Advice on allowing anonymous file uploads
I'm redesigning the website for a very small employment agency using PHP to give them some interactivity with their site. Up until now, they've just been having people e-mail them their resume if they're interested in applying for a position, but I'm redesigning it so they can have a list of jobs available where the person can click Apply if they want to apply for a job.
The problem is that we've been talking about letting the person upload a resume, but I've read on other sites that allowing just anyone to upload files opens the door to hacking/viruses and so on. We've talked about it enough that we know we definitely don't want this to be a site where anyone who applies for a job has to register for an account with the site, because the company is way too small for that, and that sort of programming goes beyond the amount of time/money that the client wants to spend.
So basically, I'm just wondering if someone can tell me how bad an idea it is to allow anonymous uploads. The company exclusively uses Macs, so viruses aren't a HUGE issue, but I imagine they are still something to worry about, since I've heard about Macs getting viruses through exploits in Java before. I also wasn't going to store the uploaded file in a database, just save it on the server and allow employees to download it by logging into their accounts, so compromising the database hopefully shouldn't be an issue. But I do imagine someone could exploit the uploading feature by sending massive requests if they wanted to hack the site, or something like that. But then, I'm not sure if that's a serious possibility, considering that they are very small and they've just been posting their e-mail address on their website for people to send their resumes all this time, and they haven't had any problems.
It might actually be safer for the web server if you store in in the database, probably as a BLOB type column. That way any uploaded file could not be executed, it would just be an arbitrary set of bytes stored in the DB. As to what might happen if you download the file to your local PC/Mac, that's a separate issue (that hopefully your anti-virus software will take care of).
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread