Reading and Writing Files from outside the web structure
In many cases you may have files that you don't want Joe Blow Web User to have access to when they visit your site. If these files are for clients only, you don't want somebody to be able to "hack" your pages and find out the directory or filename structure.
The only real way to secure these files is to store them outside the web directory.
"Doesn't this defeat the purpose of sharing files over the web?" you say.
Normally it probably would, but in this case it's the perfect (well, almost) scenario for securing your files. The method I use for securing files is a component that reads the binary file from a directory and then writes it back to the web browser.
There is also an article in the Microsoft Knowledge Base about this, which is where I got the idea: http://support.microsoft.com/support/kb/articles/Q193/9/98.ASP
The MEAT of the Article
OK, now I will show you the code that does this amazing feat.
<%
'On Error Resume Next
If Not Response.IsClientConnected Then
    Response.End
End If
Response.Buffer = True

'Specify a MIME type such as "text/html", "image/gif" or "application/pdf"
Response.ContentType = "application/msword"

'Useful in cases for unknown file types
'Response.ContentType = "application/octet-stream"

'Custom server component
Set objBinFile = Server.CreateObject("ASPBinFile.clsASPBinFile")

'Beware of cases of file name in case some systems differentiate them
'Sample path; on a live site point this at a directory outside the web root
mFile = "c:\inetpub\wwwroot\test\serverop.doc"

mStream = objBinFile.BinFileRead(mFile)
'The file name offered to the browser should match the file and MIME type being sent
Response.AddHeader "Content-Disposition", "inline; filename=" & "serverop.doc"
'"private" keeps shared proxies from caching files meant for clients only
Response.CacheControl = "private"

Response.BinaryWrite mStream
Set objBinFile = Nothing
Response.End
%>
As you can see the code is very small. Now there are a few things I need to point out here, just so everyone understands this.
You need to set your MIME type so that the browser knows what kind of file this is. If you are serving multiple kinds of files I would write a case statement to handle all the MIME types and for the CASE ELSE you can use octet-stream.
Octet-Stream is the catch-all datatype. If you look in your web server's properties under MIME types you will likely see a long list with MIME types and their associated applications. For Octet-Stream you will see all or *. This is because octet-stream is straight binary and will just let you download or open the file, kind of like writing it straight to the browser.
mFile is the variable that holds the path. What I would do here is hardcode the main path into your ASP page and then just Response.Write your filename into the page.
You will also need to create your instance of the BinaryRead/Write object I have created.
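The MIME-type case statement and the hardcoded base path described above can be combined with a check on the requested file name, so that only plain file names inside the protected directory are ever read. This is an added example, not code from the original article; BASE_DIR, MimeTypeFor, SafePath and the "file" query-string parameter are assumed names.

```vbscript
' Assumed location outside the web root (hypothetical path).
Const BASE_DIR = "d:\clientfiles"

' Extension -> MIME type, with octet-stream as the Case Else fallback.
Function MimeTypeFor(fileName)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    Select Case LCase(fso.GetExtensionName(fileName))
        Case "doc"
            MimeTypeFor = "application/msword"
        Case "pdf"
            MimeTypeFor = "application/pdf"
        Case "gif"
            MimeTypeFor = "image/gif"
        Case Else
            MimeTypeFor = "application/octet-stream"
    End Select
End Function

' Returns the full path for a requested file name, or "" when the name
' is not a plain file name that resolves to an existing file in BASE_DIR.
Function SafePath(requested)
    Dim fso, re, full
    SafePath = ""
    Set re = New RegExp
    ' Letters, digits, "_" and "-" plus one optional extension:
    ' no slashes, colons or ".." can get through.
    re.Pattern = "^[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?$"
    If Not re.Test(requested) Then Exit Function
    Set fso = CreateObject("Scripting.FileSystemObject")
    full = fso.GetAbsolutePathName(fso.BuildPath(BASE_DIR, requested))
    ' Second check: the resolved path must still sit under BASE_DIR.
    If LCase(Left(full, Len(BASE_DIR) + 1)) <> LCase(BASE_DIR & "\") Then Exit Function
    If fso.FileExists(full) Then SafePath = full
End Function

' Use in the ASP page above ("file" is an assumed query-string parameter):
'   mFile = SafePath(CStr(Request.QueryString("file")))
'   If mFile = "" Then
'       Response.Status = "404 Not Found"
'       Response.End
'   End If
'   Response.ContentType = MimeTypeFor(mFile)
```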
Below I have also included the code for the component I wrote to handle the binary read portion of this article. This is a simple ActiveX DLL. Just open VB and name the Project File ASPBinFile and the Class File clsASPBinFile. You should be rocking and good to go after this.
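Option Explicit

' Reads the whole file at inFileSpec and returns it as a Byte array.
Function BinFileRead(ByVal inFileSpec As String) As Variant
    On Error GoTo errHandler
    Dim mHandle
    Dim lngFileLen As Long
    Dim arrData() As Byte

    mHandle = FreeFile
    Open inFileSpec For Binary Access Read As #mHandle

    lngFileLen = FileLen(inFileSpec)
    ' Arrays are zero-based, so the upper bound is the length minus one;
    ' ReDim arrData(lngFileLen) would append a stray zero byte to the output
    ReDim arrData(lngFileLen - 1)

    Get #mHandle, , arrData
    Close #mHandle

    BinFileRead = arrData
    Exit Function

errHandler:
    ' On any error the function returns Empty
End Function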
I have also included a compiled version of the DLL and the source project files. I hope this helps.