I want to allow file uploads to a project I am doing (my help desk) and am not sure if I should:
i) store them in the database
ii) store them in a web directory.
This discussion has been done to death at vBulletin about the way attachments are stored in vb, but I think the issue in my case is different.
An attachment will probably only be downloaded once, like sending it via email. It is important that the attachment is only available to the people who have permission to download it. So I thought of:
i) store in an attachment table (like vb) and then only let the user download it using a userid link. Fine.
ii) store in a web directory (with index.html file of course!) and then store the url of the file inside the database so only the correct person can get it. Perhaps add a randomid to the end of the filename so people can't guess filenames.
What do you recommend? Also, are there security risks in allowing people to upload files to the webserver easily? Is there better protection on file size for the database, i.e. what happens in both situations if someone tried to upload a 5GB file, for example? Anything else I need to be aware of?
I also haven't stored files in a database. I stored the files in offline directories (not accessible via the web), and used a script to not only verify the user's identity, but also to read the file contents and spit it out to the user's browser (with the proper header of course).
Works well if the file size is within reasonable limits.
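
An added example, not code from either poster: a sketch of the approach in the reply above (files kept outside the web root, a script that checks the user and streams the bytes with download headers), with a size cap enforced while the upload is being written. The storage directory, the 5 MB limit, the in-memory `ATTACHMENTS` table and all function names are assumptions made for illustration.

```python
import os
import secrets
import tempfile

# Assumptions for this sketch (none come from the thread):
STORE = tempfile.mkdtemp(prefix="attachments-")  # stands in for a directory outside the web root
MAX_BYTES = 5 * 1024 * 1024                      # constructed per-file upload limit
ATTACHMENTS = {}                                 # attachment id -> metadata; a database table in practice

class UploadTooLarge(Exception): pass
class Forbidden(Exception): pass

def save_upload(stream, original_name, allowed_user_ids, chunk=64 * 1024):
    """Copy the upload to disk in chunks, aborting as soon as the cap is exceeded."""
    att_id = secrets.token_hex(16)       # server-chosen name; the user's filename never becomes a path
    path = os.path.join(STORE, att_id)
    written = 0
    with open(path, "wb") as out:
        while block := stream.read(chunk):
            written += len(block)
            if written > MAX_BYTES:      # stop reading; never buffer the whole body first
                out.close()
                os.remove(path)          # leave no partial file behind
                raise UploadTooLarge(f"limit is {MAX_BYTES} bytes")
            out.write(block)
    ATTACHMENTS[att_id] = {"name": os.path.basename(original_name),
                           "size": written, "allowed": set(allowed_user_ids)}
    return att_id

def serve_download(att_id, user_id, chunk=64 * 1024):
    """Return (headers, body iterator) only if this user may read the attachment."""
    meta = ATTACHMENTS.get(att_id)       # unknown ids never reach the filesystem
    if meta is None or user_id not in meta["allowed"]:
        raise Forbidden("no such attachment for this user")
    # Keep only characters that are safe inside a quoted header value.
    safe = "".join(c for c in meta["name"]
                   if c.isascii() and (c.isalnum() or c in "._-")) or "attachment"
    headers = {
        "Content-Type": "application/octet-stream",  # never let the browser render it inline
        "Content-Disposition": f'attachment; filename="{safe}"',
        "Content-Length": str(meta["size"]),
        "X-Content-Type-Options": "nosniff",
    }
    def body():
        with open(os.path.join(STORE, att_id), "rb") as f:
            while block := f.read(chunk):
                yield block
    return headers, body()
```

The same answer is returned for a missing attachment and for one the user may not read, so the download script does not reveal which ids exist.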