Where to store user uploaded files in asp.net MVC 4 webapp?

I'm building an MVC4 app using a separate-database multi-tenant architecture. The customers also have the option to upload files (mostly 1-5 MB in size, text files/documents).

I concluded that it's better to store the files in the filesystem while keeping metadata in the database (separate folder for each customer); however, I have no clue where to store the files. Does MVC have special locations for this? Or should I just create a folder on the server somewhere?

And is creating folders like this secure by default?

Thanks!

user2713516 asked Oct 16 '13 11:10


2 Answers

Well, I would like to advise the following; Gitzerai already gave a lot to think about.

Gitzerai, maybe you will find here something you missed when creating the solution for your apps.

Anyway,

You can upload files to the file system, but there are several things you need to watch out for.

  • Make sure that the account running the IIS application pool only has read-write privileges to that folder and never execute under any circumstances.

  • Check the file extension and disallow any executables (.exe, .dll and more).

  • Store the files without an extension or with some .zzz extension, just in case. When the user needs to download the file you can dynamically set the original extension.

  • Use only one folder for storing all files, created manually. Avoid creating multiple folders dynamically if not really needed.

  • Create a separate app that occasionally does an integrity check of records in the database vs. files in the file system.

LarryB answered Sep 25 '22 03:09


Personally, I would say that such a decision should be based on your application requirements.

When I am building a simple app with upload possibilities, I always use DB = metadata; file itself = filesystem, as I have a module I implement in every app like this, and it is an approach that is easy to maintain. It could possibly bring security issues, especially on a multi-user/app access server, where security of "folder access" should be maintained at the root folder level with strictly defined permissions (not chmod 777 for everyone :-)). So far I have not had a single issue with this approach. External access is linked by an external GUID for the specific file.

For a multi-tenant environment my file databases (or, as I call them, media databases) also contain the CDN URL, i.e. the address of the server physically hosting the file, and the file is served by an HttpHandler. Again, I can imagine a more secure and flexible way, but this has never failed me so far, and I am aware of the issues that accompany this solution and I am fine with that.

But since this is an interesting topic for me, I would love to hear if someone proposes a different solution when it comes to file storage.

Gitzerai answered Sep 25 '22 03:09
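An added example, not code from either answer, that puts LarryB's checklist (allowlisted extensions, a server-generated GUID name with a neutral .zzz extension in one flat folder, the original name restored only at download time, a reconciliation pass between database records and files on disk) and Gitzerai's GUID-keyed external access into one ASP.NET MVC 4 controller. `IFileMetadataStore`, `UploadRecord`, the `D:\AppData\Uploads` path and the session-based tenant lookup are assumptions standing in for the application's own database and authentication layer; tenants share the single folder and are separated by the tenant id stored with each record rather than by per-customer directories.

```csharp
// Added example (not code from either answer): ASP.NET MVC 4 controller that keeps
// file metadata in the database and the bytes on disk, following the checklist above.
// IFileMetadataStore, UploadRecord, the storage path and the tenant lookup are
// assumptions standing in for the application's own database and authentication.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Metadata row: the GUID is the only thing that ever appears in a URL or a path.
public class UploadRecord
{
    public Guid Id { get; set; }
    public int TenantId { get; set; }
    public string OriginalFileName { get; set; }   // display only, never used in a path
    public long Length { get; set; }
}

// Assumed metadata store; the real app backs this with its per-tenant database.
public interface IFileMetadataStore
{
    void Add(UploadRecord record);
    UploadRecord Find(Guid id, int tenantId);
    IEnumerable<UploadRecord> All();
}

public class FilesController : Controller
{
    // One manually created folder outside the web root (assumed path), so IIS never
    // serves it directly. The app-pool identity gets read/write here, not execute.
    private const string StorageRoot = @"D:\AppData\Uploads";
    private const string StoredExtension = ".zzz";   // neutral extension, as the answer suggests
    private const long MaxBytes = 10L * 1024 * 1024;

    // Allowlist of the document types tenants are expected to upload; an allowlist fails
    // closed on new dangerous types, unlike a denylist of .exe/.dll.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".txt", ".csv", ".pdf", ".doc", ".docx" };

    private readonly IFileMetadataStore _store;

    // Assumes a dependency resolver supplies the store.
    public FilesController(IFileMetadataStore store) { _store = store; }

    // Assumption: the tenant comes from the authenticated session, never from the request.
    private int CurrentTenantId() { return (int)Session["TenantId"]; }

    private static string StoredPath(Guid id)
    {
        return Path.Combine(StorageRoot, id.ToString("N") + StoredExtension);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Upload(HttpPostedFileBase upload)
    {
        if (upload == null || upload.ContentLength == 0 || upload.ContentLength > MaxBytes)
            return new HttpStatusCodeResult(400, "Missing or oversized file");

        // Strip any directory part the client sent, then check only the final extension.
        string originalName = Path.GetFileName(upload.FileName);
        string ext = Path.GetExtension(originalName);
        if (string.IsNullOrEmpty(ext) || !AllowedExtensions.Contains(ext))
            return new HttpStatusCodeResult(400, "File type not allowed");

        // The on-disk name is entirely server-generated: <guid>.zzz in one flat folder.
        var id = Guid.NewGuid();
        upload.SaveAs(StoredPath(id));

        _store.Add(new UploadRecord
        {
            Id = id,
            TenantId = CurrentTenantId(),
            OriginalFileName = originalName,
            Length = upload.ContentLength
        });
        return RedirectToAction("Index");
    }

    // External access is by GUID; the tenant id in the lookup stops one customer
    // downloading another customer's file even if a GUID leaks.
    public ActionResult Download(Guid id)
    {
        UploadRecord record = _store.Find(id, CurrentTenantId());
        if (record == null || !System.IO.File.Exists(StoredPath(record.Id)))
            return HttpNotFound();

        // The original extension comes back only in Content-Disposition. Serving as
        // octet-stream forces a download, so an uploaded .html is never rendered inline.
        return File(StoredPath(record.Id), "application/octet-stream", record.OriginalFileName);
    }

    // Integrity check between database records and the file system: files with no
    // record (orphans) and records whose file is gone. Meant for a scheduled job.
    public static void Reconcile(IFileMetadataStore store, string root,
                                 out List<string> orphanFiles, out List<Guid> missingFiles)
    {
        List<UploadRecord> records = store.All().ToList();
        var expected = new HashSet<string>(
            records.Select(r => r.Id.ToString("N") + StoredExtension), StringComparer.OrdinalIgnoreCase);

        orphanFiles = Directory.GetFiles(root, "*" + StoredExtension)
                               .Select(f => Path.GetFileName(f))
                               .Where(name => !expected.Contains(name))
                               .ToList();
        missingFiles = records
            .Where(r => !System.IO.File.Exists(Path.Combine(root, r.Id.ToString("N") + StoredExtension)))
            .Select(r => r.Id)
            .ToList();
    }
}
```

Two caveats a practitioner would add to the checklist: an extension check says nothing about the bytes inside the file, so if the documents are later parsed or scanned server-side, that parser is the next attack surface, and the storage folder should sit outside the site's content root so that a misconfigured handler mapping can never turn "read/write but not execute" into direct serving of whatever was uploaded.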