问题
I'm developing a Web application where users can upload files.
Suppose to have different file categories, e.g. audio and docs. I guess I can put all the files that belongs from a category in a unique folder, e.g.:
audio_dir
-file_from_user1.mp3
-another_file_from_user1.mp3
-file_from_user2.mp3
-file_from_user4.mp3
docs_dir
-file_from_user1.doc
-file_from_user5.pdf
The other solution I'm evaluating uses a third level, where files are grouped by users.
audio_dir
user1_dir
-file_from_user1.mp3
user2_dir
-file_from_user2.mp3
user4_dir
-file_from_user4.mp3
docs_dir
user1_dir
-file_from_user1.doc
user5_dir
-file_from_user5.pdf
Which solution is the best? Please, notice that I'm interested in server security vulnerabilities and scalability.
回答1:
In terms of security you should store the files outside of the web root. This effectively avoids someone from uploading a *.php or a *.pl or a *.py or .htaccess or any other executeablible script that maybe executed based on the HTTPD's configurations. I would also pass the file name though basename() before writing the file to prevent directory traversal attacks.
Then you can have a PHP script serve the file. You can also add user access control and file ownership by mapping the files to metadata stored in a SQL database.
来源:https://stackoverflow.com/questions/12178171/user-files-organization-in-a-web-server