Web服务器中的用户文件组织 [英] User-files organization in a Web server
问题描述
我正在开发一个Web应用程序,用户可以在其中上传文件.
I'm developing a Web application where users can upload files.
假设具有不同的文件类别,例如音频和 docs .我想我可以将属于某个类别的所有文件放在一个唯一的文件夹中,例如:
Suppose to have different file categories, e.g. audio and docs. I guess I can put all the files that belongs from a category in a unique folder, e.g.:
audio_dir
-file_from_user1.mp3
-another_file_from_user1.mp3
-file_from_user2.mp3
-file_from_user4.mp3
docs_dir
-file_from_user1.doc
-file_from_user5.pdf
我正在评估的另一个解决方案使用第三级,其中文件由用户分组.
The other solution I'm evaluating uses a third level, where files are grouped by users.
audio_dir
user1_dir
-file_from_user1.mp3
user2_dir
-file_from_user2.mp3
user4_dir
-file_from_user4.mp3
docs_dir
user1_dir
-file_from_user1.doc
user5_dir
-file_from_user5.pdf
哪种解决方案是最好的? 请注意,我对服务器安全漏洞和可扩展性感兴趣.
Which solution is the best? Please, notice that I'm interested in server security vulnerabilities and scalability.
推荐答案
在安全性方面,您应该将文件存储在Web根目录之外.这有效地避免了某人上载*.php
或*.pl
或*.py
或.htaccess
或可能基于HTTPD的配置执行的任何其他可执行脚本.在编写文件之前,我还将通过basename()
传递文件名,以防止目录遍历攻击.
In terms of security you should store the files outside of the web root. This effectively avoids someone from uploading a *.php
or a *.pl
or a *.py
or .htaccess
or any other executeablible script that maybe executed based on the HTTPD's configurations. I would also pass the file name though basename()
before writing the file to prevent directory traversal attacks.
然后,您可以让PHP脚本提供文件.您还可以通过将文件映射到存储在SQL数据库中的元数据来添加用户访问控制和文件所有权.
Then you can have a PHP script serve the file. You can also add user access control and file ownership by mapping the files to metadata stored in a SQL database.
这篇关于Web服务器中的用户文件组织的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!