Is it better to store user uploaded documents in phymyadmin or is it better to store them in folders?

What is better? To be able to store user docs like word docs, pdfs, scanned ima开发者_运维百科ges, etc in a database or in a folder. Security is of top issue. I don't want somebody to do something like domain.com/user/social/profile/user_images/23432434.png and be able to see it.

Thanks.

Storing files in the database is often regreted afterwards. Store a filename or id only in the database.

If you want to prevent access, store the files outside of the DOCUMENT_ROOT. Make a wrapper script that handles access, and use either readfile() or X-Sendfile: when invoked. (You would basically have done the same for SQL stored resources.)

If security is of top issue - use .htaccess and close public access to content folders.

You could save the assets behind the public folder (the document root folder where the app lies) and get them like http://myapp.com/assets.php?id=13 where assets.php grabs the file and output the content.

Now in assets.php, you can verify the roles, etc etc.

like for example:

• root folder
  • public_html (where your script lies)
  • assets (where your uploads lies, they'll be inaccessible to the public eye and you can pull them when someone calls assets.php)

Does not really mather what you do if you store it in DB or on HD. The important thing is how you will be serving the files.

For this purpose you can you any kind of hash function.

1. add "salt" field to each user in DB
2. then you can do for example md5(md5({filename}) . salt)

and retrieving those files will be prety hard if you combine it with an captcha.

Store your files above the root of the server.

for example:

/var/www/ - your server root. Publicly available /var/documents - user files here. above the root and not publicly visible.

Server your documents:

in /var/www/serve.php

#add headers
echo file_read_contents("/var/documents/file.doc");

Saving files in sql may cause some problems like as slower speed. You can use

# no one gets in here!
deny from all

in your .htaccess and use echo file_get_contents($filename); or readfile($filename);