|
Hi,
I am designing a rather complex web program that I intend to sell to many people, but host on my own server. Users of this program will want to customize their pages and will want to upload different header images and user photos.
As we all know, upload forms are extremely dangerous/insecure and I really don't want to get hacked through one (especially if I have 50 vulnerable users on my server).
Since one of the biggest problems with these forms is the actual upload validation and movement (move_uploaded_file();) I want to avoid actually using physical files and I think I might opt for storing the files in a MySQL database in an Images table.
I have many concerns, but first and foremost: will this guarantee me more security? For example, if someone sneaks through my upload script a PHP file and it is stored in a MySQL database as a binary file (BLOB), it won't be able to do its dirty work... right?
Another big question is whether this will slow my site down or not. I'm storing each install in a different database but if I have, lets say, a dozen 2MB BLOB images stored per site, and there are 50 sites on my server will MySQL have a heart attack?
Anyway, I know that hundreds of people have discussed this and I've browsed several different forums and from what I can tell people don't like it. On the other hand, I'm especially paranoid about upload scripts and I don't trust my anti-hacker logic at all, so I'll do anything to prevent an attack
Thanks for your help,
kmkz
Last edited by kmkz; 03-29-2005 at 05:09 PM..
|
