dcolumbus

Reputation: 9722

Web Application, most secure place for an uploads folder for users

General structure of my application:

[includes] - not accessible by the web
.. important database classes, etc
[public]
.. all files that the application publicly uses

I'm trying to make a decision about where I should store the [uploads] folder. This is the where all users will be storing their media (images, etc)

[uploads]
   [user123]
      mypic.jpg
      mysecondpic.jpg
   [user456]
      picpic.jpg
      yeah.jpg

Currently, I have this folder within the [public] folder, but for some reason I'm not convinced that this is the right place ...

The [includes] folder will not be accessible by the public, only PHP will be able to navigate there.

What are your thoughts on this for best practice sake?

Upvotes: 3

Views: 234

Answers (3)

Pekka

Reputation: 449475

I suppose only that user. I mean, without bringing "sharing" media into the conversation ... which is a possibility down the road.

In that case, the usual setup is

  • Place the files outside the web root (i.e. outside the public folder - where exactly is up to you, really)

  • Build a PHP script that checks user permissions and passes through the requested file if everything checks out. That PHP script will then be called for every resource like so:

    domain.com/resource.php?user=user123&file=mypic.jpg

    (or use pretty URL rewriting)

Bear in mind, however, that this requires an expensive PHP process to be started for every resource requested. Be sure to use very clever caching to minimize requests.

There are Apache and nginx modules that make this process more efficient named X-Sendfile. That may be worth a look down the road.

Upvotes: 0

Tomasz Kowalczyk

Reputation: 10467

It depends on what you are trying to achieve. If you are uploading, for example, photos for user articles, place them in a publicly visible folder such as /public/images (those images are visible either way). If, on the other hand, you are making an application that will (for example) profit from uploaded files, it's better to place them one level higher, such as /uploads, so that they won't be publicly accessible, but you can create code that will enable downloads.

Upvotes: 0
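Both Pekka's and Tomasz's answers come down to the same thing: keep the upload tree outside the web root and let one PHP script decide who gets which file. The script below is an added example of such a pass-through script, not code from either answer. It assumes the layout from the question (uploads/ as a sibling of public/ and includes/), that the logged-in user's id is stored in $_SESSION['user_id'], that a user may only read their own folder, and that only image files should ever be served; resource.php, UPLOAD_ROOT and USE_XSENDFILE are names chosen for this example.

```php
<?php
// public/resource.php - added example, not from the original answers.
// Called as: /resource.php?user=user123&file=mypic.jpg
// Assumptions: uploads live in ../uploads (outside the web root), the
// current user's id is in $_SESSION['user_id'], no sharing between users.
declare(strict_types=1);

session_start();

// Absolute path of the uploads tree; assumed to sit next to public/.
const UPLOAD_ROOT = __DIR__ . '/../uploads';
// Set to true only when mod_xsendfile (Apache) is installed and enabled.
const USE_XSENDFILE = false;
// Only these types are served; anything else (SVG, HTML, ...) could run
// script in the application's own origin if displayed inline.
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

$user = (string)($_GET['user'] ?? '');
$file = (string)($_GET['file'] ?? '');

// Allow only plain identifiers and file names: no slashes, no "..",
// so the request cannot point outside UPLOAD_ROOT.
if (!preg_match('/^[A-Za-z0-9_-]+$/', $user)
    || !preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $file)) {
    deny(400);
}

// Authorization: the folder name must match the logged-in user.
if (!isset($_SESSION['user_id']) || (string)$_SESSION['user_id'] !== $user) {
    deny(403);
}

// Resolve symlinks and re-check containment before touching the file.
$root = realpath(UPLOAD_ROOT);
$path = realpath(UPLOAD_ROOT . '/' . $user . '/' . $file);
if ($root === false || $path === false || !is_file($path)
    || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
    deny(404);
}

// Decide the content type from the bytes, not from the extension the
// uploader chose.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ALLOWED_MIME, true)) {
    deny(404);
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . (string)filesize($path));
header('Content-Disposition: inline; filename="' . $file . '"');
header('X-Content-Type-Options: nosniff');
// Private cache: the browser may reuse it, shared proxies may not.
header('Cache-Control: private, max-age=3600');

if (USE_XSENDFILE) {
    // Hand the file to the web server; PHP exits without streaming it.
    // (nginx uses X-Accel-Redirect with an internal location instead.)
    header('X-Sendfile: ' . $path);
    exit;
}

readfile($path);
```

The two containment checks are deliberate: the regex rejects traversal in the request, and realpath() catches a symlink inside uploads/ that points elsewhere. The MIME allowlist is the caveat that usually gets forgotten with user media: a file that is really HTML or SVG, served inline from your domain, runs with your application's cookies.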

Ignacio Vazquez-Abrams

Reputation: 798686

In a sibling directory. That is, a directory at the same level as includes/ and public/.

Upvotes: 2
