Im building an MVC4 app using a seperate database multi tenant architecture. The customers also have the option to upload files (mostly 1-5MB in size, textfiles/documents).
我正在使用单独的数据库多租户架构构建MVC4应用程序。客户还可以选择上传文件(大多数为1-5MB,文本文件/文档)。
I concluded that its better to store the files in a filesystem while keeping metadata in the database (seperate folder for each customer), however, I have no clue on where to store the files. Does MVC have special locations for this? Or should I just create a folder on the server somewhere.
我总结说,最好将文件存储在文件系统中,同时将元数据保存在数据库中(每个客户的单独文件夹),但是,我不知道存储文件的位置。 MVC有特殊的位置吗?或者我应该在服务器上的某处创建一个文件夹。
And is creating folders like this secure by default?
并且默认情况下创建这样的文件夹安全吗?
Thanks!
2 个解决方案
#1
8
Well, I would like to advise for the following, Gitzerai already gave a lot to think about.
好吧,我想建议以下内容,Gitzerai已经考虑了很多。
Gitzerai maybe you will find here something you missed out when creating solution to your apps.
Gitzerai也许你会在这里找到你在为你的应用创建解决方案时错过的东西。
Anyway,
you can upload files on the file system but there are several things you need to watch out for.
您可以在文件系统上传文件,但有几件事需要注意。
-
Make sure that account running the IIS application pool only has read-write privileges to that folder and not execute under any circumstances
确保运行IIS应用程序池的帐户仅具有该文件夹的读写权限,并且在任何情况下都不会执行
-
Check file extension and disallow and executables (.exe, .dll and more)
检查文件扩展名和禁止和可执行文件(.exe,.dll等)
-
Store the files w/o extension or with some .zzz extension just in case. When user needs to download the file you can dynamically set to original extension
存储没有扩展名的文件或扩展名为.zzz的文件以防万一。当用户需要下载文件时,您可以动态设置为原始扩展名
-
Use only one folder for storing all files that is created manually. Avoid creating multiple folders dynamically if not really needed
仅使用一个文件夹存储手动创建的所有文件。如果不需要,请避免动态创建多个文件夹
-
Create a separate app that will occasionally do an integrity check for records in database vs files in the file system
创建一个单独的应用程序,偶尔会对数据库中的记录与文件系统中的文件进行完整性检查
#2
4
Personally, I would say that such decision should be based on your application requirements.
就个人而言,我会说这样的决定应该基于您的申请要求。
When I am building simple app with upload possibilities, I always use the DB = Metadata; File itself = filesystem, as I have a module I implement to every app like this and it is an approach easy to maintain. It could possibly bring security issues, especially with multi-user/app access server, where security of "folder access" should be maintained on a root folder level with permissions strictly defined (not chmod 777 everyone :-)) So far I have not had a single issue with this approach. External access is linked by external guid for specific file.
当我构建具有上传可能性的简单应用程序时,我总是使用DB =元数据;文件本身=文件系统,因为我有一个模块,我实现了这样的每个应用程序,这是一个易于维护的方法。它可能带来安全问题,特别是对于多用户/应用程序访问服务器,其中“文件夹访问”的安全性应该保持在根文件夹级别,权限严格定义(不是chmod 777每个人:-))到目前为止我还没有这个方法有一个问题。外部访问由外部guid链接到特定文件。
For multi-tenant environment my file databases (or s I call them media databases) contains also CDN url, i.e. address to server physically hosting the file, and the file is served by HttpHandler. Again, I can imagine more secure and flexible way, but this has never failed me so far, and I am aware of the issues it acompanies this solution and I am fine with that.
对于多租户环境,我的文件数据库(或称为媒体数据库)也包含CDN URL,即物理托管文件的服务器的地址,文件由HttpHandler提供。再一次,我可以想象更安全和灵活的方式,但到目前为止,这一直没有让我失望,我知道它与这个解决方案相关的问题,我很好。
But since this is an interesting topic for me, I would love to hear if someone proposes a different solutions, when it comes to filestorage.
但由于这对我来说是一个有趣的话题,我很想听听有人提出不同的解决方案,当涉及到文件存储时。
#1
8
Well, I would like to advise for the following, Gitzerai already gave a lot to think about.
好吧,我想建议以下内容,Gitzerai已经考虑了很多。
Gitzerai maybe you will find here something you missed out when creating solution to your apps.
Gitzerai也许你会在这里找到你在为你的应用创建解决方案时错过的东西。
Anyway,
you can upload files on the file system but there are several things you need to watch out for.
您可以在文件系统上传文件,但有几件事需要注意。
-
Make sure that account running the IIS application pool only has read-write privileges to that folder and not execute under any circumstances
确保运行IIS应用程序池的帐户仅具有该文件夹的读写权限,并且在任何情况下都不会执行
-
Check file extension and disallow and executables (.exe, .dll and more)
检查文件扩展名和禁止和可执行文件(.exe,.dll等)
-
Store the files w/o extension or with some .zzz extension just in case. When user needs to download the file you can dynamically set to original extension
存储没有扩展名的文件或扩展名为.zzz的文件以防万一。当用户需要下载文件时,您可以动态设置为原始扩展名
-
Use only one folder for storing all files that is created manually. Avoid creating multiple folders dynamically if not really needed
仅使用一个文件夹存储手动创建的所有文件。如果不需要,请避免动态创建多个文件夹
-
Create a separate app that will occasionally do an integrity check for records in database vs files in the file system
创建一个单独的应用程序,偶尔会对数据库中的记录与文件系统中的文件进行完整性检查
#2
4
Personally, I would say that such decision should be based on your application requirements.
就个人而言,我会说这样的决定应该基于您的申请要求。
When I am building simple app with upload possibilities, I always use the DB = Metadata; File itself = filesystem, as I have a module I implement to every app like this and it is an approach easy to maintain. It could possibly bring security issues, especially with multi-user/app access server, where security of "folder access" should be maintained on a root folder level with permissions strictly defined (not chmod 777 everyone :-)) So far I have not had a single issue with this approach. External access is linked by external guid for specific file.
当我构建具有上传可能性的简单应用程序时,我总是使用DB =元数据;文件本身=文件系统,因为我有一个模块,我实现了这样的每个应用程序,这是一个易于维护的方法。它可能带来安全问题,特别是对于多用户/应用程序访问服务器,其中“文件夹访问”的安全性应该保持在根文件夹级别,权限严格定义(不是chmod 777每个人:-))到目前为止我还没有这个方法有一个问题。外部访问由外部guid链接到特定文件。
For multi-tenant environment my file databases (or s I call them media databases) contains also CDN url, i.e. address to server physically hosting the file, and the file is served by HttpHandler. Again, I can imagine more secure and flexible way, but this has never failed me so far, and I am aware of the issues it acompanies this solution and I am fine with that.
对于多租户环境,我的文件数据库(或称为媒体数据库)也包含CDN URL,即物理托管文件的服务器的地址,文件由HttpHandler提供。再一次,我可以想象更安全和灵活的方式,但到目前为止,这一直没有让我失望,我知道它与这个解决方案相关的问题,我很好。
But since this is an interesting topic for me, I would love to hear if someone proposes a different solutions, when it comes to filestorage.
但由于这对我来说是一个有趣的话题,我很想听听有人提出不同的解决方案,当涉及到文件存储时。