I'm developing a Web application where users can upload files.
Suppose to have different file categories, e.g. audio and docs. I guess I can put all the files that belongs from a category in a unique folder, e.g.:
audio_dir
-file_from_user1.mp3
-another_file_from_user1.mp3
-file_from_user2.mp3
-file_from_user4.mp3
docs_dir
-file_from_user1.doc
-file_from_user5.pdf
The other solution I'm evaluating uses a third level, where files are grouped by users.
audio_dir
user1_dir
-file_from_user1.mp3
user2_dir
-file_from_user2.mp3
user4_dir
-file_from_user4.mp3
docs_dir
user1_dir
-file_from_user1.doc
user5_dir
-file_from_user5.pdf
Which solution is the best? Please, notice that I'm interested in server security vulnerabilities and scalability.
In terms of security you should store the files outside of the web root. This effectively avoids someone from uploading a *.php or a *.pl or a *.py or .htaccess or any other executeablible script that maybe executed based on the HTTPD's configurations. I would also pass the file name though basename() before writing the file to prevent directory traversal attacks.
Then you can have a PHP script serve the file. You can also add user access control and file ownership by mapping the files to metadata stored in a SQL database.