Tuesday, 30 October 2018

How to Protect "User Uploads" Folder

I'm creating a file-sharing service that runs through a mobile app. There's a folder on the server that hosts user uploads. I know that usually in these scenarios the uploads folder must be put outside the public HTTP directory, but I'm hosting the code on an online hosting service which doesn't allow doing that.

So far, here are the security measures that I've taken:

  • Files inside the folder are named with randomly generated IDs, while all the file information (name, type, etc.) is stored in the database
  • The folder itself is protected using .htaccess (Order Deny All), so nobody can access any data inside except scripts hosted on the server

When a user wants to download a file, my idea is to make a script that would copy the required file to a temporary folder, while adding a record in the database to delete the temp file 2 hours after the request (cron job).

How efficient is my method? Can a PHP file handle cloning a large number of files without putting too much pressure on the server? And what alternative ways are there to protect the folder data?

Thanks for your time reading this
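
The scheme described in the question, as an added PHP example that is not part of the original post: files stored under random IDs, a download request validated against the database before a temporary copy is made, and the cleanup a cron job would run. The function names, table layout, directory paths and the in-memory SQLite database (via PDO) are assumptions made for illustration.

```php
<?php
// Added example; function names, table layout and paths are assumptions, not from the post.
$base    = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
$uploads = "$base/uploads";   // stands in for the folder denied by .htaccess
$tmp     = "$base/tmp";       // stands in for the temporary download folder
mkdir($uploads, 0700, true);
mkdir($tmp, 0755, true);
$db = new PDO('sqlite::memory:');   // stand-in for the real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id TEXT PRIMARY KEY, name TEXT, type TEXT)');
$db->exec('CREATE TABLE temp_copies (token TEXT PRIMARY KEY, expires INTEGER)');

// Store a file under a random ID; the original name and type live only in the database.
function store_upload(PDO $db, string $dir, string $name, string $type, string $data): string {
    $id = bin2hex(random_bytes(16));
    file_put_contents("$dir/$id", $data);
    $db->prepare('INSERT INTO files VALUES (?, ?, ?)')->execute([$id, $name, $type]);
    return $id;
}

// Copy the file to the temp folder under a fresh token and record when it expires.
function issue_temp_copy(PDO $db, string $dir, string $tmp, string $id, int $ttl = 7200): ?string {
    // Accept only IDs in the generated format, so the value can never contain a path.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) return null;
    $q = $db->prepare('SELECT 1 FROM files WHERE id = ?');
    $q->execute([$id]);
    if (!$q->fetchColumn() || !is_file("$dir/$id")) return null;
    $token = bin2hex(random_bytes(16));
    if (!copy("$dir/$id", "$tmp/$token")) return null;
    $db->prepare('INSERT INTO temp_copies VALUES (?, ?)')->execute([$token, time() + $ttl]);
    return $token;
}

// What the cron job runs: delete temp copies whose expiry time has passed.
function purge_expired(PDO $db, string $tmp, int $now): int {
    $q = $db->prepare('SELECT token FROM temp_copies WHERE expires <= ?');
    $q->execute([$now]);
    $tokens = $q->fetchAll(PDO::FETCH_COLUMN);
    foreach ($tokens as $t) {
        @unlink("$tmp/$t");
        $db->prepare('DELETE FROM temp_copies WHERE token = ?')->execute([$t]);
    }
    return count($tokens);
}

$id    = store_upload($db, $uploads, 'report.pdf', 'application/pdf', 'constructed sample bytes');
$token = issue_temp_copy($db, $uploads, $tmp, $id);
var_dump($token !== null, issue_temp_copy($db, $uploads, $tmp, 'not/an/id'));
var_dump(purge_expired($db, $tmp, time() + 7201), file_exists("$tmp/$token"));
```

Each download request costs one full file copy plus disk space held until the purge runs, which is the load the question asks about.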



