Reputation: 31919
I store uploaded files in the web directory:
```php
<?php
// src/Acme/CocoBundle/Entity/CocoFromTheNorth.php
namespace Acme\CocoBundle\Entity;

use Doctrine\ORM\Mapping as ORM;

/** @ORM\Entity */
class CocoFromTheNorth
{
    /**
     * @ORM\Column(type="string", length=255, nullable=true)
     */
    public $path;

    protected function getUploadRootDir()
    {
        return __DIR__.'/../../../../web/'.$this->getUploadDir();
    }

    protected function getUploadDir()
    {
        return 'uploads/documents';
    }
}
```
Is this a good practice? Wouldn't it be better to keep uploaded files outside the web directory so that they cannot be directly accessed by the users?
Am I right to think that the best way would be to store uploaded files outside of the web root? Where would be the best place for them, then? Or how could I configure the web server to deny access to the uploads directory?
Upvotes: 7
Views: 3404
Reputation: 173572
It's preferred to keep uploaded files outside of the web directory and use X-SendFile to serve those files after you have established the access permissions using PHP.
I've outlined something similar here: How to securely store files on a server
And here: Caching HTTP responses when they are dynamically created by PHP
Upvotes: 9
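The approach the answer describes, as an added example that is not code from the question or the answer: a PHP download endpoint that checks access, canonicalises the requested path so it cannot leave the upload directory, and then hands the transfer to the web server with X-Sendfile. Assumed layout: the script lives in web/, uploads live in var/uploads/documents (outside the web root), mod_xsendfile (or nginx's X-Accel-Redirect) is enabled, and the access check and document ids are hypothetical stand-ins for the application's own.

```php
<?php
// Added example (not from the question or the answer): serve a file stored
// outside the web root via X-Sendfile after an access check in PHP.
// Assumed layout: this script is in web/, uploads are in var/uploads/documents.

declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/../var/uploads/documents';

/** Hypothetical access rule: replace with the application's own check. */
function userMayDownload(array $user, string $documentId): bool
{
    return in_array($documentId, $user['documents'] ?? [], true);
}

/**
 * Resolve a client-supplied id to a real path and reject anything that
 * escapes UPLOAD_ROOT (e.g. "../" or symlinks), returning null on any doubt.
 */
function resolveUploadPath(string $documentId): ?string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $documentId)) {
        return null;
    }
    $root = realpath(UPLOAD_ROOT);
    $path = realpath(UPLOAD_ROOT . '/' . $documentId);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // Compare canonical paths so the resolved file must sit under the root.
    return str_starts_with($path, $root . DIRECTORY_SEPARATOR) ? $path : null;
}

$documentId = (string) ($_GET['id'] ?? '');
$user = ['documents' => ['report-2013.pdf']]; // constructed stand-in for the session user

if (!userMayDownload($user, $documentId) || ($path = resolveUploadPath($documentId)) === null) {
    http_response_code(404); // same response for "forbidden" and "missing"
    exit;
}

// Hand the transfer to the web server; PHP never reads the file contents itself.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Sendfile: ' . $path);           // Apache mod_xsendfile
// nginx equivalent: header('X-Accel-Redirect: /protected/' . basename($path));
```

Because the upload directory is not under web/, a request for the file's URL without going through this script gets nothing from the web server at all.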