I have a logic where user is uploading file to get insert into the database. As far as Security point is concerned, my tester told me to implement Authentication and Authorization.
I tried with below code but tester was still able to upload files.
protected void btnHotoUpload_Click(object sender, EventArgs e)
{
try
{
if (!User.Identity.IsAuthenticated)
{
// Redirect the user to the login page if not authenticated
string strMessage = "You are not registered to access this application";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
return; // Stop execution if not authenticated
}
else
{
UploadHotoExcel();
}
}
catch (Exception ex)
{
string strErrorMsg = ex.Message.ToString() + " " + "StackTrace :" + ex.StackTrace.ToString();
}
}
UploadExcel Method
public void UploadHotoExcel()
{
string filename = Path.GetFileName(fluHotoUpload.PostedFile.FileName);
string extension = Path.GetExtension(filename);
string contentType = fluHotoUpload.PostedFile.ContentType;
HttpPostedFile file = fluHotoUpload.PostedFile;
byte[] document = new byte[file.ContentLength];
file.InputStream.Read(document, 0, file.ContentLength);
string mimeType = System.Web.MimeMapping.GetMimeMapping(filename);
var httpRequest = HttpContext.Current.Request;
var postedFile = httpRequest.Files["ctl00$MainContent$TabContainer1$tbpnlCRProposedChangeDetails$fluHotoUpload"];
if (postedFile.ContentType == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" || postedFile.ContentType == "application/vnd.ms-excel")
{
if (extension == ".xlsx" || extension == ".xls") // For File extension validation
{
string conStr = "";
// string filename = Path.GetFileName(fluHotoUpload.FileName);
string filenamewithoutrext = "";
filenamewithoutrext = Path.GetFileNameWithoutExtension(fluHotoUpload.FileName).ToLower();
string path = Server.MapPath("UploadHoto\\");
string filename_ = filenamewithoutrext;
if (!Directory.Exists(path)) // CHECK IF THE FOLDER EXISTS. IF NOT, CREATE A NEW FOLDER.
{
Directory.CreateDirectory(path);
}
else
{
foreach (string files in Directory.GetFiles(path))
{
File.Delete(files);
}
}
string fhotoName;
fhotoName = path + filename_ + extension;
fluHotoUpload.SaveAs(fhotoName);
HttpContext.Current.Session["ExcelFilePath"] = fhotoName;
System.Data.DataTable dtExcelRows = new System.Data.DataTable();
switch (extension)
{
case ".xls": //Excel 97-03
//conStr = System.Configuration.ConfigurationManager.ConnectionStrings["Excel03ConString"].ConnectionString;
conStr = System.Configuration.ConfigurationManager.ConnectionStrings["Excel07ConString"].ConnectionString;
break;
case ".xlsx": //Excel 07
conStr = System.Configuration.ConfigurationManager.ConnectionStrings["Excel07ConString"].ConnectionString;
break;
}
conStr = String.Format(conStr, fhotoName, "YES");
System.Data.OleDb.OleDbConnection connExcel = new System.Data.OleDb.OleDbConnection(conStr);
System.Data.OleDb.OleDbCommand cmdExcel = new System.Data.OleDb.OleDbCommand();
System.Data.OleDb.OleDbDataAdapter oda = new System.Data.OleDb.OleDbDataAdapter();
cmdExcel.Connection = connExcel;
connExcel.Open();
System.Data.DataTable dtExcelSchema = connExcel.GetOleDbSchemaTable(System.Data.OleDb.OleDbSchemaGuid.Tables, null);
System.Data.DataTable dtExcelColumnsTable = connExcel.GetSchema("Columns");
string SheetName = dtExcelSchema.Rows[0]["TABLE_NAME"].ToString().Replace('\'', ' ').Trim(); //nadeem
cmdExcel.CommandText = "SELECT * From [" + SheetName + "]";
oda.SelectCommand = cmdExcel;
oda.Fill(dtExcelRows);
dtExcelRows = dtExcelRows.Rows.Cast<DataRow>().Where(row => !row.ItemArray.All(field => field is DBNull ||
string.IsNullOrWhiteSpace(field as string))).CopyToDataTable();
dtExcelRows.AcceptChanges();
connExcel.Close();
string strInvalidSapID = "";
string strInvalidState = "";
if (!dtExcelRows.Columns.Contains("UPDATED_STATUS") && !dtExcelRows.Columns.Contains("IP_NONIP_SITE")) //Added on 9/4/2014
dtExcelRows.Columns.Add("UPDATED_STATUS", typeof(string));
dtExcelRows.Columns.Add("IP_NONIP_SITE", typeof(string));
dtExcelRows.Columns.Add("R4GSTATE_CODE", typeof(string));
dtExcelRows.Columns.Add("CR CATEGORY", typeof(string));
dtExcelRows.Columns.Add("Current Latitude", typeof(string));
dtExcelRows.Columns.Add("Current Longitude", typeof(string));
//string[] arrayRFADDPANINDIA = new string[] { "Sr No", "Site Type", "Current SAPID", "Is Replacement (Y/N)", "Latitude", "Longitude", "Replacement SAP ID", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
//string[] arraySiteAddition = new string[] { "Sr No", "Site Type", "Current SAPID", "Is Replacement (Y/N)", "Latitude", "Longitude", "Replacement SAP ID", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude" };
//string[] arraySiteDeletion = new string[] { "Sr No", "Site Type", "CR Category", "Current SAPID", "Reference SAP ID", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
// string[] arrayRFDELPANINDIA = new string[] { "Sr No", "Site Type", "CR Category", "Current SAPID", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
bool Structure_FLG = false;
if (ddlChangeType.SelectedValue == ConfigurationManager.AppSettings["RFSiteDelPanIndia"].ToString())
{
dtExcelRows.Columns.Add("PRIORITY_SITE", typeof(string));
dtExcelRows.Columns.Add("USAGE_TYPE", typeof(string));
dtExcelRows.Columns.Add("CONFIGMASTER_ID", typeof(string));
dtExcelRows.Columns.Add("STATUS", typeof(string));
dtExcelRows.Columns.Add("BUSINESS_RANKING", typeof(string));
dtExcelRows.Columns.Add("COMPANY_CODE", typeof(string));
//string[] arrayRFDELPANINDIA = new string[] { "Sr No", "Site Type", "CR Category", "Current SAPID", "Reference SAP ID", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
string[] arrayRFDELPANINDIA = new string[] { "Sr No", "Site Type", "CR Category", "Current SAPID", "Reference SAP ID", "SCOPE_CATEGORY", "BACKHAULMEDIA", "PHASE", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
for (int l = 0; l < dtExcelRows.Columns.Count; l++)
{
if (dtExcelRows.Columns[l].ColumnName != arrayRFDELPANINDIA[l])
{
Structure_FLG = false;
string strMessage = "Please upload file as per format downloaded";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
break;
}
else
{
Structure_FLG = true;
continue;
}
}
if (Structure_FLG == true)
{
ValidCRFileUpload(dtExcelRows);
}
else
{
string strMessage = "Please upload valid excel";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
}
}
else if (ddlChangeType.SelectedValue == ConfigurationManager.AppSettings["RFSiteAddPanIndia"].ToString())
{
dtExcelRows.Columns.Add("PRIORITY_SITE", typeof(string));
dtExcelRows.Columns.Add("USAGE_TYPE", typeof(string));
dtExcelRows.Columns.Add("CONFIGMASTER_ID", typeof(string));
dtExcelRows.Columns.Add("STATUS", typeof(string));
dtExcelRows.Columns.Add("BUSINESS_RANKING", typeof(string));
dtExcelRows.Columns.Add("COMPANY_CODE", typeof(string));
string[] arrayRFADDPANINDIA = new string[] { "Sr No", "Site Type", "Current SAPID", "LATITUDE", "LONGITUDE", "Is Replacement (Y/N)", "SCOPE_CATEGORY", "BACKHAULMEDIA", "PHASE", "Replacement SAP ID", "SITE_TYPE", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
dtExcelRows.Columns["Site Category(Coverage/Capacity)"].ColumnName = "Site Type";
for (int m = 0; m < dtExcelRows.Columns.Count; m++)
{
if (dtExcelRows.Columns[m].ColumnName != arrayRFADDPANINDIA[m])
{
Structure_FLG = false;
string strMessage = "Please upload file as per format downloaded";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
break;
}
else
{
Structure_FLG = true;
continue;
}
}
if (Structure_FLG == true)
{
//ValidCRFileUpload(dtExcelRows);
ValidCRFileUploadSiteAddition(dtExcelRows);
}
else
{
string strMessage = "Please upload valid excel";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
}
}
else if (ddlChangeType.SelectedValue == ConfigurationManager.AppSettings["RFSiteAddition"].ToString())
{
dtExcelRows.Columns.Add("PRIORITY_SITE", typeof(string));
dtExcelRows.Columns.Add("USAGE_TYPE", typeof(string));
dtExcelRows.Columns.Add("CONFIGMASTER_ID", typeof(string));
dtExcelRows.Columns.Add("STATUS", typeof(string));
dtExcelRows.Columns.Add("BUSINESS_RANKING", typeof(string));
dtExcelRows.Columns.Add("COMPANY_CODE", typeof(string));
string[] arraySiteAddition = new string[] { "Sr No", "Site Type", "Current SAPID", "LATITUDE", "LONGITUDE", "Is Replacement (Y/N)", "SCOPE_CATEGORY", "BACKHAULMEDIA", "PHASE", "Replacement SAP ID", "SITE_TYPE", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
dtExcelRows.Columns["Site Category(Coverage/Capacity)"].ColumnName = "Site Type";
for (int p = 0; p < dtExcelRows.Columns.Count; p++)
{
if (dtExcelRows.Columns[p].ColumnName != arraySiteAddition[p])
{
Structure_FLG = false;
string strMessage = "Please upload file as per format downloaded";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
break;
}
else
{
Structure_FLG = true;
continue;
}
}
if (Structure_FLG == true)
{
ValidCRFileUploadSiteAddition(dtExcelRows);
}
else
{
string strMessage = "Please upload valid excel";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
}
}
else if (ddlChangeType.SelectedValue == ConfigurationManager.AppSettings["RFSiteDeletion"].ToString())
{
dtExcelRows.Columns.Add("PRIORITY_SITE", typeof(string));
dtExcelRows.Columns.Add("USAGE_TYPE", typeof(string));
dtExcelRows.Columns.Add("CONFIGMASTER_ID", typeof(string));
dtExcelRows.Columns.Add("STATUS", typeof(string));
dtExcelRows.Columns.Add("BUSINESS_RANKING", typeof(string));
dtExcelRows.Columns.Add("COMPANY_CODE", typeof(string));
//string[] arraySiteDeletion = new string[] { "Sr No", "Site Type", "CR Category", "Current SAPID", "Reference SAP ID", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
string[] arraySiteDeletion = new string[] { "Sr No", "Site Type", "CR Category", "Current SAPID", "Reference SAP ID", "SCOPE_CATEGORY", "BACKHAULMEDIA", "PHASE", "CR Justifications", "Remarks", "UPDATED_STATUS", "IP_NONIP_SITE", "R4GSTATE_CODE", "CR CATEGORY", "Current Latitude", "Current Longitude", "PRIORITY_SITE", "USAGE_TYPE", "CONFIGMASTER_ID", "STATUS", "BUSINESS_RANKING", "COMPANY_CODE" };
for (int q = 0; q < dtExcelRows.Columns.Count; q++)
{
if (dtExcelRows.Columns[q].ColumnName != arraySiteDeletion[q])
{
Structure_FLG = false;
string strMessage = "Please upload file as per format downloaded";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
break;
}
else
{
Structure_FLG = true;
continue;
}
}
if (Structure_FLG == true)
{
ValidCRFileUpload(dtExcelRows);
}
else
{
string strMessage = "Please upload valid excel";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
}
}
}
}
else
{
string strMessage = "Invalid Excel file. Please upload proper excel file!!!";
ScriptManager.RegisterStartupScript(Page, Page.GetType(), "Alert", "alert('" + strMessage + "');", true);
}
}
Below is my web.config change.
<authentication mode="Windows"/>
<authorization>
<deny users="?" />
</authorization>