I am building an app using ASP.NET C# MVC5. You can add records to a database and these records can have images attached to them (it can be a single image for now if it makes it more complex).
I have seen some other posts on storage uploads but I don't see them working for me:
Upload File to Amazon S3
Upload files directly to Amazon S3 from ASP.NET application
How to upload a file to amazon S3 without passing it by a server?
Idea:
Upload a file (image) to Amazon S3 without the data passing through my server.
Persist any data on the form that was entered by the user (I'm happy with a post-back, modal or no-refreshing of the page)
Save a database value in a File table with the name and type of the file etc. that was uploaded (this will also be linked to the item that they are associated with)
Process:
User selects file to upload and presses upload button
File is uploaded directly to amazon (c# async method?, ajax?)
Thumbnail version is also created and uploaded to amazon using the same method? ('-thumb' is appended to filename)
Database records created with filename, amazon fileKey, fileType etc. for both files
(optional) thumbnail is then shown on-screen next to the uploader
User presses 'Save' to save the record along with the image information
When the user goes to save the item information (could be creating a new record or editing an existing one), the file information can be attached (if it isn't attached at the point of uploading the file??)
Constraints:
Avoid using client-based solution for improved app performance and accessibility across platforms (so avoid JavaScript, and definitely flash)
Minimise possibility of the user uploading a file and forgetting to save (or the browser crashing and loosing the link to the file that has been uploaded)
If I knew more about ASP.NET MVC I would have liked to have more suggestions or ideas. I wonder about using async methods or ajax calls to stop the page re-loading and loosing inputted data.
I have downloaded the Amazon SDK and built some classes around it but realised that it wasn't that useful if I'm not uploading via my app!
I took samples for client side upload from https://github.com/floatingfrisbee/amazonfileupload which was fairly useful (I managed to get it working in my app for client side uploads) but there is a lot missing from that solution to fit my problem and I would like a neat, reliable solution for my more complex problem.
Any ideas very welcome!! I'm really struggling to come up with something.
UPDATE 15.12.2016
To clarify, I would like to minimise the amount of client-side processing to the point that a low powered mobile device wouldn't struggle to process the request (obviously if the device can't handle simple image uploads then I don't need to worry).
In terms of server-side processing, the main thing I want to avoid is uploading the image via the server for bandwidth reasons, any other processing I am very happy to happen on the server.
Related
My asp.net web application is some kind of "document managment system" saving files in the file system of the server.
The stored files are shown in an asp:ListView control and are downloadable as HTTP- Download. But I also want to drag&drop them into another browser window to upload the draged file to an cloud storeage like dropbox or google drive oslt.
I did some research and I didn't find any solution for this problem. I don't know if this is even possible. Maybe someone has an idea how this could be done?
I am pretty sure you can't have a web application doing that for you because it involves having your web language interacting with your computer, to move a local file to another window or tab in the browser.
It would be similar to have Javascript accessing your local files without the user "help". That is not allowed.
Rather than doing that, why not connect to Google Drive or Dropbox API and make the upload yourself?
In the piece of code where you trigger the download, you could also trigger an upload to the desired service.
Here are the API Documentation for the mentioned services:
https://www.dropbox.com/developers/documentation/http/documentation#file_requests-create
https://developers.google.com/drive/api/v3/manage-uploads
I need to find a way to upload asynchronously multiple files.
I want to make a smtp client, User can chose files, create message and then send the mail.
I use ajaxfileupload but it create a folder witch look like c:/windows/tem/_ajaxFileUpload/[a guid]/[uploaded files]
is it possible to determine the guid and then find files to attach without saving it to an other folder.
this must be done after user click on send button.
One possible option is the HTML 5 File Api which allows client side uploads. Here is a tutorial on it http://www.html5rocks.com/en/tutorials/file/dndfiles/
I have used it in conjunction with a MVC 4 C# application, and have successfully got it to post (ajax post) file contents to an API Controller which can then be used to persist the file. While you don't mention if you are using MVC, the same should be possible using any sort of service.
Hope this helps.
I have an image upload application (C# desktop) for end users and I want to switch to the cloud(storage)(the VPS is to expensive and unlimited hosting providers don't allow image hosting scripts).
In order to do that I need to embed the login credentials inside my application (delivered to the end users) and maybe update them according to changes. So it's not a solution to me because of security reasons (cracking and upload things that aren't images).
One solution would be to host a PHP script so that my application uploads to that script (check if it's a image) and than to re-upload that image to the cloud storage. The problem is, I use the double bandwidth.
Is there any cloud hosting model that enables me that (without paying the double bandwidth or additional fees for running the PHP application or other thenology) or how to "hide" the creditals?
I have about 5000 uniqe visitors a day with about 70 users online in each moment (google analytics). I am offering a free service in a free app without adds so i have no earnings and i would really try to keep it like that with minimal hosting costs :(
Try out Google App Engine and Blobstore. It's relatively easy to use (sorry, no PHP support tho!) and is free up to a specified limit, so you can develop without having to spend.
https://developers.google.com/appengine/docs/python/blobstore/overview
How it works:
Your C# app GETs to a short Python script that simply returns a URL
that contains a random key (that Google gives your Python script)
Your C# app POSTs to that URL using an appropriate mime type.
Your C# app will be redirected to a final URL once the upload
completes. That URL will again be a Python script, which will
then record the uploaded URL (and any metadata) to prevent it from becoming orphaned.
Another advantage of using Google App Engine is that they offer image transforms (crop, scale) that will be handled on their end -- allowing you to ask for thumbnails, for example, without having to download the full sized image first.
For step 3, you could record the URL (really just the blobstore entry ID) to your main application. The point is: you don't want to lose that random key because that's the only way of retrieving the image file.
I am having a web form available to public, which has file upload capability. Now files are either saved on web server or sent out as attachment in an email. We are having restriction on size i.e 15MB and extensions of file being uploaded. Our SMTP server is on same web server. I have concern about security, as anyone can upload malicious files and can have impact on our production web server.
What are the risks I will be having by such file upload control available to public? Is there anyway someone can execute malicious script on web server by uploading malicious file.
I did some research and found out following points
If I sent out a file as an attachment in an email, this file will be stored for temporary period in Temporary ASP .Net folders, and once email is sent this will get deleted.
You can rename a file before saving them on file system.
You can save file on different location as your website
You can have some sort of real time virus check. I am not sure how you can do that. I was reading about some command line virus scan. But not sure if I really need that.
These are just few points, but I would like to know about any blind spots in file upload.
To answer your question about possible security vulnerabilities, yes you can definately create vulnerabilities in your application and for your users even if you don't save the file to the disk. But there are a few lines of defense you can take to validate.
The first is to obviously restrict the types of files that can be uploaded, you can do this with a white list and a check of the extension but don't stop there. You should also verify by looking at the contents of the file to ensure that it complies with the expected format. This can be critical as a bad guy can inject file headers into the file uploaded and use your system as a zombie for passing around his malware.
Second you should run a virus scan against the uploaded file, you can do this by using a command line to execute a local virus scanner. This is an easy thing to do with many virus scans including Trend Micro, and unless you're looking at a massive amount of file uploads then it should not be a huge tax on your server.
Ensure that you never pass paths as user submitted data (via GET or POST to download) as that can expose you to a path traversal attack. If your user needs to download the file from the browser you can create a database of where the records are stored and then create a controller or page that will fetch it based on the database record and the users access to that record, rather than provide a path which a user can control and use to get files from your server.
Ensure that the directory you will save to is not readable by the web server, this way they don't upload a malware script and then execute it from their browser via an HTTP
Ensure that you validate all user input against some anti-XSS library (Microsoft provides one http://www.microsoft.com/en-us/download/details.aspx?id=28589)
Hope that helps!
The best way is to upload them to /App_Data folder or to store them in a database as binary objects. App_Data is not readable through the web server, so this will protect you against execute and script access. An alternative to storing them in binary is to Base 64 encode them and store them in text (again either in the file system App_Data or database).
Create a proxy page to check the user has permissions to view/download the file and if so send a stream of the file to the HTTP response. This way users do not have direct access and cannot execute anything they shouldn't. You can also attach files using the SMTP classes from a stream reference.
If storing in the file system you could implement your own naming convention so that a request for the actual file is mapped to the stored version.
Virus scanning can be useful, but think of this as protecting other users that may have access to download the file rather than protecting your server.
I'm pretty noob with ASP.NET programming and i'm a bit confused on a problem that i'm facing right now.
We, as devs in my company, live in a clustered environment like the one shown in figure
Nothing really special.
You see, IIS Websites are duplicated on evry FrontEnd Servers. Business logic resides on BackEnds that are sitting, togheder with DB and NAS File system, behind a firewall.
So communication between the public space and the protected one is permitted only through particular channels, with particular requests, to particular IPs and Protocols.
Now, we were asked to build a site where the user can customize his own environment, upload images that will be dispalyed in his HomePage and other features.
In a classical configuration, a user upload an image that is written in a folder in the site root, and then the HTML refers to that image to populate whatever control to display it.
But, when a user connect to our site, the load balancer will choose one particular frontend that's not the same for evry session.
So, a user will upload his file, disconnect and then come back only to find that his image is gone, 'couse the Load Balancer has routed his request to a differnt frontend where the image does not exist.
So the need to write a piece of code that pull the file from the NAS behind the Firewall.
The upload part is stupid, and i can understand it.
My problem is:
when the user connects to his page, how i reference in the HTML an image that's not on the machine the site is running on but on a completely hidden File system?
I thought of writing a WCF that serve the image as as a byte stream, but which ASP.NET control to use on the Page to put the stream content on, and How?
I Know that asking the experts community will bring me the best way to accomplish this.
Hope this is clear enough.
Thanks so much for the replays and excuse me for the bad english form.
Instead of using your file system for User Images, i would recommend you to go for some CDN solution like Amazon S3 or some other you like. This way you don't need to take care of where the image is stored or requested from, it shall always be accessed through CDN url(given when you upload an image on CDN programmatically), where url shall be in your database.Using a CDN releives you of many concerns that you shall face while storing at your location.
Even though if you don't like to use S3 , then your option is good enough to develop a simple WCF/WEB service to upload/serve the images.