What does Request.Params("dir") mean

[AAaron123]

Been reading about uploading files and many of the examples contain the
following code:

Dim currentDir As String

currentDir = Request.Params("dir")

Dim root As String = "C:\JUNK"

If currentDir Is Nothing Then

currentDir = root

End If

If Not currentDir.StartsWith(root) Then

currentDir = root

End If

I understand that Request is a way of obtaining data sent by the browser to
the server, but can't figure when there would be "dir" since the examples
never seem to be sending that.

Could you tell me how the parameter dir might be set and what it might mean
in the above context?



Thanks a lot

 

[AAaron123]

You can send any text you like in the Request.Params collection - you
can't expect to find an example of every piece of text in the world! I'm
betting you won't find any examples sending Request.Params("AAaron123")
either...

I meant the samples that does the RequestParams never sets a value but uses
it.

Could this be a posible usage of that code?

Last time it was run a cookie "dir" was set to remember which directory the
user selected.

Then the current run wants to continue with the same directory.

(But again, the sample does not save a cookie.)



Also, I'm wonering if "dir" is simply something that the developer called it
or is it something that the "system" sets.


I guess I'm afraid I'm missing something because of not knowing something,
and probably making too much of it.


Thanks




Thanks

 

[Göran Andersson]

Been reading about uploading files and many of the examples contain the
following code:

Dim currentDir As String

currentDir = Request.Params("dir")

Dim root As String = "C:\JUNK"

If currentDir Is Nothing Then

currentDir = root

End If

If Not currentDir.StartsWith(root) Then

currentDir = root

End If

I understand that Request is a way of obtaining data sent by the browser to
the server, but can't figure when there would be "dir" since the examples
never seem to be sending that.

Could you tell me how the parameter dir might be set and what it might mean
in the above context?



Thanks a lot

The code is not taken from a very good example...

You should not use the Request.Params collections. Instead you should
read from the specific collection where the value is; the
Request.Cookes, Request.ServerVariables, Request.Form or
Request.QueryString collection.

Because the Params collection is a combined collection of those
collections, you might get unexpected effects. If you read a query
string named "id" in a page, and then somewhere in the site add a cookie
with the name "id", that page will be using the cookie value instead of
the query string value. An error like that can be quite difficult to
track down...

Also, you should definitely not read the path where you store the files
from the user input without verifying it. Someone could quite easily
send a request changing the value to "c:\winnt\" and upload the file
"explorer.exe"...

 

[AAaron123]

Thanks to both. One more time. I may have just seen a light you probably
take for granted.

If I were writing a sub I would expect the root directory to be in something
like txtName.Text.

But a more general way would be to expect the user to set the value so that
the sub could get it using Request.Params. After all, he may prefer a
combobox over a textbox.\

Works even from client side to server side.

Does that make sense?

That is, is that a way developer pass data to a general purpose sub?




Thanks again

 

[Göran Andersson]

Thanks to both. One more time. I may have just seen a light you probably
take for granted.

If I were writing a sub I would expect the root directory to be in something
like txtName.Text.

But a more general way would be to expect the user to set the value so that
the sub could get it using Request.Params. After all, he may prefer a
combobox over a textbox.\

Works even from client side to server side.

Does that make sense?

That is, is that a way developer pass data to a general purpose sub?

A developer passes data to a general purpose method as a parameter. The
interface area of the method should be as small as possible, so it
should rather get all data that it needs from the parameters instead of
going out looking for data in form fields or Request collections.

A general purpose method would typically be usable from either a web
application or a windows application, or at least from different web
applications or different forms, where the field names and field types
are different. The information sent to the method should be as
non-specific as possible, that makes it easier to reuse the method.

A web application has a special situation where the input from the user
can easily be tampered with, so no part of the input can ever be trusted
completely. Validating the input is therefore the responsability of the
user interface part of the application, so the data should already be
validated when the general purpose method is called. You should for
example never send a file path from the client data straight into a
method. Actually the file path doesn't have any business being in the
browser at all, the data from the client should be something abstract
like a number or a keyword which then is translated into a file path to
use in the method.

 

[AAaron123]

I can think of no other purpose for the code as it is except as an easy way
to get a value to the sub. Guess I'm trying too hard.

Thanks

 

[AAaron123]

I found out what the Request.Params("dir") is for in the code at the bottom.

As I went through other parts of the code I got to understand the following.
Looks like it's OK to add data onto the end of the anchor's href. He was
checking for that data (the full path)

Kind of cute. Thought someone might be interested in seeing how it is done.

Dim dirName As String = Path.GetFileName(d)

sb.Append("<tr>")

sb.Append("<td><img src=images/Folder.gif>&nbsp;")

sb.Append("<a href=").Append(thisPage)

sb.Append("?dir=").Append(Server.UrlEncode(currentServerDir))

sb.Append(directorySeparatorChar)...

 

[Göran Andersson]

I found out what the Request.Params("dir") is for in the code at the bottom.

As I went through other parts of the code I got to understand the following.
Looks like it's OK to add data onto the end of the anchor's href. He was
checking for that data (the full path)

Kind of cute. Thought someone might be interested in seeing how it is done.

Dim dirName As String = Path.GetFileName(d)

sb.Append("<tr>")

sb.Append("<td><img src=images/Folder.gif>&nbsp;")

The default markup language for pages created in Visual Studio nowadays
is XHTML 1.0. That code is not valid XHTML code...

sb.Append("<a href=").Append(thisPage)

sb.Append("?dir=").Append(Server.UrlEncode(currentServerDir))

That's a query string. You read it using Request.QueryString rather than
Request.Params, for the reasons I stated in my earlier post.

sb.Append(directorySeparatorChar)...

An unencoded directory separator character has no business in an url...

 

[AAaron123]

Wow! I've seen some kludgy ASP Classic ports in my time, but that's truly
dreadful!

Obviously you'll be rewriting the app properly...

It's in a loop that loops over all the files in a directory and he makes a
anchor element for each.
I have no idea how to rewrite it.
Use a Response.write for each anchor?

Thanks

 

[AAaron123]

The default markup language for pages created in Visual Studio nowadays is
XHTML 1.0. That code is not valid XHTML code...


That's a query string. You read it using Request.QueryString rather than
Request.Params, for the reasons I stated in my earlier post.


An unencoded directory separator character has no business in an url...

That much I can fix.

Thanks

 

[AAaron123]

Absolutely not. Response.Write should not be used for this sort of thing
in ASP.NET, because you have no guarantee over where the markup will end
up when the HTML stream is rendered...

Without knowing how the app works (but from what you've already said) I
would suggest that you use the GetFiles method of the Directory class to
fetch the filespecs from the directory:
http://msdn.microsoft.com/en-us/library/07wt70x2.aspx

and then create dynamic HyperLink webcontrols for each of them. You'll
need to do this in Page_Init if you need to wire up events for them...

I can think of some reasons: What he did looks error prone and nothing gets
checked unti run time, but I'm guessing there are even more fundemental
reasons you like what you suggested better than this code. What are they?


Thanks

 

[AAaron123]

A web application has a special situation where the input from the user
can easily be tampered with, so no part of the input can ever be trusted
completely. Validating the input is therefore the responsability of the
user interface part of the application, so the data should already be
validated when the general purpose method is called. You should for
example never send a file path from the client data straight into a
method. Actually the file path doesn't have any business being in the
browser at all, the data from the client should be something abstract like
a number or a keyword which then is translated into a file path to use in
the method.

I see what you mean. I this instance the path is for a file to download so
the user could make it point to another file and download that. I suppose I
could put the paths in an array and transmit only the index. In this
instance the page is only accessible to me but it's something I'll keep in
mind.

Thanks again

 

[AAaron123]

ok thanks

The fact that this code is clearly a straight port of linear ASP Classic -
ASP.NET simply doesn't work this way...

 

[AAaron123]

The code is not taken from a very good example...

You should not use the Request.Params collections. Instead you should read
from the specific collection where the value is; the Request.Cookes,
Request.ServerVariables, Request.Form or Request.QueryString collection.

Because the Params collection is a combined collection of those
collections, you might get unexpected effects. If you read a query string
named "id" in a page, and then somewhere in the site add a cookie with the
name "id", that page will be using the cookie value instead of the query
string value. An error like that can be quite difficult to track down...

Also, you should definitely not read the path where you store the files
from the user input without verifying it. Someone could quite easily send
a request changing the value to "c:\winnt\" and upload the file
"explorer.exe"...

Want to tell you I've taken your advice and changed all my Request.Parameter
to Request.QueryString.

That was easy, but as to paths from the user that is more difficult to fix
but I think I can except for where I use
asp:FileUpload. I don't know how I can make that more secure or if there is
a need to since I control the "to" folder.



As an aside, I wish I could initialize the path in asp:FileUpload but that
appears to be impossible.



Thanks again

 

[AAaron123]

The default markup language for pages created in Visual Studio nowadays is
XHTML 1.0. That code is not valid XHTML code...


That's a query string. You read it using Request.QueryString rather than
Request.Params, for the reasons I stated in my earlier post.




An unencoded directory separator character has no business in an url...

Could someone expand on the last statement?
What should be there?

Thanks in advance