Contributing author Kent Empie combines a VB CGI program with HTTP File Upload to securely transfer files.
[Editor's Note: VB Solutions is about using Visual Basic (VB) to build a
variety of solutions to specific business problems. This column doesn't teach
you how to write VB, but how to use VB as a tool to provide quick,
easy-to-implement solutions that you can use right away.]
Many organizations need the capability to upload files from a browser to a
Web server. Although adding an FTP server can solve this problem, an FTP server
introduces extra security risks and administrative tasks. Opening up an FTP port
to the world increases your risk of unauthorized access from hackers because FTP
doesn't encrypt the user ID, password, or content of the file. In addition, the
FTP server and the Web server use two separate databases, which complicates
administration. This article, contributed by Kent Empie, presents an alternative
to FTP that solves the problem of secure file uploads using your existing NT Web
server and a Visual Basic (VB) implementation of the Common Gateway Interface
(CGI). Using a VB CGI program in combination with HTTP File Upload, you can
securely transfer files from a Web browser to your Web server.
An Overview of HTTP File Upload
Netscape first implemented HTTP File Upload in Navigator 2.0 in early 1996.
Since then, Microsoft has implemented it in Internet Explorer (IE) 3.02a and IE
4.0. HTTP File Upload lets the browser accept a filename in a text input field.
Screen 1 shows a typical HTTP File Upload form that an application
might present to a user.
To the right of the File Name input field, a Browse option lets the user
find a file via a standard File, Open dialog box. For security reasons (e.g.,
Web sites uploading files from machines without the user knowing it), the File
Name field cannot be hidden, nor can it contain a default filename. Once the
user clicks Upload File to submit the form, the contents of the file transfer to
the Web server.
Typically, an application that uses HTTP File Upload next displays a screen
that notifies the user whether the file transfer was successful. Screen 2 shows an example user notification screen for a successful upload. In this
example, the application notifies the user, displays the file name and size, and
prompts the user with a screen that captures information so that a search engine
can index the file. This example is just one type of application that you can
build with the HTTP File Upload capability.
Now that you've seen how HTTP File Upload looks to the end user, let's take
a look at the underlying components that make up the upload process. Screen 1 presents an overview of the HTTP File Upload process.
To begin the upload, the user first browses to a Web page on the Internet or
a corporate intranet. (If you use HTTP File Upload over the Internet, you need
to perform user authentication at this point.) As you saw in the example in
Screen 1, the Web page includes a form to select a file on the user's local
machine. The user enters a filename or browses to select a file from a local
directory. Next, the user clicks the form's submit button (Upload File in Screen
1), which sends the contents of the form to the Web server. After the user
clicks the submit button, the browser begins reading the selected file. The
browser encodes the upload file as a multipart file type; that is, the browser
encodes the file with special boundaries in much the same way as mail programs
encode MIME files sent as attachments in mail messages. Once the Web server
receives the posted data, the Web server calls a custom CGI program (e.g., a VB
CGI program) that decodes the file and saves it to disk. The Web server invokes
the appropriate CGI program based on the name that's part of the form's POST
syntax. (For more information about the HTTP File Upload specifications, see the
sidebar, "Background on HTTP File Upload.")
Visual Basic Using True CGI
If you're new to the Web arena, you might not be very familiar with CGI. CGI
is a standard that programs use to communicate with a Web server on the server
side. A program that incorporates the CGI standard communicates with a Web
server in the following ways: It reads parameters at the command line, reads
from Standard In, writes to Standard Out, and reads information passed through
environment variables. CGI is not language specific. You can implement CGI in
any language that can communicate in the ways mentioned above.
To clarify one issue, the code in this article uses true CGI. Almost every
CGI book I've examined incorrectly states that VB is not capable of executing
true CGI programs. Before Microsoft released 32-bit VB 4.0, 16-bit VB 3.0
programmers had to use Win-CGI programming techniques to circumvent VB 3.0's
inability to read from Standard In and write to Standard Out. With the Win-CGI
workaround, programmers passed variables between the Win-CGI program and the Web
server using INI files. Although this method was a less efficient way to
communicate with the Web server than using true CGI, for 16-bit VB programmers
it was a life saver. However, all that changed with 32-bit VB 4.0, which can
read from Standard In and write to Standard Out by calling two Win32 API
functions: ReadFile and WriteFile.
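The decoding step from the overview, fed by the CGI inputs described in this section, is sketched below in Python rather than VB. This is an added example, not the article's upload_cgi code. The names read_cgi_upload, parse_upload, safe_name and MAX_UPLOAD, the size limit, and the sample request are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

MAX_UPLOAD = 1_000_000  # assumed size limit for this example

def safe_name(client_name):
    """Reduce the client-supplied filename to a conservative bare name."""
    # PureWindowsPath splits on "\\" and "/", so paths and ".." collapse.
    base = PureWindowsPath(client_name).name
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    if not base:
        raise ValueError("unusable filename")
    return base

def parse_upload(content_type, body):
    """Return (field name, safe filename, file bytes) for the first file part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not content_type.lower().startswith("multipart/form-data") or not m:
        raise ValueError("not multipart/form-data")
    delim = b"\r\n--" + m.group(1).encode("ascii")
    # Prepend CRLF so the first delimiter line matches like every later one.
    for part in (b"\r\n" + body).split(delim)[1:]:
        if part.startswith(b"--"):  # closing delimiter: "--boundary--"
            break
        head, sep, data = part.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part")
        head = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', head)
        fname = re.search(r'\bfilename="([^"]*)"', head)
        if name and fname:
            return name.group(1), safe_name(fname.group(1)), data
    raise ValueError("no file part")

def read_cgi_upload(environ, stdin):
    """CGI inputs: request metadata in environment variables, body on stdin."""
    length = int(environ.get("CONTENT_LENGTH", "0"))
    if not 0 < length <= MAX_UPLOAD:
        raise ValueError("missing or oversized Content-Length")
    return parse_upload(environ.get("CONTENT_TYPE", ""), stdin.read(length))

# Constructed sample request; boundary, field name and path are made up.
SAMPLE_BODY = (b"--BOUND42\r\n"
    b'Content-Disposition: form-data; name="upfile"; '
    b'filename="C:\\docs\\..\\report.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"line one\r\nline two\r\n" b"\r\n--BOUND42--\r\n")
SAMPLE_ENV = {"CONTENT_TYPE": "multipart/form-data; boundary=BOUND42",
              "CONTENT_LENGTH": str(len(SAMPLE_BODY))}
```

The filename in the part header is client-controlled, so only the sanitized name should ever be joined to the server's upload directory.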
Inside the Upload_CGI Program
Now that you've seen an overview of the HTTP File Upload process, let's look
at how you can create the VB CGI program that receives the uploaded file. To
read environment variables as well as to read from Standard In and write to
Standard Out, the upload_cgi application uses several functions that the Win32
API supplies. Because the Win32 API functions are in an external DLL, you must
declare them before you can use them in VB. Listing 1 shows the declarations for
the Win32 API functions that upload_cgi uses.