
I'm developing a web app that is going to have many files for news, photo galleries, users, products... also PDF documents associated with database records.

I'm going to store the images & docs in folders on the server and I'm wondering if it is a good practice or it is not necessary to encrypt those files & folders.

So, for example, for a photo gallery, let's say GalleryId = 233, I'm going to create the folder "~/Files/Galleries/233/" and store all the photos inside. Also for a certain document, let's say "DocId = 22", I'd need the root "~/Files/Docs/22.pdf"...

Would it be necessary to encrypt those numbers so the users don't see the real Ids and see something like "aR2wdwewei"...?

Waste of time? Better to encrypt? Pros and cons?

Thanks in advance.

teo van kot
John Mathison

1 Answer

I suppose there is no difference between an int ID and a hash ID, except one.

If someone wants to download all your server files with int name files it will be much easier for him to get all data.

So if you want to protect yourself from this kind of "bruteforce download" - use a GUID.

It's even better to create a controller method that will return any file you want. That way you will have one place where you can write access logs and restrict access if you need.

teo van kot
  • Well, my entities have int, not guid, but what I do is encrypt the Id with an algorithm to a base 64 name. Also, could you explain the controller method thing to me? – John Mathison Nov 28 '16 at 14:58
  • @JohnMathison just create 1 method to which you pass your hash and it will return the file to you. – teo van kot Nov 28 '16 at 15:12
  • could you please put a link or something with an example...(sorry). Thanks. – John Mathison Nov 28 '16 at 15:21
  • @JohnMathison check what we got [here](http://stackoverflow.com/questions/3604562/download-file-of-any-type-in-asp-net-mvc-using-fileresult) – teo van kot Nov 28 '16 at 15:22
  • Thanks @teo, but those files are not for download only, I'm also talking about the files we publish on the site, such as product files... nobody downloads those images, they are just there so people can see the files. Do I need to do the same with those files? – John Mathison Nov 28 '16 at 19:01
  • Yeap, you do. There is no difference – teo van kot Nov 28 '16 at 19:09
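
The controller method suggested in the answer, as an added example in C# for ASP.NET MVC (not code from the original post or its authors): it maps a public GUID to the internal int id, checks access, and logs every request in one place, whether the file is a download or an image shown on a page. `FilesController`, `IFileStore` and `StoredFile` are hypothetical names. It assumes constructor injection is configured and that the files have been moved to `~/App_Data/Docs/`, which IIS does not serve directly, so the action is the only route to them.

```csharp
using System;
using System.Web.Mvc;
using Log = System.Diagnostics.Trace;

// Hypothetical record and lookup; neither is from the original post.
public class StoredFile
{
    public int Id;                // internal int key (e.g. DocId = 22), never put in a URL
    public Guid PublicId;         // random GUID exposed to clients instead
    public string Extension;      // e.g. ".pdf", taken from the database, not the request
    public string ContentType;    // e.g. "application/pdf"
    public bool IsPublic;         // product images, gallery photos
    public string OwnerUserName;  // checked when the file is not public
}

public interface IFileStore { StoredFile Find(Guid publicId); } // returns null if unknown

public class FilesController : Controller
{
    private readonly IFileStore _store;
    public FilesController(IFileStore store) { _store = store; }

    // GET /Files/Get/{id}  (usable as a download link or as an <img src>)
    public ActionResult Get(string id)
    {
        Guid publicId;
        if (!Guid.TryParse(id, out publicId)) return Refuse(null, "malformed id");
        StoredFile f = _store.Find(publicId);
        if (f == null) return Refuse(publicId, "unknown id");

        bool isOwner = User.Identity.IsAuthenticated && string.Equals(
            User.Identity.Name, f.OwnerUserName, StringComparison.OrdinalIgnoreCase);
        if (!f.IsPublic && !isOwner) return Refuse(publicId, "not authorized");

        // The path is built only from database values, so the request cannot steer it.
        string path = Server.MapPath("~/App_Data/Docs/" + f.Id + f.Extension);
        if (!System.IO.File.Exists(path)) return Refuse(publicId, "file missing");

        Log.TraceInformation("file served id={0} user={1}", publicId, User.Identity.Name);
        return File(path, f.ContentType);
    }

    // Same 404 for every refusal, so responses do not reveal which ids exist.
    private ActionResult Refuse(Guid? id, string reason)
    {
        Log.TraceWarning("file refused id={0} user={1} reason={2}", id, User.Identity.Name, reason);
        return HttpNotFound();
    }
}
```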