Working With Files Above Site's Root Directory

Discussion in 'ASP .Net' started by Jerry, Dec 23, 2004.

  1. Jerry

    Jerry Guest

    I'm having just a bit of trouble wrapping my brain around the task of
    working with folders that are above the site's root folder.

    I let users upload photos (.jpg/.gif files) which can subsequently be viewed
    on the site's pages. My hosting provider is requiring that any files my Web
    app writes get written to a folder that is above the app's root folder (for
    security purposes).

    When writing the files I understand how to use MapPath to get the physical
    path to the destination folder. So I think I'm okay on the uploading part.

    But what I'm kind of hung up on is how to get my the aspx pages (<IMG
    src=...>) to refer to the files in that folder. I'm dynamically assigning
    the value of the src= property of IMG controls.

    Do I need to create a virtual folder in the site? Is that the solution? Is
    there another/better way? If I create a virtual folder, can I then ditch the
    use of MapPath for uploading the files? Suppose I get all this to work with
    a virtual folder, then haven't we totally defeated the whole point of
    placing the folder above the site root (for security purposes)?

    Bottom line - what do I need to do?

    I'm kind of new Web app development, so any guidance or perspective is
    greatly appreciated.
    Jerry, Dec 23, 2004
    #1
    1. Advertising

  2. Hi Jerry,

    You wont be able to use Server.MapPath, as the file is outside of your web
    application. It is more useful to think of the file location as "outside"
    rather than "above" in this case, as the physical location of the directory
    isn't important. The fact that it is outside your web app is important.

    There are 2 kinds of directories in an ASP.Net app. One type is virtual
    directories, or web directories. These are objects in the web server, as a
    result of them having been defined as inside a web. They correspond to file
    system directories, but are completely different in most respects. File
    System directories can't have web server permissions assigned to them. File
    System directories are invisible to the web server, unless they are mapped
    to virtual directories.

    The most typical way that a virtual directory is created is "by default,"
    that is, as a result of being under the root web directory. They can also be
    created by mapping directories outside the web app to a virtual directory
    INSIDE a web app. This illustrates one of the differences between virtual
    (web) directories and file system directories. Virtual directory permissions
    pertain to HTTP requests for content. File System directory permissions
    pertain to file system access of the directory.

    So, in order to upload files, you're going to have to hard-code the full
    (file system) directory location to upload them to. Your server-side code
    can save the files to the physical file system directory that way.

    To fetch them, you will also have to use the file system location. Rather
    than creating an image tag that has a "src" attribute (which can only point
    to a URL), you need to create an ASP page or HTTP Handler to fetch the
    images from the file system, and return them, from inside your web. That ASP
    page would be the "src" attribute of the image tag, and you can add
    QueryString parameters to indicate which file it should fetch. It would set
    the Response.ContentType property to "image/jpg" (or whatever MIME type the
    image is), and save the file after opening it to the Response.OutputStream.
    IOW, it would read the QueryString, find the file system location of the
    image file, open it, and save it to the Response.OutputStream.

    An HTTPHandler would also do the trick, but is probably a bit more than you
    need for this requirement.

    --
    HTH,
    Kevin Spencer
    ..Net Developer
    Microsoft MVP
    Neither a follower
    nor a lender be.

    "Jerry" <> wrote in message
    news:...
    > I'm having just a bit of trouble wrapping my brain around the task of
    > working with folders that are above the site's root folder.
    >
    > I let users upload photos (.jpg/.gif files) which can subsequently be

    viewed
    > on the site's pages. My hosting provider is requiring that any files my

    Web
    > app writes get written to a folder that is above the app's root folder

    (for
    > security purposes).
    >
    > When writing the files I understand how to use MapPath to get the physical
    > path to the destination folder. So I think I'm okay on the uploading part.
    >
    > But what I'm kind of hung up on is how to get my the aspx pages (<IMG
    > src=...>) to refer to the files in that folder. I'm dynamically assigning
    > the value of the src= property of IMG controls.
    >
    > Do I need to create a virtual folder in the site? Is that the solution? Is
    > there another/better way? If I create a virtual folder, can I then ditch

    the
    > use of MapPath for uploading the files? Suppose I get all this to work

    with
    > a virtual folder, then haven't we totally defeated the whole point of
    > placing the folder above the site root (for security purposes)?
    >
    > Bottom line - what do I need to do?
    >
    > I'm kind of new Web app development, so any guidance or perspective is
    > greatly appreciated.
    >
    >
    Kevin Spencer, Dec 23, 2004
    #2
    1. Advertising

  3. Jerry

    Jerry Guest

    Thanks Kevin - you always give great explanations.


    "Kevin Spencer" <> wrote in message
    news:...
    > Hi Jerry,
    >
    > You wont be able to use Server.MapPath, as the file is outside of your web
    > application. It is more useful to think of the file location as "outside"
    > rather than "above" in this case, as the physical location of the

    directory
    > isn't important. The fact that it is outside your web app is important.
    >
    > There are 2 kinds of directories in an ASP.Net app. One type is virtual
    > directories, or web directories. These are objects in the web server, as a
    > result of them having been defined as inside a web. They correspond to

    file
    > system directories, but are completely different in most respects. File
    > System directories can't have web server permissions assigned to them.

    File
    > System directories are invisible to the web server, unless they are mapped
    > to virtual directories.
    >
    > The most typical way that a virtual directory is created is "by default,"
    > that is, as a result of being under the root web directory. They can also

    be
    > created by mapping directories outside the web app to a virtual directory
    > INSIDE a web app. This illustrates one of the differences between virtual
    > (web) directories and file system directories. Virtual directory

    permissions
    > pertain to HTTP requests for content. File System directory permissions
    > pertain to file system access of the directory.
    >
    > So, in order to upload files, you're going to have to hard-code the full
    > (file system) directory location to upload them to. Your server-side code
    > can save the files to the physical file system directory that way.
    >
    > To fetch them, you will also have to use the file system location. Rather
    > than creating an image tag that has a "src" attribute (which can only

    point
    > to a URL), you need to create an ASP page or HTTP Handler to fetch the
    > images from the file system, and return them, from inside your web. That

    ASP
    > page would be the "src" attribute of the image tag, and you can add
    > QueryString parameters to indicate which file it should fetch. It would

    set
    > the Response.ContentType property to "image/jpg" (or whatever MIME type

    the
    > image is), and save the file after opening it to the

    Response.OutputStream.
    > IOW, it would read the QueryString, find the file system location of the
    > image file, open it, and save it to the Response.OutputStream.
    >
    > An HTTPHandler would also do the trick, but is probably a bit more than

    you
    > need for this requirement.
    >
    > --
    > HTH,
    > Kevin Spencer
    > .Net Developer
    > Microsoft MVP
    > Neither a follower
    > nor a lender be.
    >
    > "Jerry" <> wrote in message
    > news:...
    > > I'm having just a bit of trouble wrapping my brain around the task of
    > > working with folders that are above the site's root folder.
    > >
    > > I let users upload photos (.jpg/.gif files) which can subsequently be

    > viewed
    > > on the site's pages. My hosting provider is requiring that any files my

    > Web
    > > app writes get written to a folder that is above the app's root folder

    > (for
    > > security purposes).
    > >
    > > When writing the files I understand how to use MapPath to get the

    physical
    > > path to the destination folder. So I think I'm okay on the uploading

    part.
    > >
    > > But what I'm kind of hung up on is how to get my the aspx pages (<IMG
    > > src=...>) to refer to the files in that folder. I'm dynamically

    assigning
    > > the value of the src= property of IMG controls.
    > >
    > > Do I need to create a virtual folder in the site? Is that the solution?

    Is
    > > there another/better way? If I create a virtual folder, can I then ditch

    > the
    > > use of MapPath for uploading the files? Suppose I get all this to work

    > with
    > > a virtual folder, then haven't we totally defeated the whole point of
    > > placing the folder above the site root (for security purposes)?
    > >
    > > Bottom line - what do I need to do?
    > >
    > > I'm kind of new Web app development, so any guidance or perspective is
    > > greatly appreciated.
    > >
    > >

    >
    >
    Jerry, Dec 23, 2004
    #3
  4. And Merry Christmas to you, Jerry!

    --
    Kevin Spencer
    ..Net Developer
    Microsoft MVP
    Neither a follower
    nor a lender be.

    "Jerry" <> wrote in message
    news:...
    > Thanks Kevin - you always give great explanations.
    >
    >
    > "Kevin Spencer" <> wrote in message
    > news:...
    > > Hi Jerry,
    > >
    > > You wont be able to use Server.MapPath, as the file is outside of your

    web
    > > application. It is more useful to think of the file location as

    "outside"
    > > rather than "above" in this case, as the physical location of the

    > directory
    > > isn't important. The fact that it is outside your web app is important.
    > >
    > > There are 2 kinds of directories in an ASP.Net app. One type is virtual
    > > directories, or web directories. These are objects in the web server, as

    a
    > > result of them having been defined as inside a web. They correspond to

    > file
    > > system directories, but are completely different in most respects. File
    > > System directories can't have web server permissions assigned to them.

    > File
    > > System directories are invisible to the web server, unless they are

    mapped
    > > to virtual directories.
    > >
    > > The most typical way that a virtual directory is created is "by

    default,"
    > > that is, as a result of being under the root web directory. They can

    also
    > be
    > > created by mapping directories outside the web app to a virtual

    directory
    > > INSIDE a web app. This illustrates one of the differences between

    virtual
    > > (web) directories and file system directories. Virtual directory

    > permissions
    > > pertain to HTTP requests for content. File System directory permissions
    > > pertain to file system access of the directory.
    > >
    > > So, in order to upload files, you're going to have to hard-code the full
    > > (file system) directory location to upload them to. Your server-side

    code
    > > can save the files to the physical file system directory that way.
    > >
    > > To fetch them, you will also have to use the file system location.

    Rather
    > > than creating an image tag that has a "src" attribute (which can only

    > point
    > > to a URL), you need to create an ASP page or HTTP Handler to fetch the
    > > images from the file system, and return them, from inside your web. That

    > ASP
    > > page would be the "src" attribute of the image tag, and you can add
    > > QueryString parameters to indicate which file it should fetch. It would

    > set
    > > the Response.ContentType property to "image/jpg" (or whatever MIME type

    > the
    > > image is), and save the file after opening it to the

    > Response.OutputStream.
    > > IOW, it would read the QueryString, find the file system location of the
    > > image file, open it, and save it to the Response.OutputStream.
    > >
    > > An HTTPHandler would also do the trick, but is probably a bit more than

    > you
    > > need for this requirement.
    > >
    > > --
    > > HTH,
    > > Kevin Spencer
    > > .Net Developer
    > > Microsoft MVP
    > > Neither a follower
    > > nor a lender be.
    > >
    > > "Jerry" <> wrote in message
    > > news:...
    > > > I'm having just a bit of trouble wrapping my brain around the task of
    > > > working with folders that are above the site's root folder.
    > > >
    > > > I let users upload photos (.jpg/.gif files) which can subsequently be

    > > viewed
    > > > on the site's pages. My hosting provider is requiring that any files

    my
    > > Web
    > > > app writes get written to a folder that is above the app's root folder

    > > (for
    > > > security purposes).
    > > >
    > > > When writing the files I understand how to use MapPath to get the

    > physical
    > > > path to the destination folder. So I think I'm okay on the uploading

    > part.
    > > >
    > > > But what I'm kind of hung up on is how to get my the aspx pages (<IMG
    > > > src=...>) to refer to the files in that folder. I'm dynamically

    > assigning
    > > > the value of the src= property of IMG controls.
    > > >
    > > > Do I need to create a virtual folder in the site? Is that the

    solution?
    > Is
    > > > there another/better way? If I create a virtual folder, can I then

    ditch
    > > the
    > > > use of MapPath for uploading the files? Suppose I get all this to work

    > > with
    > > > a virtual folder, then haven't we totally defeated the whole point of
    > > > placing the folder above the site root (for security purposes)?
    > > >
    > > > Bottom line - what do I need to do?
    > > >
    > > > I'm kind of new Web app development, so any guidance or perspective is
    > > > greatly appreciated.
    > > >
    > > >

    > >
    > >

    >
    >
    Kevin Spencer, Dec 23, 2004
    #4
  5. Kevin Spencer wrote:

    > Hi Jerry,
    >
    > You wont be able to use Server.MapPath, as the file is outside of your web
    > application. It is more useful to think of the file location as "outside"
    > rather than "above" in this case, as the physical location of the
    > directory isn't important. The fact that it is outside your web app is
    > important.
    >
    > There are 2 kinds of directories in an ASP.Net app. One type is virtual
    > directories, or web directories. These are objects in the web server, as a
    > result of them having been defined as inside a web. They correspond to
    > file system directories, but are completely different in most respects.
    > File System directories can't have web server permissions assigned to
    > them. File System directories are invisible to the web server, unless they
    > are mapped to virtual directories.
    >
    > The most typical way that a virtual directory is created is "by default,"
    > that is, as a result of being under the root web directory. They can also
    > be created by mapping directories outside the web app to a virtual
    > directory INSIDE a web app. This illustrates one of the differences
    > between virtual (web) directories and file system directories. Virtual
    > directory permissions pertain to HTTP requests for content. File System
    > directory permissions pertain to file system access of the directory.
    >
    > So, in order to upload files, you're going to have to hard-code the full
    > (file system) directory location to upload them to. Your server-side code
    > can save the files to the physical file system directory that way.
    >
    > To fetch them, you will also have to use the file system location. Rather
    > than creating an image tag that has a "src" attribute (which can only
    > point to a URL), you need to create an ASP page or HTTP Handler to fetch
    > the images from the file system, and return them, from inside your web.
    > That ASP page would be the "src" attribute of the image tag, and you can
    > add QueryString parameters to indicate which file it should fetch. It
    > would set the Response.ContentType property to "image/jpg" (or whatever
    > MIME type the image is), and save the file after opening it to the
    > Response.OutputStream. IOW, it would read the QueryString, find the file
    > system location of the image file, open it, and save it to the
    > Response.OutputStream.
    >
    > An HTTPHandler would also do the trick, but is probably a bit more than
    > you need for this requirement.
    >

    Beautiful explanation!
    Do you write?
    Nicole Schenk, Dec 30, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tom
    Replies:
    1
    Views:
    3,735
    Ken Schaefer
    Dec 11, 2003
  2. Kenny
    Replies:
    1
    Views:
    315
    Patrice
    Dec 22, 2004
  3. Kenny
    Replies:
    0
    Views:
    297
    Kenny
    Dec 22, 2004
  4. Jay Sartoris
    Replies:
    1
    Views:
    431
    Tjerk Wolterink
    Oct 18, 2004
  5. Jay Sartoris
    Replies:
    1
    Views:
    527
    Tjerk Wolterink
    Oct 18, 2004
Loading...

Share This Page