Okay, I have a slight confession to make. I was going to store the files in a database but I didn't know how to serve them back out to the users (hanging my head in shame). Since I have a very tight deadline (they start using my work the day after I am writing this), I just quickly went with what I knew to get it up and running.

I'll be revisiting this after a week or so to clean things up (they'll use it for a week and then stop), so if anyone can point me in the right direction for serving files directly out of MySQL using CGI.pm and DBI.pm, that would be great.

Also, I'm just storing the files directly, I do have a table in my database which stores the other information you mentioned. Wouldn't it be faster have the user link directly to a file rather than a script that will serve the file?

As a side note, the group I am doing this for (who will remain nameless for legal reasons) is a non-profit group who couldn't afford to hire a really high-end Web development company, so I'm doing it for them for next to nothing. I think that's a mistake I'm not likely to repeat.

You'll have to store some sort of ID with the file, perhaps the supplied file name from the upload routine.

Since it goes straight into the database (be sure to quote it or use a DBI placeholder), you don't have to worry about the security implications of passing user data through the shell as part of an open statement.

You can also use a simple SQL SELECT statement to pull the file out of the database: SELECT file from saved_files WHERE name = ?;

Can you provide a little more detail on what exactly the sheets are composed of, etc? Are they HTML themselves, or are they fields from an HTML form? Does the data need to be reformatted on output, or is the data self-describing (akin to dumping HTML from a file straight out to a browser)?

Here's an instance. If you were storing GIF or JPG files in a database, and you wanted to display them in a 2 x 2 table, for each TD in the table you have an IMG SRC tag that read something like IMG SRC="myscript_getimage.pl?item=x", where 'x' was some unique identifier (like an auto_increment field) from the database.

The 'myscript_getimage.pl' would then be executed for each image to be displayed, and kick out the JPG or GIF.

Conversely, if the file is some sort of data file that goes into another program (say TestGrader.tgf), when they clicked a link or a field in a table (use that JavaScript! Use that OnClick event!), you could download the file to their machine (via the save file dialog, like you most likely get when you download a .ZIP file). Or, you can register a handler for it, and open the application directly, much like downloading a .PDF typically does.

There are lots of ways to manage data like this. If you can clarify your goals for the monks, I imagine we can come up with a suggestion to guide your down a more optimial path of elightenment. (Heh. Or you could see if you could get two dozen monks to collaborate, and turn your project into OpenSource).

--Chris

Personally, I'm inclined not to store the actual file contents in the database, because I feel that it complicates matters. My preference is to store the path to the file in the database, as well as any metadata about that file, then just store the file in the filesystem itself.

When you want to serve a file (I assume you mean over an HTTP connection), you can just set up a script to grab the filename from the db, grab the metadata, etc. I'm pretty sure you could then just issue the correct Content-Type, then open up the file and spit it out to the browser. Be sure to use binmode if you're running on a Windows machine (or one that makes a distinction between text and binary files).

Thanks for the info!

Using your script (I believe), the user could upload a .htaccess file. The user could also upload a cgi file (for example), that the .htaccess allows to be run, and Poof!, the user now has full access to whatever the webserver id can do (On most systems this is limited, but does include just about everything on the website). In Ovid's example, the user could get access to the database, and twiddle any bits there (grades/scores?)

I am also interested in giving users the ability to upload files to my website. Is it safe to allow users to upload a file as long as I name the file myself? I have an art business and I usually do drawings from photos. Ideally, I would like visitors of my site to be able to submit an image file to my site so I could give them a price quote for a drawing (or painting, etc). Do I need to take other precautions as well? Thanks, Rad (an humble newbie in Dallas)

Is it safe to allow users to upload a file as long as I name the file myself?

In general, yes (be sure to also control _where_ the file is going). Read up on perlman:perlsec and http://www.w3.org/Security/Faq/wwwsf4.html

This was just a sideline project, but based on the interest shown here, I now intend to finish it as quickly as I can.

/msg me or send email if you're interested...

Russ