where is the best place to save images from users upload

leora picture leora · Dec 26, 2010 · Viewed 12.2k times · Source

I have a website that shows galleries. Users can upload their own content from the web (by entering a URL) or by uploading a picture from their computer.

I am storing the URL in the database which works fine for the first use case but I need to figure out where to store the actual images if a user does a upload from their computer.

Is there any recommendation here or best practice on where I should store these?

Should I save them in the appdata or content folders? Should they not be stored with the website at all because it's user content?

Answer

Ian Mercer picture Ian Mercer · Dec 26, 2010

You should NOT store the user uploads anywhere they can be directly accessed by a known URL within your site structure. This is a security risk as users could upload .htm file and .js files. Even a file with the correct extension can contain malicious code that can be executed in the context of your site by an authenticated user allowing server-side or client-side attacks.

See for example http://www.acunetix.com/websitesecurity/upload-forms-threat.htm and What security issues appear when users can upload their own files? which mention some of the issues you need to be aware of before you allow users to upload files and then present them for download within your site.

  1. Don't put the files within your normal web site directory structure

  2. Don't use the original file name the user gave you. You can add a content disposition header with the original file name so they can download it again as the same file name but the path and file name on the server shouldn't be something the user can influence.

  3. Don't trust image files - resize them and offer only the resized version for subsequent download

  4. Don't trust mime types or file extensions, open the file and manipulate it to make sure it's what it claims to be.

  5. Limit the upload size and time.