Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks

I am developing a script which will allow users to upload files. The files will be fairly large (around 1/2 MB) and will be uploaded through a standard form.

These files are fairly sensitive and need to be stored as securely as possible. I'm not sure which is best for this: is it possible to store them in MySQL, and with those sizes? Or it may be best to just use an upload folder with a .htaccess file.

I'm also a little unsure on how to approach the basic upload code. If anyone could point me in the right direction I would greatly appreciate it.

Warm Regards

Re: File Uploading
by khkramer (Scribe) on Jan 02, 2002 at 04:41 UTC

    As grep notes, asking how to securely store your files opens up a big can of worms. You can certainly store multi-megabyte chunks of information in MySQL, but that's not really the issue. MySQL isn't a way to store things securely any more than the filesystem is. You probably want to think (read/learn) some about encryption and security in general.

    As for file uploads, the Apache::Request module is great. Here's a bit of simple code to handle file uploads in a mod_perl context.

        package UploadDemo;

        use Apache::Constants ':common';
        use Apache::Request;

        # mod_perl content handler: wrap the request and process the upload
        sub handler {
          my $r = Apache::Request->new ( shift );
          return get_file($r);
        }

        sub get_file {
          my $r = shift;

          eval {
            # slurp
            local $/ = undef;
            # $name_of_file_upload_field: the name of the form's file input
            my $upload = $r->upload ( $name_of_file_upload_field );
            my $fh = $upload->fh();
            my $uploaded_string = <$fh>;
            # save
            # ... (save code/call here)
          };
          if ( $@ ) {
            $r->log_error ( "upload failed -- $@" );
            return SERVER_ERROR;
          }

          $r->content_type ( "text/plain" );
          $r->print ( "ok -- file was uploaded" );
          return OK;
        }

        1;

    You'll need to do a little Apache configuration to hook a url to the UploadDemo handler sub, of course. Something like:

        <Location /upload.html>
          SetHandler perl-script
          PerlHandler UploadDemo
        </Location>

    Or, if you're doing this in Mason or some other templating environment, you can strip this code down even a little further, to get the hang of things. I usually prototype this kind of standalone thing in Mason, then flesh it out as a mod_perl module when I'm happy with the logic.

    Note that slurping the whole thing into a single scalar will be more memory-intensive than looping over the filehandle a line at a time. The Apache::Request documentation gives more examples and details (including describing a nifty UPLOAD_HOOK that can be defined to -- among other things -- display a progress meter as the file is read in.)

    Kwin
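
An added example, not khkramer's code or part of the original thread: the chunked alternative to slurping mentioned above, combined with a size cap and a server-chosen file name for the "upload folder" option in the question. `store_upload`, the 1 MB limit and the temporary directory are assumptions for illustration, and in-memory filehandles stand in for `$upload->fh()`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);

# Copy an upload from any filehandle into $dir in fixed-size chunks.
# Hypothetical helper; in a mod_perl handler $in would be $upload->fh().
sub store_upload {
    my ($in, $dir, $max_bytes) = @_;

    # File::Temp picks the name (never the client-supplied filename) and
    # creates the file exclusively with mode 0600.
    my ($out, $path) = tempfile('upload-XXXXXXXXXX', DIR => $dir, UNLINK => 0);
    binmode $_ for $in, $out;

    my $total = 0;
    my $ok = eval {
        while (1) {
            my $n = read($in, my $buf, 8192);
            die "read failed: $!\n" unless defined $n;
            last if $n == 0;
            $total += $n;
            die "upload exceeds $max_bytes bytes\n" if $total > $max_bytes;
            print {$out} $buf or die "write failed: $!\n";
        }
        close $out or die "close failed: $!\n";
        1;
    };
    unless ($ok) {
        my $err = $@;
        close $out;
        unlink $path;    # do not leave a partial file behind
        die $err;
    }
    return ($path, $total);
}

# Constructed demo data; real storage is assumed to live outside the DocumentRoot.
my $dir   = tempdir(CLEANUP => 1);
my $limit = 1024 * 1024;
my ($ok_data, $big_data) = ('x' x 500_000, 'x' x 2_000_000);

open my $small, '<', \$ok_data or die $!;
my ($path, $size) = store_upload($small, $dir, $limit);
printf "stored %d bytes as %s (mode %04o)\n", $size, $path, (stat $path)[2] & 07777;

open my $big, '<', \$big_data or die $!;
eval { store_upload($big, $dir, $limit) };
print "rejected: $@";
```

Memory use stays at one 8 KB buffer regardless of upload size, and an oversized upload is rejected and removed as soon as the cap is crossed rather than after it has been read in full.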
Re: File Uploading
by grep (Monsignor) on Jan 02, 2002 at 02:25 UTC
    This is not really a perl question, so I can't offer a perl answer. If you are really concerned about the security of these files, you will need to do quite a bit of reading. You have several things to consider: physical security, encryption, transmission, intrusion detection, and on and on. Far more than I can go into here. Then all this information is completely platform dependent. I would recommend the ORA books on security, Prac Unix and Internet Security and Securing Windows NT/2000 Servers for the Internet, and Hacking Exposed 2nd Ed by Osborne.

    As an admin directly responsible for security of NT, 2000 and Linux boxen, I would highly recommend leaning towards a *nix solution. I patch M$ products weekly without a break.

    grep
    grep> cd pub
    grep> more beer