Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
akashenk
Posting Yak Master
111 Posts |
 Posted - 2011-04-13 : 12:35:30
|
| In the past, I have always used the Server File System to store files (images, documents, etc.) which are uploaded from my web applications. The primary reason for this was ease of access and retrieval. However, for some applications I am working on now, it seems like it would make more sense to store files in a database instead. My question is in regards to security relating to these file uploads. Obviosuly, if a file is uploaded to the file system, certain security precautions need to be taken to try and avert someone trying to upload a malicious file that will do harm to the server or provide some other sort of security leak. My question is.. are there any additional or different security precautions that should be taken when storing the files in the database? |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2011-04-13 : 13:26:03
|
| Securing the data inside SQL is actually easier, IMO. You'd build the security into your application. You'd first have one general userid that the application uses to connect and has all of the necessary permissions. No one should know that password except the application admins. Then your application would handle an individual user's security via data in tables. Really the storing of files inside a database is no different than the other data you have to protect inside the database, the application just needs to handle it.Tara KizerMicrosoft MVP for Windows Server System - SQL Serverhttp://weblogs.sqlteam.com/tarad/Subscribe to my blog |
 |
|
|
akashenk
Posting Yak Master
111 Posts |
Posted - 2011-04-13 : 14:18:40
|
| Thanks for the info, but I was getting a little more at the security aspects of the file as opposed to securing access to the database records. If someone uploads a malicious file to the file system, then obviously the folder security is needed to make sure that files in that particular folder don't have sufficient permissions to expose the rest of the server to whatever threat the file brings. My question here is, what threats are there if a malicious file is uploaded to a SQL Server database as opposed to the file system? Is the data in the file storage column (varbinary(max), or whatever) somehow isolated? Can a malicious file be uploaded to SQL Server that could cause issues for the database instance or data/security integrity of the database server? |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2011-04-13 : 15:42:03
|
| With SQL 2008 and above, you also have the option for FILESTREAM storage."SQL Server 2008 Books OnlineFILESTREAM OverviewFILESTREAM integrates the SQL Server Database Engine with an NTFS file system by storing varbinary(max) binary large object (BLOB) data as files on the file system. Transact-SQL statements can insert, update, query, search, and back up FILESTREAM data. Win32 file system interfaces provide streaming access to the data..."CODO ERGO SUM |
|
|
|
akashenk
Posting Yak Master
111 Posts |
Posted - 2011-04-13 : 16:37:12
|
| I think the files are likely to be relatively small, so I'm not sure the FileStream option applies. But let's asusme it does. Then these files would in actuality be stored on the file system. Can I assume the hidden directory where SQL Server stores these files does not have execute or other elevated permissions? Is that something that can be changed if necessary?And, getting back to my original question whch assumes no FileStream... If the files are just stored as varbinary(max) fields, is there anything I need to be concerned about if someoe tries to upload a malicious file. Is it possible for someone to mess up a database instance, simply by storing a nefarious file on it? |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
|
|
|
|
|
Security Aspects of storing files in SQL Server