Solved

Upload image in non web accessible folder

Posted on 2004-03-30
Last Modified: 2008-02-01
Hi experts,

We are developing a website where we enable users to upload images on our server. Right now I am storing the image in our database, without having an actual copy of it on our server. However, for creating the proofs, the customer needs the actual jpg/gif files.

The web hosting company only has ASP SimpleUpload installed, and they don't allow anonymous uploads to the server. They did mention that we could use a non web accessible folder, upload our images there, and later on move that image to the desired folder.

I just wanted to know a little more about what non web accessible folders are, how they provide the security over other folders, and how I can use them in my situation.

Would this code work to upload the file to the folder?
Dim File
  For Each File In MyUploader.Files.Items
    File.SaveToDisk Server.Mappath("../uploadimage") 'to store image in uploadimage folder
  Next

And then to move the file, I could use
<%
Dim fso

set fso = Server.CreateObject("Scripting.FileSystemObject")
fso.MoveFile "C:\source.txt", "C:\anotherfolder\source.txt"

Set fso = Nothing
%>

Do I really need to use ASP Simple Upload, or do I need to ask for other components?

Thanks in advance

Question by:poshlivin
9 Comments
 
LVL 28

Assisted Solution

by:sybe
sybe earned 50 total points
ID: 10714284
Dim File

For Each File In MyUploader.Files.Items
    File.SaveToDisk "C:\temp"  
Next
0
 
LVL 11

Accepted Solution

by:
mouatts earned 250 total points
ID: 10715100
A non web accessible folder is more secure than a web accessible one because it is outside of the root/home directory of the web server and therefore it is impossible for someone to type a URL into a browser to get to the directory even with ../ etc in it. For this same reason commands such as server.mappath will never work with it (the use in your example is fine).

For example if the server root is set to d:\websites\www then d:\websites\data is inaccessible (you can't use ../data in a URL because so far as the server is concerned there is nowhere to go above www).

The gist of your code (or sybe's) should be fine but I question slightly what your host is saying about not allowing anonymous uploads. I guess they could be saying that none of the directories within your site will have write access from the webserver. In which case sybe's code would work but yours wouldn't. I am assuming this as opposed to something more sophisticated like restricting access to the component itself to a non anonymous account (I can't quite get my head around that but I suspect that it can be done).

If I am correct in this assumption then any upload component or the ADO Stream method of uploading (and these are your only choices) is going to be similarly restricted.

If you've got a working component then you may as well use it.

HTH
Steve


0
 

Author Comment

by:poshlivin
ID: 10715360
Thanks for the info. There is a little more I want to clarify - would my ASP pages be able to upload into the non web accessible folder?

If so, I guess Sybe's code would work right? And I should also be able to move from that folder onto my website folder, right?
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10715474
If your hosts are simply not allowing any of your web accessible folders to have write access then yes you should be able to upload into the non accessible ones in the way sybe has suggested. But you will not be able to copy from there to your accessible ones with ASP because the server doesn't have write access!

You could still get to them and even display the images using the ADO Stream method I mentioned earlier to output them but it doesn't seem like a very suitable approach to be honest.

I'd suggest that you give it a test yourself with the host just to check that the comment about non-accessible folders is indeed correct.

Steve
0
 

Author Comment

by:poshlivin
ID: 10716991
The web admin said he has restricted browser access to the folder UploadedFile, but only given write and execute permissions to it.

Would that be good enough to allow uploads?
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10718129
Yes that should be OK although it's a bit dodgy allowing write and execute permissions but that's his problem.

Steve
0
 

Author Comment

by:poshlivin
ID: 10718178
So now I used the code

 For Each File In MyUploader.Files.Items
    File.SaveToDisk ("UploadedFile") 'to store image in uploadimage folder
  Next

I have set a prompt to list all the file names and sizes uploaded.
Although I see those prompts, the file never gets written :(
0
 

Author Comment

by:poshlivin
ID: 10718617
My mistake....
I used Server.MapPath instead of just the file name, and it's uploading the file alright!

Just one more question (and I am raising points on this)

How do I dynamically create a folder through ASP on my server?
Say user1 uploads an image - then I have to create a folder in his name and then move the files from the non web accessible folder to his folder. Is it possible?

Thanks
0
 
LVL 11

Expert Comment

by:mouatts
ID: 10719289
use the filesystemobject method of createfolder eg
fso.createfolder(foldername)

this will generate an error if the folder already exists so you need to check for its existence first with fso.folderexists(foldername)

HTH
Steve
0
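
The folder-per-user step discussed above, written out as an added example (not code from the thread or from any poster): it checks the user name and file name before they reach a path, applies the FolderExists check before CreateFolder, and only moves jpg/gif files out of the staging folder. STAGING_DIR, USER_ROOT and both function names are hypothetical, and it assumes the host has granted write permission on the destination folder.

```vbscript
<%
Option Explicit

' Assumed locations (hypothetical, not from the thread):
' STAGING_DIR lies outside the web root; USER_ROOT is a virtual folder the host made writable.
Const STAGING_DIR = "D:\websites\data\uploads"
Const USER_ROOT = "/userimages"

' Accept only short names made of letters, digits, "_" and "-", so the
' value can never contain "..", "\", "/" or ":" when it is used in a path.
Function IsSafeName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,32}$"
    IsSafeName = re.Test(name)
End Function

' Moves one staged upload into the user's folder.
' Returns the new physical path, or "" if the request is refused.
Function MoveToUserFolder(userName, uploadedName)
    Dim fso, fileName, ext, src, destDir, dest
    MoveToUserFolder = ""
    Set fso = Server.CreateObject("Scripting.FileSystemObject")

    fileName = fso.GetFileName(uploadedName)      ' drop any client-supplied directory part
    ext = LCase(fso.GetExtensionName(fileName))

    If Not IsSafeName(userName) Then Exit Function
    If Not IsSafeName(fso.GetBaseName(fileName)) Then Exit Function
    ' Images only: keeps scripts such as .asp out of a folder that has execute permission.
    If ext <> "jpg" And ext <> "gif" Then Exit Function

    src = fso.BuildPath(STAGING_DIR, fileName)
    If Not fso.FileExists(src) Then Exit Function

    destDir = fso.BuildPath(Server.MapPath(USER_ROOT), userName)
    ' CreateFolder raises an error if the folder already exists, so check first.
    If Not fso.FolderExists(destDir) Then fso.CreateFolder destDir

    dest = fso.BuildPath(destDir, fileName)
    If fso.FileExists(dest) Then Exit Function    ' MoveFile errors on an existing target
    fso.MoveFile src, dest
    MoveToUserFolder = dest
End Function
%>
```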
