10

From a programming perspective, there has long been a debate over whether to store files in a BLOB or Binary field in a database, or on the file system. The debate always seems to center around performance.

I've always wondered about the risk of infected files being saved in the database. Suppose I allow internal users to upload documents that are available on our company's website to our external customers. I would really hate to have our website serving infected PDF documents to our customers, for example.

Aside from incorporating policies that require our content editors to scan files before uploading them, is there any sort of protection that can be implemented to detect infected documents? I can't imagine that anti-virus can scan within BLOB fields (but I could be wrong on that).

It just seems more risky to me. If we have them upload to the file system, as can at least have anti-virus scanning the upload location.

Is this a valid concern? And if so, what tools or approaches are recommended for dealing with this potential threat?

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
David Stratton
  • 2,686
  • 2
  • 21
  • 37

3 Answers3

11

This has been answered before on this site, in extensive detail. See these questions:

The answer to your question about databases and the format of the file is: it doesn't matter how you store the file. The risks are the same whether the uploaded file is stored as a BLOB, as a binary field, on the file system, or in some other way. That's just an implementation detail.

What's important is what kind of validation you do, and how you address the threats. Any of the standard mitigations can be made to work, no matter how you decide to store the uploaded file -- the important thing is that you understand the risks and select mitigations appropriate that are appropriate for your application.

For general advice relating to web security, OWASP is always a good resource.

D.W.
  • 98,860
  • 33
  • 271
  • 588
3

Storing a file in a database or storing it as a file both be done in a secure or insecure way. There are also databases that are designed to store files, such as Amazon S3 and Google Blobstore. Even though it is stored as a BLOB datatype, the database is storing everything in a file on the file system.

There are always security concerns, and there is very little difference between these approaches. Its more about building an application that accounts for threats.

rook
  • 47,004
  • 10
  • 94
  • 182
0

Depends on the database platform. With Oracle you can mount the 'database' as a file system (at least in Linux). As such you've got a few more options for storing/scanning the files.

http://docs.oracle.com/cd/E14072_01/appdev.112/e10645/adlob_fs.htm

Basically a database and a file system are both just data storage mechanisms.

Gary
  • 904
  • 7
  • 12