Posted by Umberto Salsi on 10/15/07 17:53

Michael Fesser <netizen@gmx.de> wrote:

> There are two possible solutions:
>
> 1) Use a whitelist approach,
[...]
>
> The better way:
>
> 2) Don't let users download the files directly. Store them outside the
> document root [...]

3) Store all the meta-data in the DB (full file name, MIME type, upload date,
user name, description, expiry date, access rights, ...), mark this record
with a primary key PK (a number) and then use this number as file name where
the file gets saved, possibly outside the document root of the WEB server.

Remarks: always save the MIME type as provided by the client, never rely on
the "extension", there are much more MIME types than available three-letters
readable codes. Moreover, correctly handling MIME types automatically
makes your application suitable to handle any type of content, past,
present and future.

Best regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it

• Next in forum: Coding style and search engine spiders
• Prev in forum: Re: RDF parsing with php ( simplexml ? )
• Thread view: Re: OT: security

[Reply to this message]