FTP Upload Issues.

[Googie85]

Hi Guys!

I am trying to put a simple string into a file on an FTP Server. When I am in the IDE, the file upload works without any problems. When I try it on my Android device I cannot upload the file (the server log doesn't show any connection at all). This is what I am using to do the upload:

Code: Select all

   put "Upload" into URL "ftp://guest:guest@192.168.56.1/file.txt"

I have "Internet" selected in the Standalone App Settings. I have also tried different versions of Livecode Community. Also 4 different Android devices.

Any ideas on why this is not working for me?

Many Thanks,

Googie.

[AxWald]

Hi,

the cmd looks OK. Idea:

You're compiling for new android versions? There's the problem that "http://" doesn't work anymore. Maybe "ftp://" has a related problem?

Test: Can you "get" a "http://" URL?

Have fun!

[jacque]

I wonder if it also needs the TSNet inclusion. If it works in the IDE but not in a standalone, missing inclusions are often the reason.

[FourthWorld]

Does Android allow non-SSL connections?

And why FTP instead of HTTP?

[AxWald]

Hi,

Does Android allow non-SSL connections?

"Starting with Android 9 (API level 28), cleartext support is disabled by default. (Panos Merakos in the bug report)"

And why FTP instead of HTTP?

I know, you're a big fan of HTTP, but what's so bad about FTP/SFTP actually? So: Why bother with HTTP when there's FTP?

Have fun!

[FourthWorld]

Hi,

Does Android allow non-SSL connections?

"Starting with Android 9 (API level 28), cleartext support is disabled by default. (Panos Merakos in the bug report)"

Looks like ftps is needed.

And why FTP instead of HTTP?

I know, you're a big fan of HTTP, but what's so bad about FTP/SFTP actually? So: Why bother with HTTP when there's FTP?

Performance and security.

FTP is great for what it was designed for, ad hoc traversal of remote file stores.

But for anything more specific, it offers too much access with too few ways to limit it.

For posting a single file to a specific location, most of the world uses HTTP. Sometimes the world isn't wrong.

If it's limited to a LAN it probably doesn't matter, but in any hostile network is helpful to follow common practice. And the open Internet is the most hostile network.

[AxWald]

Hi,

FTP is great for what it was designed for, ad hoc traversal of remote file stores.

As in "I am trying to put a simple string into a file on an FTP Server"?

But for anything more specific, it offers too much access with too few ways to limit it.

Seems I'm doing it wrong. I'm using FTP/SFTP just when I don't want "too much access" and want to have very specific access control.

For posting a single file to a specific location, most of the world uses HTTP. Sometimes the world isn't wrong.

For their daily diet most of the worlds creatures use [things I wouldn't name here]. Sometimes the world is strange.
Sry, couldn't resist - but would I do what is regarded "best practice" these days & what is done by "all the world", I wouldn't write my software in LiveCode. So this is, for me, not a valid argument.

Have fun!

[FourthWorld]

Had I made an appeal to popularity alone, your dismissal on those grounds would have merit.

But it seems I wrote poorly, allowing the answer I provided to be overlooked: "Performance and security."

HTTP isn't faster or more secure for specific end-user access than FTP because it's popular.

It's popular because it's faster and more secure.

[AxWald]

OK, I see.

Tried to find some examples for http file transfer, but wasn't able to compile the suitable search terms.
Can you help me out, please?

Code: Select all

   --  myUser: Username for access
   --  myPass: Password for access
   --  myDir: Target directory, _access restricted_, may be FTP or HTTP
   --  myData: A suitable string to transmit
   
   --  === FTP version ===
   put myData into URL ("ftp://" & myUser & ":" & URLEncode(myPass) & "@" & myDir & "/aFile.txt")
   
   --  === equivalent HTTP version ===
   --  [insert code here, plz!]

Plz show how this is done using libURL only (so that a Standalone can be compiled that doesn't need external libs, and that it works in the community version, too).

I'm asking 'cause it may be helpful to have an alternative for the few cases of public networks where overzealous admins sometimes lock down anything but http/s, and where the situation doesn't require a VPN anyways. And yes, I'd like to test the performance in a real life use case ;-)

About security as I view it:
Here I'm quite conservative: As soon as transmitted data touch hard- or software that isn't completely within the control of the owning company they are to be regarded as compromised.

We all know that todays governments enforce access to any data they desire. So we know that valid attack vectors must exist. And since there cannot be a 100% incorruptible government agency we must assume that these attack vectors are known by god knows who.
Seen this way, there is not much difference between a simple FTP file transfer & a HTTPS file transfer. Only the effort required to read it is different.

As there's no real security in this IT world (in my view, as explained above), what's to do is to try to achieve "sufficient security":

If my program sends "the executionContexts" to a server in case of a program error, or if it fetches its hamburger menu entries from a server, this could be done by messenger pigeon or postcard, too. If these data would be published in tomorrows news broadcast no harm would be done. So "no security at all" is "sufficient", all that counts is reliabilty, stability & ease of use.

When my program fetches the complete list of customers, including address data & outstanding items, we're at the other extreme of "sufficient security" - these are vital data, not for unauthorized eyes. So they are encrypted by the database before leaving the source, and decrypted only by the target client. Since sufficient strong encryption must (!) be applied here already, further security measures during the transport don't add much security (as we already have end-to-end encryption).

So, "Security is a process, not a product."
It's a constant evaluation of what is "sufficient", against the cost to achieve it, incorporating all aspects related.

Yelling "HTTP is insecure & must die!" for instance (as done by Google etc. these days) helps exactly nothing in this context. It's just blowing smoke - and causing a lot of blind activism that suggests there's actually something done about security. In a world where the question "What can we do to protect the integrity of our data against the attacks of national intelligence, criminals & the ad industry?" should be so much more important!

In this context, some new famous last words:
"Look, now we're safe - our web site has https, and our infrastructure is secured by Kaseya VSA!"


Well, I know this a quite frumpish view of security. But it may explain why I have a hard time to see any security improvement by using HTTP instead of FTP for simple, not-sensitive file transfers.

Thx, and have fun!

[FourthWorld]

Your example uses ftp. You may need to use ftps to meet mobile OSes' SSL requirement.

[AxWald]

Hi,

I have a Android 10 test gadget here & while I cannot "get" a "HTTP://" URL, I can fetch/ put data to/ from "FTP://". I don't know how more recent Androids behave, and I don't know about the influence of the used Android API level (I usually compile for Android 5/ API 21). Thus I assumed here may be the culprit.

But this doesn't help here. I know my example uses FTP - the question was how to do the same via HTTP, or HTTPS if you insist. Is there a way at all to do it in the community version?

Have fun!

[kdjanz]

I've never done it myself BUT...

from other threads I think you need to use a POST command to the server. Perhaps try looking up that.

[AxWald]

Hi,

thank you! "POST" was the magic keyword - for some strange reason I didn't think of it when searching :/

So the answer to my question from above would be:

Code: Select all

   post myData to URL ("http://" & myUser & ":" & URLEncode(myPass) & "@" & myDir & "/aFile.txt")

So I can go playing with it, finally :)

Interesting, from the dictionary:

On iOS and Android, the post command is implemented in the engine. Therefore the Internet library is not needed to ensure the command works in a mobile standalone application.

Have fun!

[AxWald]

Hi, me again:

Seems my example above doesn't work. At first, using a FTP user & PW:

Code: Select all

put myData into URL ("ftp://aUser:aPassWord@domain.com/aFile.txt") => no problem, transmits
post myData to URL ("ftp://aUser:aPassWord@domain.com/aFile.txt") => timeout
post myData to URL ("http://aUser:aPassWord@domain.com/aFile.txt") => 404

Ouch. The FTP user already starts in a directory "ftp", she doesn't see any other part of the web site. So we must use the full path:

Code: Select all

post myData to URL ("http://aUser:aPassWord@domain.com/ftp/aFile.txt") => still 404

But: "http:// aUser:aPassWord@domain. com/ftp/testFile.txt" (w/o spaces) in a browser shows the "testFile.txt".

So I set up a directory with "htaccess/ htpasswd" protection.
First trying in a browser ("http:// domain .com/Test", w/o spaces): it asks for User/ Pass, then shows "index.htm".
And "http:// bUser:bPass@domain .com/Test/testFile.txt" (again w/o spaces) shows a "testFile.txt", flawlessly.
But:

Code: Select all

post myData to URL ("http://bUser:bPassWord@domain.com/Test/aFile.txt") => still 404

What is sent?

Code: Select all

=> POST /Test/aFile.txt HTTP/1.1
Host:domain.com
User-Agent: LiveCode (Win32)
Content-Length: 85
Content-Type:  application/x-www-form-urlencoded
Authorization: Basic 23c[...]B==

<= HTTP/1.1 404 Not Found

Something I got fundamentally wrong here. Do I have to set the HTTPHeaders?

Thx, and have fun!

[FourthWorld]

Is the file named testFile.txt or aFile.txt?