Why Directly Storing Uploads in the Database Is Risky
- #Security
- #Best Practices
- #Software Architecture
- 2018/08/30
Why saving uploads as-is in the database is dangerous
- A malicious file could be uploaded and compromise the entire database.
- If malware is embedded, the whole system can be taken over.
- Accepting extensions you do not anticipate increases the chance of someone uploading a virus.
- Attackers can intentionally upload very large files and trigger server-side latency.
Behavior at upload time
- Validate file extensions on the client with JavaScript before the upload (but never rely on it—users can disable JS, so always validate on the server as well).
- Configure a temporary storage location so the OS can run a virus scan before you persist the file for good.
- If malware is found, discard the file immediately.
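The server-side half of the steps above, as an added example (not code from the original post): allowlist the extension, cap the size, stage the file in a temporary quarantine directory, scan it, and discard it unless it passes. It goes one step beyond the list by also comparing the leading bytes against the claimed extension, since an extension alone proves nothing. The allowlist, `MAX_BYTES`, the directory arguments and the `scanner` callable are assumptions to be replaced with your own policy and antivirus integration.

```python
import os
import tempfile
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024  # assumed cap; also enforce a limit at the request layer
# Assumed allowlist: extension -> leading bytes the content must start with
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(Exception):
    """Raised when an upload fails any check; nothing is persisted."""


def accept_upload(filename, data, scanner, quarantine_dir, final_dir):
    """Validate, quarantine, scan, then persist. Returns the stored path."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")

    # Stage under a server-generated name; never reuse the client filename.
    fd, tmp_path = tempfile.mkstemp(suffix=ext, dir=quarantine_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        if not scanner(tmp_path):  # hypothetical hook: True means clean
            raise UploadRejected("scanner flagged file")
        dest = os.path.join(final_dir, os.path.basename(tmp_path))
        os.replace(tmp_path, dest)  # promote only after every check passed
        return dest
    finally:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)  # discard anything that was not promoted
```

Keep the quarantine and final directories on the same filesystem so that `os.replace` is an atomic rename, and keep both outside any path the web server serves or executes from.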
In closing
- Extensions are easy to fake, so stay vigilant!