Allowing users to upload files: security, backup

Discussion in 'ASP.NET / ASP.NET Core' started by jspardy, Oct 16, 2014.

  1. (I've seen a few threads but they're older and closed.)
    I have clients who want to be able to upload documents to the site and 'link' them to their records. These are clients who are registered users; this is not a public site.
    From what I've gathered, the preferred method is to develop a file upload procedure in the web app that allows users to load their files into a predetermined folder or folders off the root directory. Obviously the procedure will limit file types to pdf, jpg, doc, and maybe a few other non-exe types.
    My question at this point (designing, no dev yet) is twofold:
    1) While security risks are relatively low with this small group of approximately 20 registered users (who happen to be churches), is there something I should do to manage security risks of files, or does DASP have the safeguards at another level?
    2) Will their uploaded files be included in routine backups?
    Thanks,
    Jeff
     
  2. mjp

    You should always validate/sanitize user input, even if those users are trusted. Your trusted users' computers can be compromised, which is a path to your site. How you do that, specifically, would be determined when you get to the development phase.

    Any files in your web space are backed up. So as long as the directory is at your site root or below it will be backed up.
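
Added example, not code from the thread or from either poster: one way to validate an upload against the pdf/jpg/doc allow-list mentioned in the question, checking the extension and the file's leading bytes and replacing the client's filename with a server-generated one. The class name, method name and the 10 MB size cap are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical helper; every name and the 10 MB cap are assumptions, not from the thread.
public static class UploadValidator
{
    const long MaxBytes = 10 * 1024 * 1024;
    // Allowed extension -> bytes a genuine file of that type starts with.
    static readonly Dictionary<string, byte[]> Signatures = new Dictionary<string, byte[]>
    {
        { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },                          // "%PDF"
        { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },                                // JPEG start-of-image
        { ".doc", new byte[] { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 } },  // OLE2 container
    };

    // Returns a server-generated storage name, or null when the upload is rejected.
    public static string Validate(string clientFileName, Stream content)
    {
        if (content == null || !content.CanSeek || content.Length == 0 || content.Length > MaxBytes)
            return null;
        // Only the extension of the client-supplied name is used; path and base name are discarded.
        string name = clientFileName ?? "";
        int dot = name.LastIndexOf('.');
        string ext = dot >= 0 ? name.Substring(dot).ToLowerInvariant() : "";
        if (!Signatures.TryGetValue(ext, out byte[] magic))
            return null;
        // The content must begin with the signature of the claimed type; a short read fails closed.
        var head = new byte[magic.Length];
        content.Position = 0;
        int read = content.Read(head, 0, head.Length);
        content.Position = 0;
        if (read != magic.Length || !head.SequenceEqual(magic))
            return null;
        return Guid.NewGuid().ToString("N") + ext;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        var pdf = new MemoryStream(new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D, 0x31, 0x2E, 0x34 });
        var exe = new MemoryStream(new byte[] { 0x4D, 0x5A, 0x90, 0x00 });
        Console.WriteLine(Validate("minutes.pdf", pdf) ?? "rejected"); // genuine PDF header
        Console.WriteLine(Validate("minutes.pdf", exe) ?? "rejected"); // executable renamed to .pdf
        Console.WriteLine(Validate("tool.exe", exe) ?? "rejected");    // extension not on the allow-list
    }
}
```

The signature check only confirms that the file starts like the type it claims to be; it does not inspect the rest of the content. The original filename can be kept as data in the client's record while the file itself is stored under the generated name.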
     