User-files organization in a Web server

Question

I'm developing a Web application where users can upload files.

Suppose to have different file categories, e.g. audio and docs. I guess I can put all the files that belongs from a category in a unique folder, e.g.:

audio_dir
  -file_from_user1.mp3
  -another_file_from_user1.mp3
  -file_from_user2.mp3
  -file_from_user4.mp3
docs_dir
  -file_from_user1.doc
  -file_from_user5.pdf

The other solution I'm evaluating uses a third level, where files are grouped by users.

audio_dir
  user1_dir
    -file_from_user1.mp3
  user2_dir
    -file_from_user2.mp3
  user4_dir
    -file_from_user4.mp3
docs_dir
  user1_dir
    -file_from_user1.doc
  user5_dir
    -file_from_user5.pdf

Which solution is the best? Please, notice that I'm interested in server security vulnerabilities and scalability.

Answer 1

In terms of security you should store the files outside of the web root. This effectively avoids someone from uploading a *.php or a *.pl or a *.py or .htaccess or any other executeablible script that maybe executed based on the HTTPD's configurations. I would also pass the file name though basename() before writing the file to prevent directory traversal attacks.

Then you can have a PHP script serve the file. You can also add user access control and file ownership by mapping the files to metadata stored in a SQL database.