Storing files in the DB is a recipe for disaster. Depending on your
front-end web server and back-end DB engine, DB storage is fraught
with timeout errors, database locking issues, query time issues, etc.
etc. It can be done, but it's a bad idea.
> 2) Should give everyone a file folder on the server, but then how do
> I secure it?
We use Amazon S3 and the Boto Python Library to upload files to the S3
DHT distribution network with an ACL marking the files private, then
use Boto to generate signed URLs that timeout after a few minutes.
This secures the files from general snooping, and secures them from
being accessed at a time not of your choosing.
> By the looks of it, My wife's Facebook page private images seem to
> be secured by using a complex path. I would prefer something better.
DHT names on Amazon S3 can be any ASCII text. Slashes (indicating
directory separation to most people) mean nothing to S3, allowing you
to use them if you really want to. (The entire system is treated as a
dictionary of name/value pairs.)
Additionally, you can store 4KB (I'm guessing here, we've never
encountered a limit) of arbitrary name/value pair metadata against
each object in the S3 DHT, which can be very handy.
— Alice.