
I store uploaded files in the web directory:

//src/Acme/CocoBundle/Entity/CocoFromTheNorth.php

/**
 * Relative path of the uploaded file, persisted with the entity.
 *
 * @ORM\Column(type="string", length=255, nullable=true)
 */
public $path;

// Absolute directory the file is written to (inside web/, i.e. the document root)
protected function getUploadRootDir()
{
    return __DIR__.'/../../../../web/'.$this->getUploadDir();
}

// Directory relative to the document root
protected function getUploadDir()
{
    return 'uploads/documents';
}

Is this a good practice? Wouldn't it be better to keep uploaded files outside the web directory so that they cannot be directly accessed by the users?

Am I right to think that the best way would be to store uploaded files outside of the web root? Where would be the best place, then? Or how could I configure the web server to deny access to the uploads directory?

j0k
Mick

1 Answer

It's preferred to keep uploaded files outside of the web directory and use X-SendFile to serve those files after you have established the access permissions using PHP.

I've outlined something similar here: How to securely store files on a server

And here: Caching HTTP responses when they are dynamically created by PHP

Ja͢ck
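Worked example of the approach the answer recommends, added here and not taken from the question, the answer or Symfony itself: the files live in a directory outside the document root, and a small PHP gate does the authorization check, rejects path traversal, and then lets the web server stream the file via X-Sendfile. The paths, the Apache directives in the comments and the `$isAllowed` callback are assumptions for illustration. With this layout the entity's `getUploadRootDir()` from the question would point at `__DIR__.'/../../../../var/uploads/'.$this->getUploadDir()` instead of `web/`, so no URL ever maps onto the uploads directory.

```php
<?php
// Added example (not code from the question or answer): serve uploads that are
// stored outside the web root through a PHP authorization gate plus X-Sendfile.
//
// Assumed (hypothetical) layout:
//   /var/www/app/web                    document root
//   /var/www/app/var/uploads/documents  uploaded files, not reachable by URL
// Assumed Apache vhost with mod_xsendfile:
//   XSendFile On
//   XSendFilePath /var/www/app/var/uploads
// nginx users would send X-Accel-Redirect to an "internal" location instead.

declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/app/var/uploads/documents';

/**
 * Resolve a stored file name to an absolute path inside UPLOAD_ROOT.
 * Returns null for anything that would escape the directory ("../", absolute
 * paths, symlinks pointing elsewhere), so a crafted name cannot read other files.
 */
function resolveUploadPath(string $name): ?string
{
    $root = realpath(UPLOAD_ROOT);
    if ($root === false) {
        return null;
    }
    // Only a bare file name is accepted: no separators, no NUL, no "." / "..".
    if ($name === '' || $name === '.' || $name === '..' || strpbrk($name, "/\\\0") !== false) {
        return null;
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so the prefix check also catches links out of the tree.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

/**
 * Hand the file to the web server once the application has authorized the request.
 * $isAllowed is the application's own access decision (hypothetical callback that
 * receives the resolved absolute path and returns true if the current user may read it).
 */
function serveUpload(string $name, callable $isAllowed): void
{
    $path = resolveUploadPath($name);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    if (!$isAllowed($path)) {
        http_response_code(403);
        exit;
    }
    // Force download and neutralize the stored name before echoing it into a header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    // mod_xsendfile discards this header and streams the file itself; PHP sends no body.
    header('X-Sendfile: ' . $path);
    exit;
}

// Example front script / controller action (assumed session-based check):
// serveUpload($_GET['f'] ?? '', fn(string $p): bool => isset($_SESSION['user_id']));
```

The important properties are that the uploads directory has no URL at all (so a misconfigured or missing PHP check never exposes the raw files), that every download passes through `resolveUploadPath()` before any authorization or header is emitted, and that PHP never reads the file into memory: after the `X-Sendfile` header the web server does the I/O, which is what makes this approach cheap enough to use for every download.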