?
Solved

what is the danger in permitting members to upload documents to your database?

Posted on 2016-10-04
6
Medium Priority
?
142 Views
Last Modified: 2016-10-06
We permit members to upload certain file types; pdf, docs, xlms, jpg and some other image file types  from our website into a database table where they are stored as a longblob (MySQL) and the documents/images can be viewed / downloaded by the member as well.

What is the danger of them introducing some malevolent code that would affect our database or our server?  What steps could we take to mitigate this?
0
Comment
Question by:Nemetona
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 58

Expert Comment

by:Julian Hansen
ID: 41829618
into a database table where they are stored as a longblob (MySQL)
I have never understood why one would want to store documents in a DB Table. The OS file system is a perfectly good store and far simpler than extracting blobs from a database. Best practice is store the document in the file system and the path in the database.

The danger is what you would expect from allowing content from untrusted sources onto your network.
Here are some things to consider
1. Assume all incoming documents are suspect and treat accordingly. Scan all incoming documents for malware
2. Store the documents outside of the webroot to prevent direct access to the documents
3. Store the path to the document in the database.
4. Limit uploads only to the document types you allow
5. Do not trust the extension or the mime type in the header - test the document to ensure it is of the claimed type.
0
 

Author Comment

by:Nemetona
ID: 41831584
Could you provide any pointers on "test the document to ensure it is of the claimed type. "
0
 
LVL 58

Accepted Solution

by:
Julian Hansen earned 2000 total points
ID: 41831747
What is your scripting environment.
In PHP you would use something like finfo_file()
Code might look something like this
$allowedtypes = array(
  'text/html',
  'image/gif',
  'application/vnd.ms-excel'
);
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimetype = finfo_file($finfo, $filename);
$valid = false;
foreach($allowedtypes as $t) {
    if ($mimetype == $t) {
      $valid = true;
      break;
     }
}
if (!$valid) {
   echo "File type not allowed ....";
}

Open in new window

0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 

Author Comment

by:Nemetona
ID: 41831768
Thank you for that.  We are using javascript.
0
 
LVL 58

Expert Comment

by:Julian Hansen
ID: 41831966
We are using javascript.
That is client side - what are you using to connect to MySQL?
0
 

Author Comment

by:Nemetona
ID: 41831972
java
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
In this video, we show how to convert an image-only PDF file into a PDF Searchable Image file, that is, a file with both the image (typically from scanning) and text, which is created in an automated fashion with Optical Character Recognition (OCR) …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question