Solved

Open file from outside the web root folder

Posted on 2004-08-25
14
745 Views
Last Modified: 2008-02-01
Hi,

We have website designed in ASP and MS SQL Server 2000. We have some confidential documents which were placed outside the web root folder. For security reasons we put the documents folder out side the web.

For ex: Our web folder location : D:\Inetpub\wwwroot\xxxwebsite
            Our documents location : D:\documents

All ASP Pages are in xxxwebsite folder. I want to open the file (i.e pdf/doc/xls/etc) from D:\Documents directory using ASP page

How do I do this?

Please help on this.

Thanks,
0
Comment
Question by:AKantareddy
  • 3
  • 3
  • 2
  • +2
14 Comments
 
LVL 3

Expert Comment

by:Ayesha_K
ID: 11892287
if YOU can open your file through an application means any internet guest user can ... so that means security is as much as u have in wwwroot folder ....

you can have two solutions

1- keep you files in the database

2- copy the file you want to view in a temp folder in wwwroot ... view and after viewing ... delete the file from there

oh ... and a third solution ...

3- create a VB dll that access the PC as an admin or desktop user ... call the dll from your ASP page to open the file ... this way desktop will think that some desktop user is opening the file not the internet user.

Regards
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 11892297
You will have to use streaming--here is an example:

<%
Function downloadFile( strFile, strDownloadFilename )
     Dim strFilename,objStream,objFilesystem,objFilestream
     Dim intFileLength
     ' get full path of specified file
     strFilename = FullPath
     ' clear the buffer
     Response.Buffer = True
     Response.Clear

     ' create stream
     Set objStream = Server.CreateObject("ADODB.Stream")
     objStream.Open

     ' set as binary
     objStream.Type = 1

     ' check the file exists
     Set objFilesystem = Server.CreateObject("Scripting.FileSystemObject")
     if not objFilesystem.FileExists(strFilename) then
          Response.Write("<h1>Error</h1>: " & strFilename & " does not exist<p>")
          Response.End
     end if


     ' get length of file
     Set objFilestream = objFilesystem.GetFile( strFilename )
     intFilelength = objFilestream.size
 
     objStream.LoadFromFile( strFilename )
     if err then
          Response.Write("<h1>Error: </h1>" & err.Description & "<p>")
          Response.End
     end if
     
     'format strFileName
     if Len( Trim(strDownloadFilename) ) > 0 then
          strDownloadFilename = Trim( strDownloadFilename )
     else
          strDownloadFilename = objFilestream.name
     end if
'     Response.ContentType = "SENTREnet"

     ' send the headers to the users browser
     Response.AddHeader "Content-Disposition", "attachment; filename=" & strDownloadFilename
     Response.AddHeader "Content-Length", intFilelength
     Response.Charset = "UTF-8"
     dim i
      for i = 0 to objFilestream.size
            i = i + 128000
            Response.BinaryWrite(objFilestream.Read(128000))
            Response.Flush
      next

     ' output the file to the browser
     'Response.BinaryWrite objStream.Read
     'Response.Flush

     ' tidy up
     objFilestream.Close
     Set objFilestream = Nothing
End Function
%>
</HEAD>
<%
Call downloadFile( Replace( Request("FILE") ,"/","\"), Request("FILENAME") )
'Response.Write (Request("FILE")  & "----" & Request("FILENAME") )
%>
0
 
LVL 3

Expert Comment

by:dwaldner
ID: 11893181
Streaming, as FtB suggested, is your best bet.  This will ensure your security structure remains intact.

Dan
0
 

Author Comment

by:AKantareddy
ID: 11893405

I tried with ADODB.stream method which FtB mentioned

But the files are reading from the physical path (i.e. D:\documents\test.pdf).

1) My web folder directory is D:\Inetpub\wwwroot\xxxwebsite. and I want to read the file from  D:\documents\test.pdf. I tried but it does not read.
strFilename  = " D:\documents\test.pdf"

2) I placed the test.pdf file in D:\Inetpub\wwwroot\xxxwebsite. and tried with physical path.
It didn't work.
strFilename  = " D:\Inetpub\wwwroot\xxxwebsite\test.pdf"

3) I tried with Server.Mappath("test.pdf") then it worked fine.
strFilename  = "Server.Mappath("test.pdf")

But I want to read the file only from physical path since it is out side the web folder.

Thanks,
Arun
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 11893520
What do you get if you do:

response.write Server.Mappath("test.pdf")


FtB
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 11893545
I am asking because server.MapPath() should return a physical path, and you should be able to use that here. Let's try within the web directory first. Once we get that working, we can remove to a remote directory. I have used this in a few different applications where we had the same security concerns.

FtB
0
 
LVL 15

Expert Comment

by:joeposter649
ID: 11894885
<<I tried but it does not read. strFilename  = " D:\documents\test.pdf">>
Do you get an error?  
Does iusr_machine have premission to access the file?
0
 
LVL 3

Accepted Solution

by:
dwaldner earned 25 total points
ID: 11894942
Try this, as I have done the exact same thing, and it works fine:
<%
    file = "D:\documents\test.pdf"  
    Dim objStream
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = 1
    objStream.Open
    objStream.LoadFromFile(file)
    Response.AddHeader "Content-Disposition", "attachment;filename=""test.pdf"""
    Response.ContentType = "APPLICATION/OCTET-STREAM"                                                                                                                              
    Response.BinaryWrite objStream.Read
    objStream.Close
    Set objStream = Nothing
  %>
0
 

Author Comment

by:AKantareddy
ID: 11895687
Hi dwaldner,

Thanks for you response

I tried your code. It is not giving any error

But it displays the file download dialog box to open the file

I clicked on open button and it asked to selected from the program list

I selected open thru Adobe PDF then it opened the file

How can we open without displaying the dialog box

Thanks,
0
 
LVL 15

Assisted Solution

by:joeposter649
joeposter649 earned 25 total points
ID: 11895790
Get rid of the response.addheader and change the content type to Response.ContentType="application/pdf"
0
 

Author Comment

by:AKantareddy
ID: 11897119

Thanks,

I tried opening PDF, DOC, XLS, TXT files. They are working fine

Thank you for all

0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now