I was wondering if it is possible to insert the filename of an image on the fileupload when a webform is opened.
For example, I run the program and the fileupload already have a filename of Image_Name.jpg on it to indicate that it already has a file without clicking the Choose File Button.
No, you can't do this - it is not allowed.
I mean, if we could do this, then when you come to my site to view a cute cat picture?
Then I'll go looking around on YOUR computer, and upload a file called my banking, or my passwords or whatever.
So, you can't set the file name. And in fact, EVEN when a user goes to select a file name? when they post the page (to up-load), then you ONLY get the file name. You don't even (and can't even) get the local path name.
On the other hand, might be a smartphone, and that don't even have a drive c:, and on some tablet OS, they don't even have path names similar to windows.
So, this is 100% HANDS OFF MY computer!!!
You can't set a file name, you can't choose a file name for the user. If you could do this, then not only could you mess around and grab files form my computer?
No one would ever use the internet again - since it would be too high risk and too dangerous.
I've got a program that digs inside the Local App Data folder of another program, pulls out some files, and then pushes them to Azure Blob Storage. I've already developed the rest of the program, but the intent of the application is to be as brainless as possible for the user- just a simple double click and the files have been uploaded.
At the moment the program requires manual input to find the correct folder in Local App Data. The Problem lies in that the name of the folder isn't always completely constant.
The folder's name always starts with com.company.propelics, followed by a series of randomized numbers and characters. I've already checked and there's no way to reproduce the randomization for each user. Within that folder, the folder structure is always constant- so the program would never have an issue finding the files once the original folder is found.
Is there a way to either scan the folders in Local App Data for the subfolders that will always exist, or take what is constant (com.company.propelics) and select the folder with that in the name?
Thanks for the help
IEnumerable<string> candidates = Directory
.EnumerateDirectories(
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
"com.company.propelics*");
Then
var folderPath = candidates.FirstOrDefault();
or something more complicated if there's disambiguation to perform...
In my project , i have a download button in jqgrid. When I click this button the appropriate file must be downloaded, but here is my problem; all these files come from different folders, so I cannot set a folder name in mappath. I saw different code for downloading, but in every case there has to be a folder name.
I have gound one solution for this; to bind the folder name & file name in a grid ,but there is a huge amount of data and I cannot change the database.
My question is: how can I download a file without a giving folder name?
but here my problem is all these files come different folders, so i
cannot give folder name in mappath
you can't download a file without knowing the virtual or absolute path. In your case, you want to download a file, but certainly (your code)doesn't know where it resides. more accurately, your code doesn't have a clue to provide the path of the file.
You should be able to provide a mechanism to down the file(be it keeping the file path in a DB table or a mapping of user to folder), you wont get a generic solution to your issue.
I am allowing users to upload files to my server. What possible security threats do I face and how can I eliminate them?
Let's say I am allowing users to upload images to my server either from their system or from net. Now to check even the size of these images I have to store them in my /tmp folder. Isn't it risky? How can I minimize the risk?
Also let's say I am using wget to download the images from the link that the users upload in my form. I first have to save those files in my server to check if they actually are images. Also what if a prankster gives me a URL and I end up downloading an entire website full of malware?
First of all, realize that uploading a file means that the user is giving you a lot of data in various formats, and that the user has full control over that data. That's even a concern for a normal form text field, file uploads are the same and a lot more. The first rule is: Don't trust any of it.
What you get from the user with a file upload:
the file data
a file name
a MIME type
These are the three main components of the file upload, and none of it is trustable.
Do not trust the MIME type in $_FILES['file']['type']. It's an entirely arbitrary, user supplied value.
Don't use the file name for anything important. It's an entirely arbitrary, user supplied value. You cannot trust the file extension or the name in general. Do not save the file to the server's hard disk using something like 'dir/' . $_FILES['file']['name']. If the name is '../../../passwd', you're overwriting files in other directories. Always generate a random name yourself to save the file as. If you want you can store the original file name in a database as meta data.
Never let anybody or anything access the file arbitrarily. For example, if an attacker uploads a malicious.php file to your server and you're storing it in the webroot directory of your site, a user can simply go to example.com/uploads/malicious.php to execute that file and run arbitrary PHP code on your server.
Never store arbitrary uploaded files anywhere publicly, always store them somewhere where only your application has access to them.
Only allow specific processes access to the files. If it's supposed to be an image file, only allow a script that reads images and resizes them to access the file directly. If this script has problems reading the file, it's probably not an image file, flag it and/or discard it. The same goes for other file types. If the file is supposed to be downloadable by other users, create a script that serves the file up for download and does nothing else with it.
If you don't know what file type you're dealing with, detect the MIME type of the file yourself and/or try to let a specific process open the file (e.g. let an image resize process try to resize the supposed image). Be careful here as well, if there's a vulnerability in that process, a maliciously crafted file may exploit it which may lead to security breaches (the most common example of such attacks is Adobe's PDF Reader).
To address your specific questions:
[T]o check even the size of these images I have to store them in my /tmp folder. Isn't it risky?
No. Just storing data in a file in a temp folder is not risky if you're not doing anything with that data. Data is just data, regardless of its contents. It's only risky if you're trying to execute the data or if a program is parsing the data which can be tricked into doing unexpected things by malicious data if the program contains parsing flaws.
Of course, having any sort of malicious data sitting around on the disk is more risky than having no malicious data anywhere. You never know who'll come along and do something with it. So you should validate any uploaded data and discard it as soon as possible if it doesn't pass validation.
What if a prankster gives me a url and I end up downloading an entire website full of malware?
It's up to you what exactly you download. One URL will result at most in one blob of data. If you are parsing that data and are downloading the content of more URLs based on that initial blob that's your problem. Don't do it. But even if you did, well, then you'd have a temp directory full of stuff. Again, this is not dangerous if you're not doing anything dangerous with that stuff.
1 simple scenario will be :
If you use a upload interface where there are no restrictions about the type of files allowed for upload then an attacker can upload a PHP or .NET file with malicious code that can lead to a server compromise.
refer:
http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
Above link discusses the common issues
also refer:
http://php.net/manual/en/features.file-upload.php
Here are some of them:
When a file is uploaded to the server, PHP will set the variable $_FILES[‘uploadedfile’][‘type’] to the mime-type provided by the web browser the client is using. However, a file upload form validation cannot depend on this value only. A malicious user can easily upload files using a script or some other automated application that allows sending of HTTP POST requests, which allow him to send a fake mime-type.
It is almost impossible to compile a list that includes all possible extensions that an attacker can use. E.g. If the code is running in a hosted environment, usually such environments allow a large number of scripting languages, such as Perl, Python, Ruby etc, and the list can be endless.
A malicious user can easily bypass such check by uploading a file called “.htaccess”, which contains a line of code similar to the below: AddType application/x-httpd-php .jpg
There are common rules to avoid general issues with files upload:
Store uploaded files not under your website root folder - so users won't be able to rewrite your application files and directly access uploaded files (for example in /var/uploads while your app is in /var/www).
Store sanitated files names in database and physical files give name of file hash value (this also resolves issue of storing files duplicates - they'll have equal hashes).
To avoid issues with filesystem in case there are too many files in /var/uploads folder, consider to store files in folders tree like that:
file hash = 234wffqwdedqwdcs -> store it in /var/uploads/23/234wffqwdedqwdcs
common rule: /var/uploads/<first 2 hash letters>/<hash>
install nginx if you haven't done its already - it serves static like magic and its 'X-Accel-Redirect' header will allow you to serve files with permissions being checked first by custom script
I want to show image in a crystal report.
Scenario is something like this.
I have a database where my path of an image is persisting.
eg ftp://Images/1.jpg
Now i want to repeat this image in a crystal report.
When i fills my datatable it shows me complete url. When i displays this field in GridView i uses imageBox to display my image and it works for me very fine.
But when i tries to do the same with crystal reports, it starts me showing image path as it is. Now here instead of path i want an image to be displayed.
OK, so the trail of tears to show images in CR report over the web is as follows:
1) The following is assumed:
a) CR 2008 aka CR 12. I know not about earlier versions, but XIR2 (11.5) may work.
b) Web display of pictures in reports is desired, with local workstation development and preview
c) IIS, ASP.NET application, .NET 4.0
d) Crystal Reports installed correctly ( that is an entirely different discussion, but suffice it to say, you better have a folder named aspnet_client with subdirectories as follows:
**system_web
4_0_30319
crystalreportviewers12**
etc.
that is parallel to the location of the web application. There's a lot more - but not here though...
e) Images are like photos or whatever but are reasonably sized and not too huge bytes-wise.
f) Thumbnails for each image exist, or a default thumbnail file is available.
g) They are JPG, PNG, or BMP images. Otherwise, you are out of luck AFAICT. If they are documents like Word, PDF, etc. which you wish to show in the same list, you will need a thumbnail for those too. But let's stay on the image topic...
h) You have images organized into a folder hierarchy on your web server, or accessible to your web server, but in any event, accessible to the website. Let's assume they are all under a main location D:\MyDocuments
I HAVE NOT TRIED THIS REFERRING TO AN FTP SITE LIKE THE ORIGINAL QUESTION BUT I DOUBT IT WILL WORK.
2) You need a database table or other sort of repository accessible to the webserver to register your images. The DB format is flexible, but we will assume it is a list keyed to your primary domain of interest, where you have 0:N images per main item, say, pictures of a residence, or pictures of a bridge, or pictures of a home inspection. This table has either a full path to your files, or a relative path, or a folder location plus a dedicated file name column. Whatever, but they have to make a file path like:
D:\MyDocuments\folderA\folder1\area51\whatever\myfile.png
so the database holds the whole thing , or part of it, or the bits, or whatever.
3) The root folder is D:\MyDocuments when viewing reports locally/standalone/not with a browser. This is an arbitrary name but keep track of it for now.
4) You register that root folder so CR can find it. This can either be hard-wired into your reports (bad) or looked up from an INI file (ummm, OK) or in a database field (why not,since you are registering your images anyway?) or passed as a parameter to your reports that want to show pictures or document links (simple, but what happens when you deploy to some other file system?)
5) In your report that shows the pictures, and I am assuming here N / item of interest as described in (2) above, you have a picture inserted with the CR designer. Link it to some really bogus picture or a default image so you can tell if you are resolving the file names....
6) The picture thumbnail's path is retrieved from the database and assembled as necessary, with BACK SLASHES, into a file name. It will be stored in a Shared StringVar FullQualifiedThumbnailFileName (let's say) in the report and consists of the document root, which you made available to the report in step (4) and stored in a dedicated Shared StringVar DocRoot (let's say) PLUS the calculated file name. So formula field FullyQualifiedThumbnailFileName looks like:
{#DocRoot} & FolderLocationFromDB & ThumbnailFileNameFromDB or in real life:
D:\MyDocuments\folderA\folder1\area51\whatever\tn_myfile.png
7) So now you have a thumbnail file name. Drop it anywhere on your draft report so you can see what it is resolving too during design. Do the exact same thing to refer to the REAL file name and make a variable called FullyQualifiedThumbnailFileName. It should be openable with a picture viewer if it has been constructed correctly. Drop it somewhere too so you can read it and use it to test.
8) Right-click on the picture object on the report, pick Format Graphic, click the picture tab, and open the formula icon for the picture location.
Before you start whining at me please look at the assumptions at the top - I have no clue which earlier versions of CR support this, or if they do it differently.
Then, in the formula editor, enter the following:
{#FullQualifiedThumbnailFileName} which you created just a minute ago. Your thumbnail is a Windows DOS path to a local file name on the webserver or your development workstation.
9) Now add a parameter to your report, or make a formula variable, or whatever, that consists by default of the string "file://". This will be REPLACED at runtime with the httpContext.Current.Session application root but we'll get to that in a minute. I guess you could have done this earlier.... Name this WebURLRoot
10) Create a formula field called txtImageURL Anyway, the name is up to you but guess what goes here? Something like the following:
if lowercase( {#WebURLRoot} ) = "file://" THEN
{#WebURLRoot} &
REPLACE( {#txtDocumentFileFullyQualifiedName},"/","\")
else
URLENCODE( {#WebURLRoot} &
REPLACE(
{*DocumentFileNameFromYourSource*}
,"\","/") )
The appending of file name DocumentFileNameFromYourSource to WebURLRoot works for me because I have relative paths in my situation that do NOT include the DocRoot. Your situation may be different. In any event, in standalone mode, this variable should resolve to:
file://D:\MyDocuments\folderA\folder1\area51\whatever\myfile.png
where this is not a thumbnail. At runtime on the web, it should resolve to:
http://somewebhost/website/folderA/folder1/area51/whatever/myfile.png
because we are going to supply http://localhost/website to the variable WebURLRoot somehow.I did it using a parameter passed from the web application. It could be looked up or hardwired but remember, what happens if the website gets relocated?
Put {#txtImageURL} into the hyperlink calculated file name formula, and click the option to indicate that it is coming from a website on the internet AKA your local development server or whatever.
In standalone mode, the file strings in txtImageURL have backslashes. At runtime, they are set to forward slashes for the full file name. The URLEncode function from Crystal makes them nice for web purposes.
Again drop txtImageURL onto your development surface until it is straight.
11) You now have a CR RPT with
a) A variable holding the Windows root of your documents tree C:\MyDocuments, which you supplied to the report by whatever means. I store it in the database my application connects to.
b) A variable holding the Window path to your thumbnail, constructed from the thumbnail name in the database plus the document root
c) A variable holding the Windows path to your real file name, again constructed from the actual file name in the database plus the document root
d) A web site URL stem which is file:// during development and http://localhost/website/ at runtime for the website. You are passing this
e) A working URL for the image file combining the web site URL stem with the actual file.
Good so far? Grab a beer. Maybe 2.
C# changes
1) OK, so we need to tweak our world to pass the web site URL stem to a report at runtime as a parameter. You cannot do this over the web using the Crystal Reports Viewer. Assuming you have followed one of the many examples available for how to load, parameterize and show a report from a web application, and I think you can find these with Google, make sure you do this in your application somewhere. I located mine in Global.asax.cs in the Session_Start event which seems highly reasonable according to the authoer... Please note that credit is due to the referenced URL personage... :
// so Crystal can receive the APP_Path as an argument
// Code that runs when a new session is started
// http://aquesthosting.headtreez.com/doc/d9ccf4d8-1873-469e-9dca-815e5854b963
string appPath = System.Web.HttpContext.Current.Request.ApplicationPath.ToLower();
if (appPath == "/") //a site
appPath = "/";
else if (!appPath.EndsWith(#"/")) //a virtual directory i.e. in a subfolder
appPath += #"/";
Session["APP_Path"] = appPath; //stores the value to a session variable for us to use
2) Now where you create the parameters for your report, make sure to pass Session["APP_Path"] as a parameter something like this:
// START CHANGE
// this next check seems unlikely
if(! (HttpContext.Current.Session == null))
{
// pass HttpContext.Current.Session["APP_Path"].ToString() as a parameter
if (!(String.IsNullOrEmpty(HttpContext.Current.Session["APP_Path"].ToString())))// set in Global.asax.cs Start_Session
exporter.Arguments.Add(exporter.Arguments.Count, HttpContext.Current.Session["APP_Path"].ToString()); // to last parameter position
else
exporter.Arguments.Add(exporter.Arguments.Count, String.Empty); // or nothing to last parameter position
// end change
}
where exporter.Arguments holds the parameters for my reports. Your situation will doubtlessly be different. One somewhat important thing is to put this parameter either ALWAYS FIRST or ALWAYS LAST, such that other parameters are not screwed up by it. Use the very same order for parameters in the report itself. The parameters apparently associate values by name anyway but I think mish-mashing them is a bad idea and ultimately confusing.
3) So now you run your reports standalone, and when prompted for the web site URL stem you enter file://. When the same exact report is run over the web, the application sends it whatever the website stem is but something like http://localhost/website/ .
GOTCHAS:
1) During development of this, show your variables on your reports. Make sure that for the thumbnails you are using server-relative but full Windows/DOS paths always, and for the pictures, either full Windows/DOS paths during development prepended with file://
You can always hide them before production.
2) Watch out for too many slashes etc. It is easy to end up with a double slash which screws up the URLs...
3) Remember that formulas are evaluated in some sort of mystical sequence by Crystal but I understand that the Page Header is processed before the detail. I put ALL my common variables i.e. DocRoot and WebSiteRootURL there in the Page Header (or even the Report Header since they do not change), so they are quantified first, and the detail band can use them.
4) I delegated all the picture showing and listing to an embedded subreport. It shares the variables it needs using a Shared StringVar xyz approach. It is all a bit squirrelly but basically the subreport always gets its value from the container report for the common stuff (see comment 3 right above). For laying out that subreport, I made an even tinier subreport to serve as the holder for the common variables so I would not have to run the whole monstrosity.
5) These 'variable holder'reports cannot be suppressed or the values do not appear to resolve. So make them extremely tiny and borderless, then squish up the page headers or whatever to hide them. I guess the text and background could be set identical as well to further cloak them but don't do that until you are done fiddling with the layout etc. or you will have to graze around to find the itty-bitty subreport. They are your local memory variables.
6) Image/document/linked files in standalone MUST use conventional DOS/Windows file name paths (no forward slashes). These can resolve for the website but to make a hyperlink, the slashes gotta go forward as far as I can tell so assume you will have to flip-flop.
7) As a side note, I was able to relocate my documents out of the website hierarchy during development by using Junction Magic to remap ~/MyDocuments to D:\MyDocuments etc.. The web server does not appear to care that it is actually traversing D:\MyDocuments but thinks that it is in a subfolder of the website. HOWEVER, you may have to use a Virtual Directory approach - be forewarned. Or, store the documents right under the website but somehow that seems klutzy.
8) Did I mention permission problems? No, but they might bite you. Make sure the IIS_IUSR and whatever can access the files/folders etc.
9) Shouldn't this have all been much easier? Oh well, thank you anyway SAP...
NEWS BLAST -
so apparently the Request object also holds the web site URL stem. Use that if you don't want to go the route of a global.
Also, I may not have explicitly stated it, but the CR OLE object only understands Windows... not unix file name conventions. As a further consideration, path lengths have to conform.
Finally, when I show file names on the web page, I cloak both the DOS/Windows root and the website stem and just show the relative path e.g. ~/Folder/Folder/File.png so that it is not too obvious how the documents are arranged on the website - probably needlessly paranoid but also has the benefit that if the website moves users don't get bewildered.
Questions may or may not get answers. Have fun.
Here you go... (tested with VS 2013) - Working !!!
1) Ad an image to the report using insert->picture
2) Right click on image -> format object ->picture
3) Change the formula of the graphic location
ex-
"E:\tmp\wrk\s1.jpg"
You can change the path and the file name according to your requirement and conditions using the formula builder
The main problem is CrystalImageHandler.aspxonly works for the root folder (I mean: for c:\inetpub\wwwroot) So there are 2 options:
From the ISS Manager change Default Web Site-> Advanced Settings->Physical Route from %SystemDrive%\inetpub\wwwrootto YourFolderName
Move your files to %SystemDrive%\inetpub\wwwroot
So far, I found this solution. Hope it helps.
I know that if you are using the Crystal Reports included with Visual Studio, this is not supported. It will display images stored in a db field, but not from a url.
I think (but do not know for sure) that no version of Crystal supports the ftp protocol for displaying images.