Newbie is looking for some advice.
I am now doing a project to write a mail system with an attachment function. My colleagues are using a method that saves the "content" of the attachment to the database. E.g., when it is a txt file with "Hello", then "Hello" will be saved to the DB.
Personally, I go for only saving the file path and file name to the DB, and FTPing the file to our server.
I would like to know which method is better. For method (1), when the file is a JPEG with a file size of 400 KB, all of the content will be saved to the DB. I worry about the rapid expansion of the DB size, and what I see in the DB is some meaningless code representing that JPEG. For method (2), I only save the path where the file is stored, as well as the file name. But from a security aspect, the file path will be disclosed to users when they click the link. Also, there is the risk of another user 'stealing' a file that does not belong to him.
Can anyone give me some advice? If I go with method (2), how can I improve the security?
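An added example, not part of the original post, showing one way to address the two risks raised for method (2): the download link carries only a random token, the on-disk name is random and kept out of the link, and every read checks ownership. The table layout, function names and the single-owner rule are assumptions made for illustration.

```python
import os
import secrets
import sqlite3
import tempfile

# Assumed layout: a storage directory outside the web root plus one metadata table.
STORE = tempfile.mkdtemp(prefix="attachments-")
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE attachment (token TEXT PRIMARY KEY, owner TEXT, "
           "display_name TEXT, stored_name TEXT)")


def save_attachment(owner, filename, data):
    """Store the bytes under a random name; return the opaque token used in links."""
    token = secrets.token_urlsafe(32)    # unguessable id, the only value users see
    stored_name = secrets.token_hex(16)  # on-disk name never derives from user input
    with open(os.path.join(STORE, stored_name), "wb") as fh:
        fh.write(data)
    # Keep only the base name for display, so "../" in an upload name is dropped.
    db.execute("INSERT INTO attachment VALUES (?, ?, ?, ?)",
               (token, owner, os.path.basename(filename), stored_name))
    return token


def read_attachment(user, token):
    """Return (display_name, bytes) only if `user` owns the attachment."""
    row = db.execute("SELECT owner, display_name, stored_name FROM attachment "
                     "WHERE token = ?", (token,)).fetchone()
    # Same error for "no such token" and "not yours", so tokens cannot be probed.
    if row is None or row[0] != user:
        raise PermissionError("attachment not available")
    with open(os.path.join(STORE, row[2]), "rb") as fh:
        return row[1], fh.read()


if __name__ == "__main__":
    # Constructed sample data.
    t = save_attachment("alice", "../../hello.txt", b"Hello")
    print(read_attachment("alice", t))
```

In a mail system the ownership test would extend to the message's sender and recipients; the application streams the bytes itself, so the storage path never reaches the browser.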