Solved

what is the danger in permitting members to upload documents to your database?

Posted on 2016-10-04
6
103 Views
Last Modified: 2016-10-06
We permit members to upload certain file types; pdf, docs, xlms, jpg and some other image file types  from our website into a database table where they are stored as a longblob (MySQL) and the documents/images can be viewed / downloaded by the member as well.

What is the danger of them introducing some malevolent code that would affect our database or our server?  What steps could we take to mitigate this?
0
Comment
Question by:Nemetona
  • 3
  • 3
6 Comments
 
LVL 55

Expert Comment

by:Julian Hansen
ID: 41829618
into a database table where they are stored as a longblob (MySQL)
I have never understood why one would want to store documents in a DB Table. The OS file system is a perfectly good store and far simpler than extracting blobs from a database. Best practice is store the document in the file system and the path in the database.

The danger is what you would expect from allowing content from untrusted sources onto your network.
Here are some things to consider
1. Assume all incoming documents are suspect and treat accordingly. Scan all incoming documents for malware
2. Store the documents outside of the webroot to prevent direct access to the documents
3. Store the path to the document in the database.
4. Limit uploads only to the document types you allow
5. Do not trust the extension or the mime type in the header - test the document to ensure it is of the claimed type.
0
 

Author Comment

by:Nemetona
ID: 41831584
Could you provide any pointers on "test the document to ensure it is of the claimed type. "
0
 
LVL 55

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 41831747
What is your scripting environment.
In PHP you would use something like finfo_file()
Code might look something like this
$allowedtypes = array(
  'text/html',
  'image/gif',
  'application/vnd.ms-excel'
);
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimetype = finfo_file($finfo, $filename);
$valid = false;
foreach($allowedtypes as $t) {
    if ($mimetype == $t) {
      $valid = true;
      break;
     }
}
if (!$valid) {
   echo "File type not allowed ....";
}

Open in new window

0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:Nemetona
ID: 41831768
Thank you for that.  We are using javascript.
0
 
LVL 55

Expert Comment

by:Julian Hansen
ID: 41831966
We are using javascript.
That is client side - what are you using to connect to MySQL?
0
 

Author Comment

by:Nemetona
ID: 41831972
java
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Complex MySQL Query 2 33
Complex SQL statement in VB.NET 7 31
Optimize the query 5 43
Uploading a CSV Data Import via PHP & MySql 3 33
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
When table data gets too large to manage or queries take too long to execute the solution is often to buy bigger hardware or assign more CPUs and memory resources to the machine to solve the problem. However, the best, cheapest and most effective so…
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
Sometimes we receive PDF files that are in the wrong orientation. They may be sideways or even upside down. This most commonly happens with scanned or faxed documents. It is possible to rotate the view of these PDFs with the free Adobe Reader produc…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question