Thread: File Uploads

  1. #1
    SitePoint Evangelist
    Join Date
    Feb 2000
    Location
    England
    Posts
    568
    I want to allow file uploads to a project I am doing (my help desk) and am not sure if I should:

    i) store them in the database
    ii) store them in a web directory.

    This discussion has been done to death at vbulletin about the way attachments are stored in vb but I think the issue in my case is different.

    An attachment will probably only be downloaded once, like sending it via email. It is important that the attachment is only available to the people who have permission to download it. So I thought of:

    i) store in an attachment table (like vb) and then only let the user download it using a userid link. Fine.

    ii) store in a web directory (with index.html file of course!) and then store the url of the file inside the database so only the correct person can get it. Perhaps add a randomid to the end of the filename so people can't guess filenames.

    What do you recommend? Also, are there security risks in allowing people to upload files to the webserver easily? Is there better protection on file size for the database, i.e. what happens in both situations if someone tried to upload a 5GB file for example? Anything else I need to be aware of?

    Thanks.

  2. #2
    SitePoint Zealot moshe_be
    Join Date
    Dec 2000
    Posts
    169
    I have never tried putting files in a DB, but I found uploading files to a folder works just fine.

    In order to allow only the right people to download it, protect the folder with .htaccess and allow the file to be downloaded only through a PHP script that reads the file and sends it to the user.

    Also, there is usually a 2MB upload limit (default); above that, users get an error message.

  3. #3
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    I also haven't stored files in a database. I stored the files in offline directories (not accessible via the web), and used a script to not only verify the user's identity, but also to read the file contents and spit it out to the user's browser (with the proper header of course).

    Works well if the file size is within reasonable limits.

  4. #4
    SitePoint Evangelist
    Join Date
    Feb 2000
    Location
    England
    Posts
    568
    I quite like the 2nd idea. I can't use .htaccess, mainly because there will be lots and lots of users and different file permissions; .htaccess is too simple for it.

    Storing offline is a nice idea and then parsing across. Still think storing in database might be easier, need to find more about effects on database it will have.

  5. #5
    SitePoint Zealot moshe_be
    Join Date
    Dec 2000
    Posts
    169
    The .htaccess is to block everyone's access to the folder with the files, not to use it for password protection. As arpith said, the files are read and sent to the user by a script.

  6. #6
    SitePoint Evangelist
    Join Date
    Feb 2000
    Location
    England
    Posts
    568
    Oh I see, using .htaccess in the same way as storing the files above the web root. I see. Cheers.
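
The approach from posts #2, #3 and #5 (files kept where the web server will not serve them, handed out by a script that checks the user first), as an added PHP example that is not code from any poster in this thread. The storage path, the record fields (`owner_id`, `stored_name`, `original_name`), the `user_id` session key and the sample record are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical location outside the document root (or a folder denied via .htaccess).
const STORAGE_DIR = '/var/app/attachments';

/**
 * Send one attachment to its owner only. Returns the HTTP status that was set.
 * $row is the attachment record found for the requested id, or null if none.
 */
function send_attachment(?array $row, ?int $sessionUserId, string $storageDir): int
{
    if ($sessionUserId === null) {              // not logged in
        http_response_code(401);
        return 401;
    }
    // Same answer for "no such id" and "not your file", so ids cannot be probed.
    if ($row === null || $row['owner_id'] !== $sessionUserId) {
        http_response_code(404);
        return 404;
    }
    // The path is built from the server-generated name only; basename() drops
    // any directory component, so nothing from the request reaches the path.
    $path = $storageDir . '/' . basename($row['stored_name']);
    if (!is_file($path)) {
        http_response_code(404);
        return 404;
    }
    // The original name came from the uploader: reduce it to a safe character
    // set before it goes into a response header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: application/octet-stream');   // never guess a type
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return 200;
}

// Constructed sample record standing in for a row of the attachment table.
$attachments = [
    '17' => ['owner_id' => 42, 'stored_name' => '9f2c4e7a1b.bin',
             'original_name' => 'error log.txt'],
];

session_start();
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$id     = (string) ($_GET['id'] ?? '');
send_attachment($attachments[$id] ?? null, $userId, STORAGE_DIR);
```

Because `readfile()` streams the file through PHP, the size caveat from post #3 still applies; the upload side is bounded separately by PHP's `upload_max_filesize` and `post_max_size` settings.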
