哪里是保存用户上传图片的最佳场所 [英] where is the best place to save images from users upload

问题描述

我有一个网站，显示的画廊。用户可以（通过输入网址）或从自己的电脑上传图片上传从网站自身的内容。

I have a website that shows galleries. Users can upload their own content from the web (by entering a URL) or by uploading a picture from their computer.

我存储这对于第一次使用的情况下能正常工作数据库的URL，但我需要找出在哪里存储实际图像如果用户从自己的电脑做了上传

I am storing the URL in the database which works fine for the first use case but I need to figure out where to store the actual images if a user does a upload from their computer.

时这里有任何建议或最佳实践我应该在哪里存储这些？

Is there any recommendation here or best practice on where I should store these?

我应该将它们保存在应用程序数据或内容文件夹？他们应该不会存储在网站的所有，因为它是用户的内容？

Should I save them in the appdata or content folders? Should they not be stored with the website at all because it's user content?

推荐答案

您应该不存储用户上传的任何地方，他们可以直接通过已知URL站点结构内访问。这是一个安全风险，因为用户可以上传.htm文件和.js文件。即使是用正确的扩展文件可能包含恶意code，可以在您的网站的情况下通过身份验证的用户，允许服务器端或客户端攻击被执行。

You should NOT store the user uploads anywhere they can be directly accessed by a known URL within your site structure. This is a security risk as users could upload .htm file and .js files. Even a file with the correct extension can contain malicious code that can be executed in the context of your site by an authenticated user allowing server-side or client-side attacks.

例如，见<一href=\"http://www.acunetix.com/websitesecurity/upload-forms-threat.htm\">http://www.acunetix.com/websitesecurity/upload-forms-threat.htm和<一个href=\"http://stackoverflow.com/questions/830919/what-security-issues-appear-when-users-can-upload-their-own-files\">What安全问题出现时，用户可以上传自己的文件？其中提一些你需要了解你允许用户上传文件，然后present他们为您的网站内下载前的各种问题。

See for example http://www.acunetix.com/websitesecurity/upload-forms-threat.htm and What security issues appear when users can upload their own files? which mention some of the issues you need to be aware of before you allow users to upload files and then present them for download within your site.

1. 不要把你的正常的Web站点的目录结构中的文件

1. Don't put the files within your normal web site directory structure

不要使用用户给了你原来的文件名。您可以添加内容disposition头与原来的文件名，这样他们就可以再次下载的文件名相同，但在服务器上的路径和文件名不应该是用户可以影响。

Don't use the original file name the user gave you. You can add a content disposition header with the original file name so they can download it again as the same file name but the path and file name on the server shouldn't be something the user can influence.

不要相信图像文件 - 调整它们的大小，并提供仅用于后续下载大小版本

Don't trust image files - resize them and offer only the resized version for subsequent download

不要相信MIME类型或文件扩展名，打开该文件，并操纵它，以确保它就是它声称是。

Don't trust mime types or file extensions, open the file and manipulate it to make sure it's what it claims to be.

限制上传大小和时间。

这篇关于哪里是保存用户上传图片的最佳场所的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！