Solved

what is the danger in permitting members to upload documents to your database?

Posted on 2016-10-04
6
41 Views
Last Modified: 2016-10-06
We permit members to upload certain file types; pdf, docs, xlms, jpg and some other image file types  from our website into a database table where they are stored as a longblob (MySQL) and the documents/images can be viewed / downloaded by the member as well.

What is the danger of them introducing some malevolent code that would affect our database or our server?  What steps could we take to mitigate this?
0
Comment
Question by:Nemetona
  • 3
  • 3
6 Comments
 
LVL 51

Expert Comment

by:Julian Hansen
Comment Utility
into a database table where they are stored as a longblob (MySQL)
I have never understood why one would want to store documents in a DB Table. The OS file system is a perfectly good store and far simpler than extracting blobs from a database. Best practice is store the document in the file system and the path in the database.

The danger is what you would expect from allowing content from untrusted sources onto your network.
Here are some things to consider
1. Assume all incoming documents are suspect and treat accordingly. Scan all incoming documents for malware
2. Store the documents outside of the webroot to prevent direct access to the documents
3. Store the path to the document in the database.
4. Limit uploads only to the document types you allow
5. Do not trust the extension or the mime type in the header - test the document to ensure it is of the claimed type.
0
 

Author Comment

by:Nemetona
Comment Utility
Could you provide any pointers on "test the document to ensure it is of the claimed type. "
0
 
LVL 51

Accepted Solution

by:
Julian Hansen earned 500 total points
Comment Utility
What is your scripting environment.
In PHP you would use something like finfo_file()
Code might look something like this
$allowedtypes = array(
  'text/html',
  'image/gif',
  'application/vnd.ms-excel'
);
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimetype = finfo_file($finfo, $filename);
$valid = false;
foreach($allowedtypes as $t) {
    if ($mimetype == $t) {
      $valid = true;
      break;
     }
}
if (!$valid) {
   echo "File type not allowed ....";
}

Open in new window

0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:Nemetona
Comment Utility
Thank you for that.  We are using javascript.
0
 
LVL 51

Expert Comment

by:Julian Hansen
Comment Utility
We are using javascript.
That is client side - what are you using to connect to MySQL?
0
 

Author Comment

by:Nemetona
Comment Utility
java
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction Since I wrote the original article about Handling Date and Time in PHP and MySQL (http://www.experts-exchange.com/articles/201/Handling-Date-and-Time-in-PHP-and-MySQL.html) several years ago, it seemed like now was a good time to updat…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This video is the second in a two-part series that discusses PaperPort's "Send To Bar" feature . The first video tutorial (http://www.experts-exchange.com/VP_207.html) explains the purpose of the Send To Bar, how to use it, and how to hide unwanted …
In this first video of the three-part Xpdf series, we introduce and describe Xpdf, a library containing nine command line utilities that perform various functions on PDF files. We show where the library is located and how to download it, discuss its…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now