I store uploaded files in the web directory:
//src/Acme/CocoBundle/Entity/CocoFromTheNorth.php
/**
 * @ORM\Column(type="string", length=255, nullable=true)
 */
public $path;
protected function getUploadRootDir()
{
    return __DIR__.'/../../../../web/'.$this->getUploadDir();
}
protected function getUploadDir()
{
    return 'uploads/documents';
}
Is this a good practice? Wouldn't it be better to keep uploaded files outside the web directory so that they cannot be directly accessed by the users?
Am I right to think that the best way would be to store uploaded files outside of the web root? Where would it be the best then? Or how could I configure the web server to deny access to the uploads directory?
Top secure file transfer protocols include SFTP, FTPS, and AS2. Each of these offers stronger encryption than standard FTP, as well as additional safeguards, including keys, passwords, and certificates to authenticate users or connections.
Store files in the cloud You can keep them safe in the cloud, but first, you have to know about the security of your storage service. Many popular file-sharing services, such as Dropbox, encrypt your data—but this doesn't make them completely private.
It's preferred to keep uploaded files outside of the web directory and use X-SendFile to serve those files after you established the access permissions using PHP.
I've outlined something similar here: How to securely store files on a server
And here: Caching HTTP responses when they are dynamically created by PHP
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With