K Feening (Australia) asked:

Aspx href Menu going to wrong folder vb.net

Hi 

I am running the code below (aspx, vb.net).

Data for path stored in Database as ../Data/ then file name & extension

Docpath = ../Data/file.pdf works fine displays pdf file

Docpath1 = ../Data/file.txt works fine displays txt file 

Docpath2 = ../Data/file.xlsx tries to open in wrong folder

Docpath3 = ../Data/file.docx tries to open in wrong folder 

Both errors go to the wrong directory.

What is required to run all xlsx, docx, PowerPoint, wave files etc.?

<li><a href="#"><i class="fa fa-book"></i>Documents</a>
    <div class="sub-menu-1">
        <ul class="sub-menu">
            <%="" %>
            <%  Dim len As Integer = DocDesc.Length
                If len > 0 Then %>
            <li class="menu-item"><a href="YearEnd.aspx">Document Update</a></li>
            <% End If %>
            <%  len = DocDesc.Length
                If len > 0 Then %>
            <li class="test"><a target="_blank" href='<%=DocPath%>'><%=DocDesc%></a></li>
            <% End If %>
            <%  len = DocDesc1.Length
                If len > 0 Then %>
            <li class="Test"><a target="_blank" href='<%=DocPath1%>'><%=DocDesc1%></a></li>
            <% End If %>
            <%  len = DocDesc2.Length
                If len > 0 Then %>
            <li class="test"><a target="_blank" href='<%=DocPath2%>'><%=DocDesc2%></a></li>
            <% End If %>
            <%  len = DocDesc3.Length
                If len > 0 Then %>
            <li class="test"><a target="_blank" href='<%=DocPath3%>'><%=DocDesc3%></a></li>
            <% End If %>
            <%  len = DocDesc4.Length
                If len > 0 Then %>
            <li class="test"><a target="_blank" href='<%=DocPath4%>'><%=DocDesc4%></a></li>
            <% End If %>
            <%  len = DocDesc5.Length
                If len > 0 Then %>
            <li class="test"><a target="_blank" href='<%=DocPath5%>'><%=DocDesc5%></a></li>
            <% End If %>
        </ul>
    </div>
</li>


Tags: ASP.NET, Visual Basic.NET, HTML

Last comment: ste5an, 8/22/2022 - Mon

ste5an

First of all, I would get rid of those directory traversals. They are never a good idea.

And then, why do you have repeating code? Remove this also by using the repeater control.
ASKER
K Feening

Hi ste5an, thanks. I hadn't used Repeater; it works better.
"First of all, I would get rid of that directory traversals. They are never a good idea.. "
What do you recommend to display the xlsx, docx, pdf etc.?

I currently store the path, description, PW and type (extension).

VB code:
Dim con1 As New SqlConnection(connString)
con1.Open()
Dim sda As New SqlDataAdapter("Select * from DocumentControl Where PW='" & Session("PW") & "'", con1)
Dim dt As New DataTable()
sda.Fill(dt)
Repeater1.DataSource = dt
Repeater1.DataBind()


HTML:
<li><a href="#"><i class="fa fa-book"></i>Documents</a>
    <div class="sub-menu-1">
        <ul class="sub-menu">
            <%  Dim len As Integer = DocDesc.Length
                If len > 0 Then %>
            <li class="menu-item"><a href="YearEnd.aspx">Document Update</a></li>
            <% End If %>

            <asp:Repeater ID="Repeater1" runat="server">
                <ItemTemplate>
                    <%-- Only an <li> is valid directly inside the <ul>; the <div><table> wrapper around it was invalid markup --%>
                    <li class="test"><a target="_blank" href='<%#Eval("DocPath")%>'><%#Eval("DocDesc")%></a></li>
                </ItemTemplate>
            </asp:Repeater>
        </ul>
    </div>
</li>



ste5an

1) Start reading about OWASP, the OWASP Top 10 and especially directory traversals. This is mandatory, must-have knowledge before you start building any web site or application.

2) Review your logic. There is no need for a length test in the view, because it's the job of the code-behind to fill the array only with valid data, thus filtering on the length at that point.

3) Never use the asterisk in production SQL. Select only the needed columns.

4) The length test should not be necessary as it should be part of the data model, so that it is impossible to store a document path without a description. The description column should be NOT NULL and have a CHECK constraint testing for length, e.g. greater than 10 non-white-space characters.

5) Always use parameters instead of SQL string concatenation, because string concatenation allows SQL injection. See OWASP again: SQL Injection.

Thus: Read OWASP first. Really, start doing it now.

So that your code-behind may look like this:

Dim sql As String = _
    "SELECT DocDescription, DocPath " & _
    "FROM DocumentControl " & _
    "WHERE NOT DocDescription IS NULL " & _
    "AND Len(DocDescription) > 0 " & _
    "AND PW = @PW;"

Dim dataTable As New DataTable()

Using connection As New SqlConnection(connString)
    Using adapter As New SqlDataAdapter(sql, connection)
        ' Add(name, type, size) returns the parameter; assign its Value here.
        ' (The four-argument Add overload takes a source column name, not a value.)
        adapter.SelectCommand.Parameters.Add("@PW", SqlDbType.VarChar, 40).Value = PW
        adapter.Fill(dataTable)   ' Fill opens and closes the connection itself
    End Using
End Using

Repeater1.DataSource = dataTable
Repeater1.DataBind()


ASKER
K Feening

ste5an, most of this wasn't explained in the online tutorials/courses I did; thank you for your advice.
The only security I did is to encrypt any passwords set up by the users.

NOTE - this is still in development and not released. I am running it on my home server and laptop only and will fix all your suggestions/advice notes before testing.

But will this correct the original question: why isn't the program running the xlsx or docx file correctly when the pdf and txt files are OK?

1.. Start reading about OWASP, the OWASP Top 10 and especially directory traversals. - Will Do
I have changed the directory traversals ../ to %2e%2e%2f; it still has the problem running xlsx and docx.

2.. The code for <%  Dim len As Integer = DocDesc.Length  If len > 0 Then %> is only to show YearEnd.aspx if there are records in the document file. It's a variable I created; it's not part of the document table. I will use a record count instead and a new variable name to make it more clear.

3..  Never use the asterisk in production SQL. Select only the needed columns. I use required columns in some of the code - Will Fix the Rest

4.. So that it is impossible to store a document path without description - The Id, Document Path, Document Name are set to Allow Nulls - NO in the database table. I hadn't used Repeater before.

5.. Always use parameters instead of SQL string concatenation. Cause string concatenation allows SQL injection. See OWASP again: SQL Injection. - I usually do; will change any versions with SQL string concatenation.

Is it safe to load Free CrashTest Security to test my project?

ste5an

1) Your path should be absolute or relative to root. It should not contain "..", because this means that it is relative to the current path.

4) When the table is properly implemented, then you don't need the additional tests in the SQL statement ("NOT DocDescription IS NULL AND Len(DocDescription) > 0").

6) CrashTest Security seems to be legit and trustworthy at first glance. But for all cloud solutions, you need to review your code first; it must not include any secrets like API credentials.
ASKER
K Feening

Thanks ste5an.
Sorry it took so long; I had a surgical procedure and have not been back to my computer.
I have checked absolute or relative to root. Absolute - localhost:####/TestData/FutureDirections.pdf works fine.
/TestData/ Test.xlsx goes to c:\Downloads folder

What am I doing / can you give me example code for opening the Excel file, or do I need to use the below to open it, and the same for PowerPoint, Word etc.?
Dim xExcel As New Microsoft.Office.Interop.Excel.Application()
xExcel.DisplayAlerts = False
Dim xlWorkBook As Microsoft.Office.Interop.Excel.Workbook
Dim xlWorkSheet As Microsoft.Office.Interop.Excel.Worksheet
Dim range As Microsoft.Office.Interop.Excel.Range





ste5an

Can you please rephrase your problem?

/TestData/ Test.xlsx goes to c:\Downloads folder
For security reasons, your site cannot control the user's local folder. This is a browser setting.
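The points ste5an makes in this thread (no ".." in stored paths, root-relative or absolute paths only, parameters instead of string concatenation, and the browser deciding where a downloaded file lands) can be combined in one place: a small ASP.NET handler that serves a document by its database id rather than putting the stored path into the href. The following is an added example written for this thread, not code from either participant. It assumes a handler file named Documents.ashx, a table DocumentControl with columns Id, DocPath and PW, a connection string named "DocDb" in web.config, Session("PW") set at login, files stored under ~/Data/, and the short list of allowed extensions shown; all of these are assumptions, not facts from the thread.

```vb
<%@ WebHandler Language="VB" Class="DocumentHandler" %>
' Added example (not from the thread). Assumed: DocumentControl(Id, DocPath, PW),
' connection string "DocDb", files under ~/Data/, Session("PW") set at login.

Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.IO
Imports System.Web
Imports System.Web.SessionState

Public Class DocumentHandler
    Implements IHttpHandler, IRequiresSessionState

    ' Only these extensions are served; anything else in the table is refused.
    Private Shared ReadOnly ContentTypes As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase) From {
        {".pdf", "application/pdf"},
        {".txt", "text/plain"},
        {".docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
        {".xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
        {".pptx", "application/vnd.openxmlformats-officedocument.presentationml.presentation"}
    }

    Public Sub ProcessRequest(context As HttpContext) Implements IHttpHandler.ProcessRequest
        Dim id As Integer
        If Not Integer.TryParse(context.Request.QueryString("id"), id) Then
            context.Response.StatusCode = 400
            Return
        End If

        Dim pw As String = TryCast(context.Session("PW"), String)
        If String.IsNullOrEmpty(pw) Then
            context.Response.StatusCode = 403
            Return
        End If

        ' Parameterised lookup: neither id nor PW ever becomes part of the SQL text.
        Dim storedPath As String = Nothing
        Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("DocDb").ConnectionString)
            Using command As New SqlCommand("SELECT DocPath FROM DocumentControl WHERE Id = @Id AND PW = @PW;", connection)
                command.Parameters.Add("@Id", SqlDbType.Int).Value = id
                command.Parameters.Add("@PW", SqlDbType.NVarChar, 40).Value = pw
                connection.Open()
                storedPath = TryCast(command.ExecuteScalar(), String)
            End Using
        End Using

        If storedPath Is Nothing Then
            context.Response.StatusCode = 404
            Return
        End If

        Dim physicalPath As String = ResolveUnderDataFolder(context.Server.MapPath("~/Data/"), storedPath)
        If physicalPath Is Nothing OrElse Not File.Exists(physicalPath) Then
            context.Response.StatusCode = 404
            Return
        End If

        Dim contentType As String = Nothing
        If Not ContentTypes.TryGetValue(Path.GetExtension(physicalPath), contentType) Then
            context.Response.StatusCode = 415
            Return
        End If

        ' PDF and text can be rendered by the browser; Office files are handed over as downloads,
        ' and where the browser puts them is the user's setting, not the site's.
        Dim disposition As String = If(contentType = "application/pdf" OrElse contentType = "text/plain", "inline", "attachment")
        Dim safeName As String = Path.GetFileName(physicalPath).Replace("""", "")
        context.Response.ContentType = contentType
        context.Response.AppendHeader("Content-Disposition", disposition & "; filename=""" & safeName & """")
        context.Response.TransmitFile(physicalPath)
    End Sub

    ' Accepts a stored value such as "file.xlsx", "Data/file.xlsx" or "../Data/file.xlsx" and
    ' returns the full path only if it names a file directly inside the Data folder.
    ' Any directory part of the stored value is discarded, so ".." can never leave the folder.
    Public Shared Function ResolveUnderDataFolder(dataRoot As String, storedPath As String) As String
        Dim fileName As String = Path.GetFileName(storedPath)
        If String.IsNullOrWhiteSpace(fileName) Then Return Nothing
        Dim root As String = Path.GetFullPath(dataRoot).TrimEnd(Path.DirectorySeparatorChar) & Path.DirectorySeparatorChar
        Dim candidate As String = Path.GetFullPath(Path.Combine(root, fileName))
        ' Belt and braces: confirm the resolved path still starts with the Data folder.
        If Not candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then Return Nothing
        Return candidate
    End Function

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
End Class
```

With this handler in place the Repeater's link becomes a root-relative URL carrying only the row id, e.g. href='/Documents.ashx?id=<%#Eval("Id")%>', so the stored path is never exposed to the client and the only thing the page trusts from the request is an integer. The 400/403/404/415 status codes and the extension list are design choices for this example; the thread does not prescribe them.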
ASKER
K Feening

I use, from a webpage at localhost:####/:
<asp:FileUpload ID="FileUpload1"

to load the path and file name from the below into a table containing the name and path:
Server.MapPath("Data/")


If Not FileUpload1.HasFiles Then
    Exit Sub
End If

Session("FileUpload1") = FileUpload1

' Resolve the upload folder once, outside the loop, and create it if missing.
Dim NewDir As String = Server.MapPath("Data/")
If Not System.IO.Directory.Exists(NewDir) Then
    System.IO.Directory.CreateDirectory(NewDir)
End If

Dim ImageFiles As HttpFileCollection = Request.Files
For i As Integer = 0 To ImageFiles.Count - 1
    Dim file As HttpPostedFile = ImageFiles(i)

    ' Keep only the file name: the client-supplied FileName may contain directory parts,
    ' and concatenating it straight onto NewDir would let it escape the Data folder.
    Dim safeName As String = System.IO.Path.GetFileName(file.FileName)
    Dim target As String = System.IO.Path.Combine(NewDir, safeName)

    If System.IO.File.Exists(target) Then
        Try
            System.IO.File.Delete(target)
        Catch
            ' MsgBox is a desktop API and cannot be shown from server-side web code;
            ' the file is most likely locked (e.g. open in Excel), so stop here.
            Exit Sub
        End Try
    End If

    file.SaveAs(target)

    ' I then add the record to the table in the database.
Next


Do I have to use the below to open Excel?
Dim xExcel As New Microsoft.Office.Interop.Excel.Application()
xExcel.DisplayAlerts = False
Dim xlWorkBook As Microsoft.Office.Interop.Excel.Workbook
Dim xlWorkSheet As Microsoft.Office.Interop.Excel.Worksheet
Dim range As Microsoft.Office.Interop.Excel.Range
Dim rCnt As Integer
Dim XLCnt As Integer
Dim ColA As Object


or
How do I open and display Excel, Word documents or PowerPoint from the stored path, e.g. c:\folder\data\file.xlsx?
I hope this is what you need, thanks.
ste5an

Can you please rephrase your problem?
This means plain text, no code.

Because I don't see the point in your last post either.
ASKER
K Feening

I have a menu using href to point to an Excel file and a Word document on the web server's drive.
How do I display these files in a vb.net aspx web page?

Basically I need an example of how to display Word documents or Excel or PowerPoint in a vb.net aspx web page.

Which I have explained in all my previous texts.

Do you have an answer or do I have to rephrase?

ASKER CERTIFIED SOLUTION
ste5an
