在 asp.net-mvc 中,在保存用户内容(图像、文件等)时是否有一个很好的库或模式可以遵循 [英] in asp.net-mvc, is there a good library or pattern to follow when saving users content (images, files, etc)
问题描述
我的网站有一个管理部分,作者"可以在其中上传文件,例如照片画廊的图片等,以便稍后包含在我网站的动态内容部分中.我的某些页面的 html 本身存储在我的 mySQL 数据库中,用户可以使用 ckeditor 界面编辑内容.>
我想看看是否有什么可以利用的东西可以将文件保存到正确的目录并稍后检索它们,或者我应该从头开始写这一切.此外,寻找经验教训和需要注意的事项(安全等.)
我会尝试一下.我们有一个应用程序,它做一些类似于我们所做的事情,我们做了自己做的事情".用户可以通过我们的应用程序界面上传文件(图像、文档等),这些文件确实具有用户/公司/角色敏感权限.为了减轻一些安全问题并出于其他一些原因,我们实施了以下措施.
在 Web 应用程序中,我们创建了一个Assets"文件夹,用于存储所有用户生成的内容.然后,我们使用子文件夹来帮助分割内容(徽标、文件等).
在 web.config 中,我们将此文件夹配置为无法从浏览器访问(比如 App_Data 或 bin 文件夹),使用以下几行(我们这样做是为了确保这些文件都无法访问直接从浏览器中查看更多关于第 4 点):
<安全><请求过滤><hiddenSegments><add segment="资产"/></hiddenSegments></requestFiltering></安全> 上传文件后,我们会将文件的相关信息(类型、大小、名称、评论)存储在数据库中.这还允许我们将角色和用户安全信息与文件相关联.
为了检索文件,我们实现了一个控制器,其中包含一组操作,这些操作获取请求的文件名和用户信息(因为您必须登录)并从 Assets 文件夹中返回文件.对于最终用户来说,看起来所有文件都存储在/Files/Docs/FileID 或类似的东西中,但实际上这只是文件本身的前端看门人".如果您未经授权或请求错误文件,则此控制器/操作方法将返回 404.对于文件命名,我们只生成 GUID 并将文件命名为GUID.relevantExtension"(检查一个不存在)
我想对于吸取的教训或诸如此类的东西,最重要的是您不要直接公开文件,尤其是在用户不共享内容的情况下.此外,这可能是个人偏好,如果不小心可能会引发战争,我不太喜欢在数据库中存储文件,因为它似乎会导致分页和缓存性能问题(也不是谈论 SQL 2008 文件列).希望这会有所帮助!
EDIT - 关于这样做的另一个想法,从 VS 发布时要注意.这些上传的文件不是您的解决方案的一部分,如果您执行删除上传类型的发布,您将为您的用户文件打蜡.只是提醒一下(去过那里:/)
i have an admin section of my website where "authors" can upload files like pictures for photo galleries, etc to include in dynamic content sections of my website later. I have certain pages where the html itself is stored in my mySQL database and users can edit the content using ckeditor interface.
i am trying to see if there is something to leverage that will save files to the right directory and retrieve them later or i should just write this all from scratch. Also, looking for lessons learned and things to be careful on (security, etc . .)
I'll take a stab at this. An application that we have that does something similar we did and we did the 'roll our own thing'. Users can upload files (images, documents, whatever) through our application interface and these files do have user/company/role sensitive permissions. In order to mitigate a few security concerns and for a few other reasons, we implemented the following.
In the web application, we created an 'Assets' folder that is used to store all of the user generated content. We then use subfolders to help segment the content (logos, files, etc).
In the web.config, we configured this folder to not be accessible from the browser (think like the App_Data or bin folders) with the following lines (We did this to ensure that none of these files could be accessed directly from the browser. See more on point #4):
<system.webServer> <security> <requestFiltering> <hiddenSegments> <add segment="Assets"/> </hiddenSegments> </requestFiltering> </security>Once a file is uploaded, we store the relevant information about the file in database (type, size, name, comments). This also allows us to relate role and user security information on the file.
In order to retrieve the files, we implemented a controller with a set of actions that takes the requested file name and user information (since you have to be logged in) and returns the file from the Assets folder. To the end user, it looks like all files are stored in /Files/Docs/FileID or something similar but in actuality this is just a front-end 'gatekeeper' to the files themselves. This controller/action methods return a 404 if you are not authorized or if you request a bad file. For file naming, we just generate GUIDs and name the file "GUID.relevantExtension" (checking that one doesn't exist already)
I guess for lessons learned or whatnot, the biggest thing is that you do not expose the files directly especially if users are not sharing content. Also, and this is probably personal preference and could start a war if not careful, I am not big on storing files in the database at it seems to cause issues with paging and caching performance (not talking about SQL 2008 File column either). Hope this helps!
EDIT - Another thought on doing this, be aware when doing publishing from VS. These uploaded files are not part of your solution and if you do the Delete the Upload type publishing, you will wax your users files. Just word of caution (been there :/)
这篇关于在 asp.net-mvc 中,在保存用户内容(图像、文件等)时是否有一个很好的库或模式可以遵循的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
