where is the best place to save images from users upload

by

You should NOT store the user uploads anywhere they can be directly accessed by a known URL within your site structure. This is a security risk as users could upload .htm file and .js files. Even a file with the correct extension can contain malicious code that can be executed in the context of your site by an authenticated user allowing server-side or client-side attacks.

See for example http://www.acunetix.com/websitesecurity/upload-forms-threat.htm and What security issues appear when users can upload their own files? which mention some of the issues you need to be aware of before you allow users to upload files and then present them for download within your site.

  1. Don’t put the files within your normal web site directory structure

  2. Don’t use the original file name the user gave you. You can add a content disposition header with the original file name so they can download it again as the same file name but the path and file name on the server shouldn’t be something the user can influence.

  3. Don’t trust image files – resize them and offer only the resized version for subsequent download

  4. Don’t trust mime types or file extensions, open the file and manipulate it to make sure it’s what it claims to be.

  5. Limit the upload size and time.

More Related Contents:

  1. How to validate uploaded file in ASP.NET MVC?
  2. How to remove ASP.Net MVC Default HTTP Headers?
  3. How to display an image from a path in asp.net MVC 4 and Razor view?
  4. Customizing authorization in ASP.NET MVC
  5. What ‘sensitive information’ could be disclosed when setting JsonRequestBehavior to AllowGet
  6. “Security aware” action link?
  7. Session variables in ASP.NET MVC
  8. MVC4 DataType.Date EditorFor won’t display date value in Chrome, fine in Internet Explorer
  9. Two related questions on jqGrid column header filters and the advanced filtering dialog
  10. ASP.NET MVC How to pass JSON object from View to Controller as Parameter
  11. How do you request static .html files under the ~/Views folder in ASP.NET MVC?
  12. How to lock down paths in ASP.NET MVC?
  13. Why should I use view models?
  14. Multiple DB Contexts in the Same DB and Application in EF 6 and Code First Migrations
  15. How do you share scripts among multiple projects in one solution?
  16. Mocking Asp.net-mvc Controller Context
  17. Why is Model Binding not working in my POST action method?
  18. Json.Net: Html Helper Method not regenerating
  19. HTML.ActionLink vs Url.Action in ASP.NET Razor
  20. How to send a model in jQuery $.ajax() post request to MVC controller method
  21. How does RequireJS work with multiple pages and partial views?
  22. Differences between Html.TextboxFor and Html.EditorFor in MVC and Razor
  23. MVC controller is being called twice
  24. Adding a controller factory to ASP MVC
  25. keyword not supported data source
  26. ASP.NET MVC5/IIS Express unable to debug – Code Not Running
  27. Best practices for debugging ASP.NET MVC Binding
  28. How to compile cshtml before runtime
  29. CORS in ASP .NET MVC5
  30. Incompatible Data Reader Exception From EF Mapped Objects

Leave a Comment