean up these files on whatever schedule you would like.
Assuming you are actually talking about a desktop, winforms app then you can use the built in FileSaveDialog.
Official documentation is here:
http://msdn.microsoft.com/en-us/library/system.windows.forms.savefiledialog.aspx
but there are tons of tutorials explaining it out there:
http://www.google.co.uk/search?q=vb.net+savefiledialog
You can serve files with the Open / Save dialog by using Response.TransmitFile().
The user is then presented with a save as dialog where they can choose the filename and the location on their computer.
You normally do this inside a HttpHandler. A simple one is described here:
http://blogs.msdn.com/petel/archive/2005/12/01/499189.aspx

Flash uploader and ASP.net MVC

I have a flash upload component I want to use to upload multiple files. I'm using it in a MVC app and what I want to happen is that the user picks the files they want to upload, it uploads them and then displays a page showing all the files they have uploaded so they can add a description and select where to save them, and then save the files.
At the moment when files are uploaded the flash component calls a controller to process the files, this bit works fine, I can get the uploaded files and do what I like with them. The problem is that I cannot just redirect to a View once the controller's done its work, because it's the flash component calling the controller, not the page, and so nothing happens when you try and do that.
I had attempted to save the files in the session and then forward the user on completion of the upload using some code in the flash actionscript, this however does not work, the session always turns up null. I had also considered actually saving the files to a temp location and then on the displaying page just listing all files in the temp location, but this is then going to involve saving the files twice, once to the temp directory and then to the actual place the user wants to put them, which I assume will be slow.
Any thoughts on the best way to do this?
Is your site using cookie based authentication? If so then the flash uploader needs to include the authentication cookie when uploading otherwise the upload will be seen as coming from a new user - this would explain your null values in the session state. If you are unable to get flash to post the cookie then you'll have to identify the user within the upload URL.
You should keep session state to a minimum or even better not use it at all, so storing large amounts of data such as images in it is a bad idea.
With our applications we save all uploaded files to the database and then give them a unique Guid that is then used to retrieve/display them later. Within the database images could be associated with a user and in your case be marked as just uploaded so that when you redirect the user to the additional information page you know which images to display.
"but this is then going to involve saving the files twice, once to the temp directory and then to the actual place the user wants to put them"
In relation to where the files are saved on the server you should not be allowing the user to determine where the files are saved.
