Server.MapPath - Parent Paths Disabled - Windows 2003 IIS 6 - WorkAround

Lovely Angel

Hi To All!

First of all sorry that I didn't post any code and even didn't reply to
any post.

The code is here:

<%
Dim rdset
Dim objConn
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & _
    Server.MapPath("../data/data.mdb")
%>

This is the structure of my files
www - rootfolder, where all main files go
www/back - where all admin files go
www/data - where mdb file is stored
www/images - where image files are stored

Now this code is for file in www/back folder.

There were two options, to get all things right.

1. Use Absolute Path : that would have solved my problem for database,
but then there were scripts in back folder which were putting the text
data in the database(www/data) and from the forms submitted picked up
the image files to be stored in (www/images).
Now if there would have been one or two scripts it was ok, I had many
scripts for different modules.
(Bad programming on my side. Learnt something from this that I should
have another string common to all scripts which tells them where to
upload the image files)

2. Ask My Service Provider : Now there was this catch, I didn't have the
direct access with service provider. As I was just asked to build the
application and upload to the server. So I took this option out for my
initial post.
Though the good news is, after a few emails up the hierarchy of people, I
got the service provider to Enable The Parent Path.
And the comment I get from him is: "I still think you should not use
relative paths, but the absolute paths"
I don't know why he said that. Any comments on that.

Thanks to all who replied.

Love
Lovely

__________________________________
 
joker

I think they may be getting that information from one of the Microsoft
KB articles. Here is one on that subject.

184717 AspEnableParentPaths MetaBase Property Should Be Set To False

In that article Microsoft says "The AspEnableParentPaths property in the
MetaBase specifies whether an ASP can allow paths relative to the
current directory (using the ..\ notation). This may be a security risk.

In a security-enhanced environment, the AspEnableParentPaths property
should be set to False, but the default installation of Internet
Information Server version 4.0 sets it to True.

NOTE: Disabling ASP Parent Paths will only affect the execution of
dynamic content on .asp pages. This does not affect the server's ability
to reference static content using HTML code (whether it is called from
.htm, .html or .asp files). The following line in a default.asp would
properly display the image without returning an ASP 0131 error, even
after AspEnableParentPaths = False:
<img src="../images/logo.jpg">
"

I always use a server side include that has all the variables and the
connection string all in one include so that I can make the change only
once instead of several hundred times. If you need to connect to
several databases just make one include for each database connection
that you need.
 
Roland Hall

in message
: First of all sorry that I didn't post any code and even didn't reply to
: any post.
:
: The code is here:
:
: <%
: Dim rdset
: Dim objConn
: Set objConn = Server.CreateObject("ADODB.Connection")
: objConn.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & _
:     Server.MapPath("../data/data.mdb")
: %>
:
: This is the structure of my files
: www - rootfolder, where all main files go
: www/back - where all admin files go
: www/data - where mdb file is stored
: www/images - where image files are stored

IMHO, your database should be below the web root. Someone could then grab
your database file if the path is even known and being in a folder called
data is probably not that difficult to guess.

www
data

instead of...
www
www/data

The former does not allow anyone to reach your database virtually.

: Now this code is for file in www/back folder.
:
: There were two options, to get all things right.
:
: 1. Use Absolute Path : that would have solved my problem for database,
: but then there were scripts in back folder which were putting the text
: data in the database(www/data) and from the forms submitted picked up
: the image files to be stored in (www/images).
: Now if there would have been one or two scripts it was ok, I had many
: scripts for different modules.
: (Bad programming on my side. Learnt something from this that I should
: have another string common to all scripts which tells them where to
: upload the image files)

Your www as you state is your web root or http://mydomain.com/. This
implies www/data is http://mydomain.com/data/.
So, you can reference your files via virtual root paths or /data.
mydomain.com will be used by default if no domain reference is given so you
do not need to reference them as http://mydomain.com/data.

: 2. Ask My Service Provider : Now there was this catch, I didn't have the
: direct access with service provider. As I was just asked to build the
: application and upload to the server. So I took this option out for my
: initial post.
: Though the good news is, after a few emails up the hierarchy of people, I
: got the service provider to Enable The Parent Path.
: And the comment I get from him is: "I still think you should not use
: relative paths, but the absolute paths"
: I don't know why he said that. Any comments on that.

I cannot speak for your host but perhaps it is because using parent paths
can get confusing. They are based upon the current context.

If you are at www or http://mydomain.com/ then using ../data/data.mdb would
in reality be:

www
data/data.mdb

and not
www/data/data.mdb

However this presents a problem because virtually you cannot point outside
the web root, but physically you can. I don't ever use parent paths so I do
not know what the actual result would be. If this is my setup:

/ = web root
/images
/asp
/js

Then I reference my files as:
/images/myimage.jpg
/asp/myaspfile.asp
/js/myscript.js

This makes my code easier to read and specifically tells the server where to
find my files. And, if I have this:
/folder1/secondlevel/thirdlevel/fourthlevel/fifthlevel/my5thlevelfile.asp

...then that is not very practical. I would then add a variable for my
paths:

Dim secondPath, thirdPath, fourthPath, fifthPath
secondPath = "/folder1/secondlevel"
thirdPath = secondPath & "/thirdlevel"
fourthPath = thirdPath & "/fourthlevel"
fifthPath = fourthPath & "/fifthlevel"

So:

fifthPath & "/my5thlevelfile.asp" =
/folder1/secondlevel/thirdlevel/fourthlevel/fifthlevel/my5thlevelfile.asp

This is a ridiculous example since I usually do not go very deep in my
hierarchy. It is just to give you some alternative ideas to what you're
currently using. If I did use them it would generally be in a loop where
many files were being referenced.

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
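
The two suggestions in the replies above (one shared include holding the connection string, and root-relative virtual paths instead of `../`) combine into a single settings file. This is an added example, not code from any poster in the thread; the file name `/inc/config.asp`, the function names, and the placeholder physical path are assumptions.

```asp
<%
' /inc/config.asp (hypothetical file name): shared settings for all scripts.

' Root-relative virtual paths: no "..", so Server.MapPath resolves them
' even when AspEnableParentPaths = False (no ASP 0131 error).
Const DB_VIRTUAL_PATH = "/data/data.mdb"
Const IMAGE_VIRTUAL_DIR = "/images"

' Set this once the .mdb is moved outside the web root, where no virtual
' path can reach it. Placeholder example: "D:\sites\example\data\data.mdb"
Const DB_PHYSICAL_PATH = ""

Function DbPath()
    If DB_PHYSICAL_PATH <> "" Then
        DbPath = DB_PHYSICAL_PATH
    Else
        DbPath = Server.MapPath(DB_VIRTUAL_PATH)
    End If
End Function

Function OpenDb()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & DbPath()
    Set OpenDb = conn
End Function

' Physical path for a stored image. Names carrying path parts are refused,
' so a submitted file name cannot point outside /images.
Function ImagePath(fileName)
    If fileName = "" Or InStr(fileName, "..") > 0 Or InStr(fileName, "/") > 0 _
       Or InStr(fileName, "\") > 0 Or InStr(fileName, ":") > 0 Then
        Err.Raise vbObjectError + 1, "config.asp", "Invalid file name"
    End If
    ImagePath = Server.MapPath(IMAGE_VIRTUAL_DIR & "/" & fileName)
End Function
%>
```

Each script, including those in www/back, pulls the file in with `<!-- #include virtual="/inc/config.asp" -->` and calls `Set objConn = OpenDb()`; the `virtual` form of the include is itself root-relative, so it does not depend on parent paths either.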
 
