asp.net - Where is better to store uploaded files in DB as BLOB or in folder with restrictions? -


i'm working fileupload in project. , project high visited (it's not ambitions, because web application work payment system, that's why under high-load). , wonder, what's better storing user's files? project based on asp.net.

i suggest 2 variants:

  • save as/load blob object into/from database
  • save/load to/from folder files locate , save info files in table owner recognizing, table design in bnf:

<user_files> ::= ( <id ::= int, primary_key, auto_increment, indexed><user_id ::= int><file_guid ::= varchar(255)>) | nil

i prefer blob , afraid of future high-load. because, fetching data database requires more cpu-time , memory allocations, because:

  • i need use connector, open new socket connect db localhost
  • then must call stored-procedure getting blob object
  • at client-side, must result classes connector
  • i must deserialize it
  • and send file user in uncompressed , not corrupted state, user can later open in editor (files images , ms-office documents)

as thought these operations may decrease server work , require more time, think slow 2000 users online, exchange documents quickly

as storing files on filesystem, see problem in:

  • securing correctly access of files, because different users must not see others docs , must hidden other users. i'm afraid, because folder users uploading files seen system user of windows iis (iisuser...), because otherwise users won't able upload anything, folder public. see solution make windows service , use iis folder uploads temporary. windows service files , place secure folder, users web unable see it.

but, maybe, i'm going wrong ideas, that's why i'm asking piece of advice, because want make system more perfectly.

thank you!

securing correctly access of files

if run situation violation owasp security guidelines, since files insecure direct object references. means users can access files directly, because opened complete sub folder on iis (like www.mysite.com/files/some_file.pdf) , files have name.

what should instead is:

  1. register file in database unique; not data, name , user uploaded (optionally including rights or roles).
  2. store file on disk file name database identifier.
  3. don't allow direct access write special httphandler takes in id of document (just when storing files inside database).

when taking approach, achieve following:

  1. files have unique number, prevents them having naming conflicts on disk.
  2. the httphandler can check database of user downloads file has proper rights so.
  3. because ids used, not vulnerable canonical representation attacks, attacker request this: www.mysite.com/file.ashx?file=..\web.config.

so security perspective, there no problem in storing files on disk instead of database.


Comments

Post a Comment

Popular posts from this blog

linux - Does gcc have any options to add version info in ELF binary file? -

i mean whether gcc can insert source code version infor elf binary section or similar. not want change source file, add info gcc option in makefile. you can emit version info text file, turn text file object file statically link executable. the first step simple have write code: script or write version info in format plain text file. write makefile rule produce version.o version.txt, using objcopy . you'll have object file 2 useful symbols defined in it: beginning , end of textual version info. add generated object executable, , you'll able access version 2 ways: running strings on binary, or writing code in application print version string (you'll need declare start , end symbols variables in header file).
Read more

android - send complex objects as post php java -

is possible send contact numbers via post php class inside eclipse ? or post limited primitive types , have find work arounds send them string ? i propose: send them json in post request, befor start, have @ gson project , keep in mind set content application -> json. luck
Read more

charts - What graph/dashboard product is facebook using in Dashboard: PUE & WUE -

i love facebook dashboard: pue & wue. beautifull can point out if there open source or commercial product offer similar style? here link https://www.facebook.com/forestcitydatacenter?sk=app_288655784601722&app_data so read through 29,888 lines of javascript ya.. biggest js file i've ever seen. looks make graph using variety of tools, including tween.js . it'd fascinating chat whoever made it. code wheel graph object starts @ line 27,266 text var graphcomponent = class.extend({ . can find source @ https://www.fbpuewue.com/assets/application-3a3af20f7fa3591229c79442ae3d1c26.js . sorry if dissapoints it's not awesome plugin can use :/ share pain. let me know if have questions :)
Read more