I am building a system that allows for an entry into the database (think user accounts if you want) to have an image associated with it. These will be small images and there won't be many of them.
I know the general pros/cons of using a BLOB and it doesn't seem like it will be a problem in this case. Security on this project is important though. So is it more secure to set up a directory on my Windows server where the site can store images uploaded by a user instead of just sticking the image in the DB as a BLOB?
So are potential security concerns over web users loading an image to the server significant enough to take a small performance hit or am I being over cautious?
The site is built in ASP.NET 4.0 and the database is Sql Server 2008, the server I am using to host the site could be Windows Server 2003 or 2008.
Yes using blobs in a sql database to store sensitive information is very safe.
1) Completely eliminates the problem of directory traversal.
2) Easy to apply access control on a file by file basis and link this to users/groups.
3) The database has built in encryption.
Alternatively, a safe and faster approach is to store the files outside of the web root. Change the file name to the primary key and store the metadata (such as access control) in the database. When you serve the file, ASP.NET can look up the primary key from the file name and open the file on the disk drive.
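As an added illustration of the second approach in this answer (this is example code, not something posted by the answerer), here is an ASP.NET 4.0 HTTP handler that serves an image by primary key from a directory outside the web root. The table `UserImages(Id, OwnerUserId, ContentType, IsPublic)`, the connection string name `UserImages`, the storage folder `D:\AppData\Images` and the `<Id>.bin` naming scheme are all assumptions made for the example.

```csharp
// Added example: serve a stored image by primary key (ASP.NET 4.0, .ashx-style handler).
// Assumed (hypothetical) schema: UserImages(Id INT, OwnerUserId NVARCHAR, ContentType NVARCHAR, IsPublic BIT)
// Assumed storage: files named "<Id>.bin" under D:\AppData\Images, a folder IIS does not map to any URL.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;

public class ImageHandler : IHttpHandler
{
    // Outside the web root: nothing in here can be requested directly, so a file
    // that is not really an image can never be executed by the web server.
    private static readonly string StorageRoot = @"D:\AppData\Images";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The client supplies only an integer id, never a file name or path.
        int id;
        if (!int.TryParse(context.Request.QueryString["id"], out id) || id <= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        string ownerUserId, contentType;
        bool isPublic;
        string connStr = ConfigurationManager.ConnectionStrings["UserImages"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT OwnerUserId, ContentType, IsPublic FROM UserImages WHERE Id = @id", conn))
        {
            // Parameterised query: the id is bound as an integer, not concatenated.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    context.Response.StatusCode = 404;
                    return;
                }
                ownerUserId = reader.GetString(0);
                contentType = reader.GetString(1);
                isPublic = reader.GetBoolean(2);
            }
        }

        // Access control is decided from the database row, per file and per user.
        string currentUser = (context.User != null && context.User.Identity.IsAuthenticated)
            ? context.User.Identity.Name : null;
        if (!isPublic && !string.Equals(currentUser, ownerUserId, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // The on-disk name is derived from the primary key, so there is no path to traverse.
        string path = Path.Combine(StorageRoot, id.ToString() + ".bin");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Serve with the content type recorded at upload time and forbid MIME sniffing,
        // so the browser cannot reinterpret the bytes as HTML or script.
        context.Response.ContentType = contentType;
        context.Response.AppendHeader("X-Content-Type-Options", "nosniff");
        context.Response.AppendHeader("Content-Disposition", "inline; filename=\"image\"");
        context.Response.TransmitFile(path);
    }
}
```

Register the handler in web.config (for example at `/image.ashx`) and reference images as `/image.ashx?id=42`. The important design choice is that the request never names a file: the lookup key is an integer, the authorization decision comes from the metadata row, and the physical path is built by the server alone.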
Yes it is more secure. If you were using PHP I could provide a concrete example of why. Suffice it to say that the user may be able to exploit a hole in your code/system that would allow them to execute code contained in what appeared to be an image.
edit: Of course you have to protect against SQL injection but it's usually clear whether you did this right or not.
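The risk this answer describes, a file that looks like an image but carries something else, is addressed on the upload side. The following is an added example (not from the answerer, and not tied to PHP) of how the ASP.NET 4.0 site from the question could validate an upload before storing it; it assumes the same `D:\AppData\Images` folder outside the web root and a caller that has already inserted the database row and passes its `Id`, both of which are hypothetical.

```csharp
// Added example: validate and normalise an uploaded image before storing it by primary key.
// Assumed (hypothetical): storage folder D:\AppData\Images outside the web root, and an
// imageId that the caller obtained by inserting the metadata row first.
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Web;

public static class ImageUpload
{
    // These are small avatar-style images, so cap what we are willing to read at all.
    private const int MaxBytes = 512 * 1024;
    private static readonly string StorageRoot = @"D:\AppData\Images";

    // Stores the image and returns the content type that was actually written.
    // Throws ArgumentException when the upload is rejected.
    public static string SaveValidatedImage(HttpPostedFile upload, int imageId)
    {
        if (upload == null || upload.ContentLength <= 0 || upload.ContentLength > MaxBytes)
            throw new ArgumentException("Upload missing or too large");

        // Never trust upload.ContentType or upload.FileName: both are chosen by the client.
        byte[] data;
        using (var buffer = new MemoryStream())
        {
            upload.InputStream.CopyTo(buffer);
            data = buffer.ToArray();
        }
        if (data.Length > MaxBytes)
            throw new ArgumentException("Upload too large");

        // Cheap first check on the file signature, then let the decoder verify the structure.
        if (!HasImageSignature(data))
            throw new ArgumentException("Not a supported image format");

        using (var input = new MemoryStream(data))
        using (Image image = Image.FromStream(input, false, true)) // validateImageData: true
        using (var output = new MemoryStream())
        {
            // Re-encode to PNG. The stored bytes now come from our encoder, so anything
            // appended to or hidden in the original upload is not what ends up on disk.
            image.Save(output, ImageFormat.Png);
            string path = Path.Combine(StorageRoot, imageId.ToString() + ".bin");
            File.WriteAllBytes(path, output.ToArray());
        }
        return "image/png";
    }

    // Magic-byte check for PNG, JPEG and GIF; everything else is rejected outright.
    public static bool HasImageSignature(byte[] data)
    {
        if (data.Length < 8) return false;
        bool png  = data[0] == 0x89 && data[1] == 0x50 && data[2] == 0x4E && data[3] == 0x47;
        bool jpeg = data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF;
        bool gif  = data[0] == 0x47 && data[1] == 0x49 && data[2] == 0x46 && data[3] == 0x38;
        return png || jpeg || gif;
    }
}
```

The three layers reinforce each other: the signature check and the decoder reject files that are not images, re-encoding discards whatever else the original bytes contained, and storing the result under a primary-key name outside the web root means that even a file which slipped through could not be requested or executed by IIS. Because the decoder itself parses untrusted input, keep the framework patched and keep the size cap in place.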