Secure File Storage

Discussion in 'PHP' started by stephan2307, Apr 12, 2010.

  1. #1
    Hi,

    I am developing an application in which the user will be able to upload certain documents.

    What is the best way to store these documents to ensure that they are safe? I don't want anyone to be able to access them except the person that uploaded them.

    I came up with the following ideas.

    1. Store them in MySQL and then, when needed, create the document on the fly.
    2. Create a folder for each user and store images in there, then password-protect the folder via .htaccess. When files are needed, the user is automatically logged in to retrieve them. In addition, mod_rewrite is used to hide the userid (which would be the folder name).

    Which one is best? Any other way to do it better?
     
    stephan2307, Apr 12, 2010 IP
  2. atlantaazfinest

    #2
    Ehhhh, number 1 I definitely wouldn't do.

    Number 2 is suitable with a few tweaks. Also, you can look at using PHP's encryption functions, e.g. RSA, Blowfish, all of that, to take it a step further.
     
    atlantaazfinest, Apr 12, 2010 IP
  3. stephan2307

    #3
    How would I use the encryption functions to encrypt and then decrypt files?
     
    stephan2307, Apr 12, 2010 IP
  4. atlantaazfinest

    #4
    atlantaazfinest, Apr 12, 2010 IP
  5. stephan2307

    #5
    How secure would this be?
     
    stephan2307, Apr 12, 2010 IP
  6. atlantaazfinest

    #6
    Depends on which cipher you use. Look into AES-128 (safety margin is larger than AES-256) or Blowfish, something along those lines... just gotta make sure you implement it correctly.
     
    atlantaazfinest, Apr 12, 2010 IP
  7. stephan2307

    #7
    Thanks for your excellent feedback.

    Is there anyone else that can give advice?
     
    stephan2307, Apr 12, 2010 IP
  8. atlantaazfinest

    #8
    atlantaazfinest, Apr 12, 2010 IP
  9. krsix

    #9
    You can also store files outside of your web directory - in /home/yourname instead of /home/yourname/www - and use PHP to content-disposition/attachment and spit it out, without letting anyone be able to access it directly over the internet.
     
    krsix, Apr 12, 2010 IP
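
The approach from post #9, as an added example that is not part of the thread: files live outside the web root and a PHP script streams them only to the user who uploaded them. The `uploads` subdirectory, the `documents` table and its columns, the session key and the database credentials are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: serve an upload stored outside the web root, owner only.
// Assumed (not from the thread): a `documents` table with columns
// id, owner_id, stored_name, original_name; $_SESSION['user_id'] set at login.

const STORAGE_DIR = '/home/yourname/uploads'; // outside /home/yourname/www

session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

$docId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($docId === false || $docId === null) {
    http_response_code(400);
    exit('Bad request');
}

// Placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'change-me',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The owner check is in the query: another user's id returns no row.
$stmt = $pdo->prepare(
    'SELECT stored_name, original_name FROM documents WHERE id = ? AND owner_id = ?'
);
$stmt->execute([$docId, $_SESSION['user_id']]);
$doc = $stmt->fetch(PDO::FETCH_ASSOC);

// stored_name is a random server-generated name; basename() guards against
// a path separator ever ending up in that column.
$path = $doc ? STORAGE_DIR . '/' . basename($doc['stored_name']) : null;
if ($path === null || !is_file($path)) {
    http_response_code(404); // same answer for "missing" and "not yours"
    exit('Not found');
}

// Strip characters that could break the header from the user-supplied name.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($doc['original_name']));

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the file name on disk is generated by the server and the lookup is keyed on the logged-in user, neither the URL nor the original file name gives a path to another user's document.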