ASP .NET Image File Processing

  • Question

  • I am not sure about the multi-user aspect of ASP .NET regarding the processing of a PNG Image file. 
    Do I have to rename the incoming file to a unique name, or does ASP .NET somehow handle this?

    Does ASP .NET automatically serialize requests so that multiple users can be executing the same web application at the same time? 

    This talks about the FileUpload server control that is offered through ASP.NET 2.0.
    http://msdn.microsoft.com/en-us/library/aa479405.aspx

    I know that I will have to validate the incoming data to make sure it is really a PNG image otherwise I will have a security leak. I know that checking the file extension is woefully inadequate validation. 

    I will be processing the image file using a DispInterface COM component, I will probably need PInvoke for this. 
    Is this still the correct .NET function to execute DispInterface COM components? 



    100% Accurate Display Screen OCR http://www.OCR4Screen.com

    • Moved by Eyal Solnik Saturday, August 23, 2014 11:41 PM Irrelevant to C#
    Saturday, August 23, 2014 1:52 PM

Answers

  • I am not sure about the multi-user aspect of ASP .NET regarding the processing of a PNG Image file. 
    Do I have to rename the incoming file to a unique name, or does ASP .NET somehow handle this?

    Does ASP .NET automatically serialize requests so that multiple users can be executing the same web application at the same time? 

    Yes, IIS, the web server on which ASP.NET applications run, handles multiple requests for you.

    But please ask any questions about ASP.NET you may have in the following forum: http://forums.asp.net

    • Marked as answer by Peter Olcott Saturday, August 23, 2014 10:50 PM
    Saturday, August 23, 2014 3:01 PM

All replies

  • Asp.net doesn't handle saving files with the same name any better than you would trying to save numerous files with the same name to your computer.

    You can send as many files with a particular name, that doesn't matter until it tries to save them somewhere.

    They all go in the same place unless you do something about it in code.

    If you consider this web method from a wcf service, this is doing what the name implies:

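        using System.Runtime.Serialization;

        // Data contract for one upload: the caller supplies the name to save under,
        // the raw image bytes and the target folder.
        [DataContract]
        public class ImageUpload
        {
            [DataMember]
            public string ImageName { get; set; }
    
            [DataMember]
            public byte[] Image { get; set; }
    
            [DataMember]
            public string Folder { get; set; }
        }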

    That property ImageName  will be used to save the file, it has nothing to do with the name of the file being sent.

    This code here does the actual saving:

        using System;
        using System.IO;
        using System.ServiceModel.Activation;
        using System.Web;

        [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
        public class ImageUploadService : IImageUploadService
        {
            public bool Upload(ImageUpload imageUpload)
            {
                try
                {
                    // Folder and ImageName both come from the caller and are appended
                    // to the site's physical path exactly as sent.
                    string imagePath = HttpContext.Current.Server.MapPath(".")
                        + imageUpload.Folder
                        + imageUpload.ImageName;
    
                    if (imageUpload.ImageName != string.Empty)
                    {
                        // FileMode.Create overwrites any existing file with the same name.
                        // The using blocks close the writer first, then the stream.
                        using (FileStream fileStream = File.Open(imagePath, FileMode.Create))
                        using (BinaryWriter writer = new BinaryWriter(fileStream))
                        {
                            writer.Write(imageUpload.Image);
                        }
                    }
    
                    return true;
                }
                catch (Exception)
                {
                    // Any failure (bad path, no permission, null data) is reported as false.
                    return false;
                }
            }
        }

    Notice that the file will be saved in the web site /ImageUpload/

    Everyone calling that service sends their files to the same place on disk.

    .

    You can have multiple users on a web site.

    Quite how many depends on what they're all doing.

    There is a finite set of resources available to process things.

    How many concurrent users are you expecting and how many files of what size?

    You're going to check file size before you transfer?

    http://stackoverflow.com/questions/3094748/asp-net-check-file-size-before-upload

    Using COM on a web server is not a great plan unless you have a pretty light load.

    Is this internet or intranet?

    In the application that code comes out of, only admins can upload files, so checking them would be a bit pointless.  If the admins want to break the site they can do it without using a dodgy jpg.

    On other sites I prefer to decouple validation and offload file checking to a separate server.


    Hope that helps
    Please don't forget to up vote answers you like or which help you and mark one(s) which answer your question.

    Saturday, August 23, 2014 3:53 PM
  • This will be a web application available to everyone to use for free. It will be hosted on a virtual private server. The COM part provides all of the functionality and takes 2 MB, and it will need another 3 MB of RAM for data.  

    The whole purpose of this application is to let potential customers use my program before buying it such that it is impossible for them to steal it. I have 2 GB dedicated RAM. I expect zero concurrent users yet want to handle at least a dozen. The most intensive use of resources is CPU. One of the functions takes 12 CPU seconds. Most of the users will not execute this function. 

    http://msdn.microsoft.com/en-us/library/aa479405.aspx

    The ASP .NET file upload widget can be configured to refuse files larger than a certain fixed size, it defaults to 4 MB.  



    Saturday, August 23, 2014 5:41 PM
  • You're still best validating size in the browser.

    It will make a DoS attack a little harder anyhow.

    Your server ought to be able to deal with that sort of load.

    .

    When you save a file, prefix the name with the user name or id or something.

    Use identity to have them log in.

    A sql ce database ought to be plenty for your user security stuff, just keep an eye on the size.




    • Edited by Andy ONeill Saturday, August 23, 2014 5:58 PM
    Saturday, August 23, 2014 5:50 PM
  • You're still best validating size in the browser.

    It will make a DoS attack a little harder anyhow.

    Your server ought to be able to deal with that sort of load.

    .

    When you save a file, prefix the name with the user name or id or something.

    Use identity to have them log in.



    I should validate the size in the browser, too, yet the user can bypass the browser check and probably will bypass the browser check in a DoS attack.  I should also probably validate that it really is a PNG file too. Buffer over-run errors can insert malicious code. 

    I don't want my users to have to login just to try the most basic functionality. I will have to use some sort of integer counter for file name, I guess.




    Saturday, August 23, 2014 5:59 PM
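The server-side checks discussed in this thread (a size cap, confirming that the bytes really begin as a PNG, and a unique stored name), as an added example that is not code from any poster. It uses a GUID rather than the integer counter mentioned above, so concurrent requests need no shared state, and the check only filters obvious non-PNG input before the decoder sees it. The class name `PngUploadGuard`, the 8192-pixel dimension cap and the `uploadDir` parameter are assumptions.

```csharp
using System;
using System.IO;
// Added example, not code from the thread; names and caps below are assumptions.
public static class PngUploadGuard
{
    const int MaxBytes = 4 * 1024 * 1024; // assumed cap, same as the 4 MB default mentioned above
    const uint MaxDimension = 8192;       // assumed cap on width and height
    static readonly byte[] Signature = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };

    static uint ReadUInt32BE(byte[] b, int o)
    {
        return ((uint)b[o] << 24) | ((uint)b[o + 1] << 16) | ((uint)b[o + 2] << 8) | b[o + 3];
    }

    // True when data fits the size cap, starts with the 8-byte PNG signature and
    // continues with a 13-byte IHDR chunk whose width and height are in range.
    public static bool LooksLikePng(byte[] data)
    {
        // 33 = signature (8) + IHDR length, type, data and CRC (4 + 4 + 13 + 4).
        if (data == null || data.Length < 33 || data.Length > MaxBytes) return false;
        for (int i = 0; i < Signature.Length; i++)
            if (data[i] != Signature[i]) return false;
        if (ReadUInt32BE(data, 8) != 13) return false;
        if (data[12] != 'I' || data[13] != 'H' || data[14] != 'D' || data[15] != 'R') return false;
        uint width = ReadUInt32BE(data, 16), height = ReadUInt32BE(data, 20);
        return width >= 1 && width <= MaxDimension && height >= 1 && height <= MaxDimension;
    }

    // Stores the bytes under a server-generated name, so two uploads never
    // collide and no client-supplied text reaches the path.
    public static string SaveWithUniqueName(byte[] data, string uploadDir)
    {
        if (!LooksLikePng(data)) throw new InvalidDataException("Upload is not an acceptable PNG.");
        string path = Path.Combine(uploadDir, Guid.NewGuid().ToString("N") + ".png");
        // CreateNew throws rather than overwriting an existing file.
        using (var fs = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None))
            fs.Write(data, 0, data.Length);
        return path;
    }

    public static void Main()
    {
        byte[] ok = new byte[33]; // constructed sample: signature + IHDR header of a 1x1 image
        Array.Copy(Signature, ok, 8);
        new byte[] { 0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52, 0, 0, 0, 1, 0, 0, 0, 1 }.CopyTo(ok, 8);
        byte[] renamed = System.Text.Encoding.ASCII.GetBytes("plain text that was only renamed to .png");
        Console.WriteLine(LooksLikePng(ok));
        Console.WriteLine(LooksLikePng(renamed));
    }
}
```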
  • I am not sure about the multi-user aspect of ASP .NET regarding the processing of a PNG Image file. 
    Do I have to rename the incoming file to a unique name, or does ASP .NET somehow handle this?

    Does ASP .NET automatically serialize requests so that multiple users can be executing the same web application at the same time? 

    Yes, IIS, the web server on which ASP.NET applications run, handles multiple requests for you.

    But please ask any questions about ASP.NET you may have in the following forum: http://forums.asp.net

    I could not find the ASP.NET forum anywhere on the list. 


    Saturday, August 23, 2014 6:02 PM
  • "

    I should also probably validate that it really is a PNG file too. Buffer over-run errors can insert malicious code. 

    "

    This malicious code.

    How and where would it run?

    There will be no GDI+ processing on the server.

    At what stage are you going to validate the file?



    Saturday, August 23, 2014 6:29 PM
  • "

    I should also probably validate that it really is a PNG file too. Buffer over-run errors can insert malicious code. 

    "

    This malicious code.

    How and where would it run?

    There will be no GDI+ processing on the server.

    At what stage are you going to validate the file?



    If there is no GDI+ running on the server I won't be able to open the PNG file. 

    If the PNG file is malicious code then it might be possible to cause this code to execute on the server. The problem with security is that you don't know everything, and this area of ignorance might possibly be a vulnerability. 



    Saturday, August 23, 2014 9:37 PM
  • Hello,

    You should post ASP.NET related questions at forums.asp.net.


    Regards, Eyal Shilony

    Saturday, August 23, 2014 11:40 PM
  • Hello,

    You should post ASP.NET related questions at forums.asp.net.


    Regards, Eyal Shilony

    If you REALLY want people to post to the correct forum you REALLY need to make the right forum available to be found. 

    ASP .NET did not show up on any list. 

    I looked and looked and could not find any ASP .NET forum. 

    If you search for messages about [ASP .NET] the ASP .NET forum is never mentioned.






    Sunday, August 24, 2014 2:28 AM
  • I looked and looked and could not find any ASP .NET forum. 

    If you search for messages about [ASP .NET] the ASP .NET forum is never mentioned.

    Well, there is a sticky that I made that specifically tells you where to post it and I made it VERY clear in the title that you shouldn't post these questions in the C# forum. :)

    Unfortunately many people don't tend to read stickies, it can save people a great deal of time.

    ASP.NET is a huge platform and so there are so many things it covers that to have just a single forum doesn't make sense and it fits better in the ASP.NET website.


    Regards, Eyal Shilony

    • Edited by Eyal Solnik Sunday, August 24, 2014 4:22 AM
    Sunday, August 24, 2014 4:13 AM
  • I looked and looked and could not find any ASP .NET forum. 

    If you search for messages about [ASP .NET] the ASP .NET forum is never mentioned.

    Well, there is a sticky that I made that specifically tells you where to post it and I made it VERY clear in the title that you shouldn't post these questions in the C# forum. :)

    Unfortunately many people don't tend to read stickies, it can save people a great deal of time.

    ASP.NET is a huge platform and so there are so many things it covers that to have just a single forum doesn't make sense and it fits better in the ASP.NET website.


    Regards, Eyal Shilony

    I am saying that there was no way for me to know in advance that any ASP .NET group exists. When I searched for messages in all groups using these keywords [ASP .NET] no ASP .NET group came up. Every other message about ASP .NET was not posted to an ASP .NET group. 

    Microsoft needs to do much better about this and make sure that the ASP .NET group can be found in advance.



    Sunday, August 24, 2014 2:59 PM
  • Peter,

    A simple Bing search "asp.net forums" brings up forums.asp.net as the top result.

    Not sure how much easier it could be?

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ('6F6C646B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Monday, August 25, 2014 2:35 PM
  • Yeah, that's yet another way to get there. ;)


    Regards, Eyal Shilony

    Monday, August 25, 2014 2:45 PM
  • Peter,

    A simple Bing search "asp.net forums" brings up forums.asp.net as the top result.

    Not sure how much easier it could be?

    Karl

    Here is how easier it can be:
    1) Everyone assumes that all MSDN forums will be right here.
    2) Move the ASP .NET to right here with every other MSDN forum.
    3) Make the ASP .NET forum searchable from right here in the MSDN forum.

    Why is the ASP .NET forum somewhere else all by itself instead of right here with every other MSDN forum? 




    Monday, August 25, 2014 3:26 PM
  • Why is the ASP .NET forum somewhere else all by itself instead of right here with every other MSDN forum?

    One forum for all Microsoft technologies is a great vision but I'd imagine that the costs and challenges are just as great.

    I think that what they should do is to guide you when you type some keywords and tell you where is the correct forum for the relevant topic.


    Regards, Eyal Shilony

    Monday, August 25, 2014 5:20 PM
  • Why is the ASP .NET forum somewhere else all by itself instead of right here with every other MSDN forum? 


    Perhaps because ASP.Net is open source.

    There is a whole legion of people who won't create an account on social.microsoft.com but don't mind being associated with open source projects.

    I remember when Microsoft was dropping newsgroups, there was much gnashing of teeth and multiple people saying they were done participating simply because they'd need a Microsoft account.

    Karl



    Monday, August 25, 2014 6:30 PM
  • Why is the ASP .NET forum somewhere else all by itself instead of right here with every other MSDN forum? 


    Perhaps because ASP.Net is open source.

    There is a whole legion of people who won't create an account on social.microsoft.com but don't mind being associated with open source projects.

    I remember when Microsoft was dropping newsgroups, there was much gnashing of teeth and multiple people saying they were done participating simply because they'd need a Microsoft account.

    Karl 

    That makes a lot more sense now. Before this explanation it seemed like Microsoft was hiding the ASP .NET group and then blaming and deriding people for not finding it. They could still do a very much better job of advertising it here though. 




    Friday, August 29, 2014 12:04 PM