|
For those new to message boards please try to follow a few simple rules when posting your question.- Choose the correct forum for your message. Posting a VB.NET question in the C++ forum will end in tears.
- Be specific! Don't ask "can someone send me the code to create an application that does 'X'. Pinpoint exactly what it is you need help with.
- Keep the subject line brief, but descriptive. eg "File Serialization problem"
- Keep the question as brief as possible. If you have to include code, include the smallest snippet of code you can.
- Be careful when including code that you haven't made a typo. Typing mistakes can become the focal point instead of the actual question you asked.
- Do not remove or empty a message if others have replied. Keep the thread intact and available for others to search and read. If your problem was answered then edit your message and add "[Solved]" to the subject line of the original post, and cast an approval vote to the one or several answers that really helped you.
- If you are posting source code with your question, place it inside <pre></pre> tags. We advise you also check the "Encode "<" (and other HTML) characters when pasting" checkbox before pasting anything inside the PRE block, and make sure "Use HTML in this post" check box is checked.
- Be courteous and DON'T SHOUT. Everyone here helps because they enjoy helping others, not because it's their job.
- Please do not post links to your question into an unrelated forum such as the lounge. It will be deleted. Likewise, do not post the same question in more than one forum.
- Do not be abusive, offensive, inappropriate or harass anyone on the boards. Doing so will get you kicked off and banned. Play nice.
- If you have a school or university assignment, assume that your teacher or lecturer is also reading these forums.
- No advertising or soliciting.
- We reserve the right to move your posts to a more appropriate forum or to delete anything deemed inappropriate or illegal.
cheers,
Chris Maunder
The Code Project | Co-founder
Microsoft C++ MVP
|
|
|
|
|
Apologies for the shouting but this is important.
When answering a question please:
- Read the question carefully
- Understand that English isn't everyone's first language so be lenient of bad spelling and grammar
- If a question is poorly phrased then either ask for clarification, ignore it, or mark it down. Insults are not welcome
- If the question is inappropriate then click the 'vote to remove message' button
Insults, slap-downs and sarcasm aren't welcome. Let's work to help developers, not make them feel stupid.
cheers,
Chris Maunder
The Code Project Co-founder
Microsoft C++ MVP
|
|
|
|
|
Hi forum,
What is currently the best method, in terms of security as well as scalability and least complexity, to store user uploaded documents on a shared hosting platform?
Is it to store the uploaded documents in a secure folder(s) location with a reference pointer (file path) in the database?
Or store the documents in the database itself (blob datatype)?
Or use a nosql "document store" version of the database?
The documents uploaded will be:
Mix of sensitive information (ex. containing a living person's date of birth) as well as historical, non-sensitive information
Varying in size from 1 page or image to several dozen
Varying in document type, mainly from .pdf, image files (.png, .jpeg, etc), .doc or .txt text files (there will be no audio or video file types)
The number of documents stored in the first year is estimated between 100 and 500, with about 1000 to 1200 additional each of the next couple of years.
If/when the site outgrows a shared hosting environment, other hosted solutions will be explored.
Other info:
PHP version 8.3.2
MySQL version 8.3.0 (InnoDB type used)
Thanks in advance!
modified 7-Mar-24 15:05pm.
|
|
|
|
|
I suggest you to stick with the former approach (storing files in a filesystem).
Storing large files in DB creates a lot of overhead when scanning table, inserting new rows, etc since such records span across multiple physical pages.
As a rule of thumb consider database for a structured data and filesystem or arbitrary unstructured files.
When it comes to NoSQL storages, most of the time you still expect the data there to conform to some schema. Their main use case is leverage horizontal scaling due to relaxed transactional guaranties (you can read more on a topic "CAP theorem" if you want to).
|
|
|
|
|
Thanks for the reply and information/suggestion. I appreciate it!
|
|
|
|
|
Bohdan Stupak wrote: Storing large files in DB creates a lot of overhead when scanning table, inserting new rows,
That is true.
But nothing in the OP suggests it will be close to that. The description suggests very few docs and the content of each is small. Plus one might also infer the churn rate is non-existent.
|
|
|
|
|
we5inelgr wrote: The number of documents stored in the first year is estimated between 100 and 500, with about 1000 to 1200 additional each of the next couple of years.
If/when the site outgrows a shared hosting environment
Those statements seem to be contradictory.
You are describing a very small data set. Unless your description is incorrect.
If you go up by an order of 10, and with 5 years the number of docs are 50,000. Which might seem like a bit but your other description suggests that the size of each is pretty small. But if each is a meg then at 50k it is 50 gig of data.
But my sizing might be way over. So if it is only about 6,000 and the size is 10k, then that is only 60 meg. Which is going to fit in anything that you might have.
we5inelgr wrote: in terms of security
Secure why? You mentioned birthday. If you are a business then you need all of that encrypted. But if this is just for you then is the only security that you want is that you don't loose it? If the second is true then you need two different ways to back it up. Online and local would be best.
|
|
|
|
|
The choice between storing files in a filesystem or as blobs in a database depends on various factors, where both approaches have their own pros and cons to consider.
Filesystem -
Pros-
Considered generally faster for read and write operations compared to databases.
Much easier to scale horizontally by adding more servers with shared access to the file system.
Cons-
Handling backups and recovery might be more complex especially if it grows over time.
Keeping file data and related metadata consistent can be challenging.
Database -
Pros-
Easier to maintain consistency between file data and metadata in a transactional database.
Database backups usually cover both file data and metadata.
Cons-
Retrieving and storing large files can impact database performance.
You may face scalability challenges when dealing with a large number of files.
|
|
|
|
|
iam looking for a working sample google maps on blazor web app with loading markers from database.
Using C# and SQL Server Database.
Everything i found i written for example with syncfusion or telerik controls.
or with old asp.net
could anyone help me?
|
|
|
|
|
That seems rather complicated to me. So less likely to find it as an example.
Following at least provides examples on how to use the google API itself.
google maps api markers
|
|
|
|
|
Hi jschell, thanks. But how to include in Blazor i found nothing too
|
|
|
|
|
Again the point is that you are looking for a complete solution for something that contains multiple pieces.
You must look for each piece then put them together.
|
|
|
|
|
I'm at the end of the project finally, and I'm putting the wraps on it.
I started programming headers in PHP for cache, and then it expanded into security as well. I built a system of ECMAScript modules, and my entry point module is being blocked by my CORS header. I can't figure this out, and could use some guidance on the subject.
Here is what I have.
/assets/scripts/core
/assets/scripts/core/coreExternal.module.js
coreExternal.module.js content
window.coreExternal {
setCommissionStartDate,
setCommissionStopDate, and so forth
On the WebPage, I use a script tag to load coreExternal
<script type="module" src="/pcad/assets/scripts/core/coreExternal.module.js"></script>
This call to the module, makes the window.coreExternal functions look like dangerous inlined script.
This is my PHP header for CORS
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self' *.fontawesome.com; script-src 'self' 'unsafe-inline' /pcad/assets/scripts/core/ https://kit.fontawesome.com/ 'nonce-".$nonce."' 'sha256-...'; style-src 'self'; img-src 'self' data:;");
From reading the documentation from Content Security Policy, I added 'unsafe-inline' which should sledge hammer out my modules, but they are still blocked.
Error Message:
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Source: coreExternal.setCommissionStartDate(this… assignCommission.phtml
My Questions
I don't do CORS stuff everyday, just once every few years, and this is the first time I've done it in code, and not used the web server to program this. Perhaps I have the concept going but failed in execution, well I'm sure that's it.
- Do I need the access-control headers?
- Did I paint myself into a corner using modules the way I did?
- Is one policy canceling another policy?
I still have issues with these error messages as well
Quote: Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
Source: --bs-breadcrumb-divider: '>'; viewVendors.phtml
The manual style I added to the table element
Quote: Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
Source: width: 100%; border: none; viewVendors.phtml
These are my headers in PHP. At this point, YES I am throwing darts at the wall on this, plus SMH and
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
header("Pragma: no-cache");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 1; mode=block");
header('Referrer-Policy: same-origin');
header("Access-Control-Allow-Origin: self");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
header("Access-Control-Expose-Headers: *");
header("Content-Security-Policy: default-src 'self' *.fontawesome.com; script-src 'self' 'unsafe-inline' /pcad/assets/scripts/core/ https://kit.fontawesome.com/ 'nonce-".$nonce."' 'sha256-...'; style-src 'self'; img-src 'self' data:;");
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
I replaced the script tags on the web pages to this ...
<?php $nonce = base64_encode(random_bytes(16)); ?>
<script type="module" src="/pcad/assets/scripts/core/core.module.js" nonce="<?php echo $nonce; ?>"></script>
So I don't have COR errors, I have Content-Security-Policy errors.
This error is from the input element onchange event, where I wasn't able to add an event listener, because of the data I needed to popular the function call. I'll have to rethink this.
Content-Security-Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent.
Source: coreExternal.setCommissionFinishedDate(t… 72 assignCommission.phtml
OK, so this is not easy, and will require me to do way more research on the subject, and rethink some of the code in this project.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
This is what is being outputed by the web server IIS server on server somnething version.
{
"name": "content-security-policy",
"value": "default-src 'self'; script-src 'self' swanpools-pcad-dev.occloud9.com; style-src 'self' 'unsafe-inline'"
},
Not even close to the header I wrote in PHP. I looked at IIS and didn't see any prepared headers. I'll dig down in PHP.ini and expand my search. And run the header in report only mode until I fix it. Chrome is telling me I'm in report only mode, but not Firefox.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
I ended up with this, a compromise between using a hammer to nail it through with no more console errors, and fixing several security issues for the better. By hammering it, I can get the app running for the owner to evaluate and test, and then consider more security fixes and upgrades.
Font-Awesome or the FortAwesome free version
I removed all the Font-Awesome errors, but removing the all.min.js JavaScript file from the header elements. Turns out I don't need that JavaScript, and what it does is this.. Instead of using the fonts from Node_Modules, it fetches the latest version of the fonts and other stuff, to replace what Node_Modules has, and does things like monitor the use of the product, and causes licensing issues where it's no longer the free version. Well, the files it fetched were the free version files at least, so I got something right that I tossed in the trash.
Diagnostics
I used Mozilla FireFox at first, but it gave me generic information back, that never changed. I assume the headers I was inspecting was for public consumption. I ended up having to use Chrome in Developer mode, to see the real headers being returned from the response of the web page loading.
ECMA Script Modules
I used this to solve that issue in CSP. The use of a nonce. Declaring a master module that references child modules on a web page.
<?php $nonce = base64_encode(random_bytes(16)); ?>
script type="module" src="/assets/scripts/core/core.module.js" nonce="<?php echo $nonce; ?>"></script>
Inline scripts
I used this in the CSP rule below, to solve script within a element, calling onclick or onchange
script-src-elem 'self' 'unsafe-inline' 'unsafe-hashes';
onclick="core.setProjectType('<?php echo $apiUri; ?>', 'landscape')"
SVG like spinners and things you embed on the web page
img-src 'self' data: w3.org/svg/2000;
Warning
This is not my best work, and not completed yet, but gets the project back up and running so I can finish it and be done with it. This work does leave me with a little more work to beef up the security some more, but on my terms and not the web server or browsers terms.
If your clueless about this subject, then you can use this as a reference to model something for yourself. Remember I'm not an expert on this subject, but do understand the point. And I spent many hours doing research and reading, plus testing. It doesn't matter that this is PHP, because the principals are the same with most web technologies.
My Work
Cache Rules
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
header("Pragma: no-cache");
X- Stuff Rules
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 1; mode=block");
header('Referrer-Policy: same-origin');
COR Rules
header("Access-Control-Allow-Origin: <a href="https:
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
header("Access-Control-Max-Age: 86400");
header("Access-Control-Expose-Headers: *");
CSP Rules
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'self'; script-src-elem 'self' 'unsafe-inline' 'unsafe-hashes'; script-src-attr 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: w3.org/svg/2000; object-src data: 'unsafe-eval';");
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
I'm following this tut on js: Arrow Functions JavaScript Tutorial - What NOT to do!!! , and in the part where he explains why not to use setTimeout inside arrow functions, the justification is that they look for scope on the window. and not on the enclosed scope of arrowFunc method. But the tests i made, had the opposite results: the named functions had window, arrow function had the correct one. So:
const dude = {
name: 'dude',
namedFunc() {
console.log('name 1: ', this.name);
setTimeout(function() {
console.log('this 1:', this);
console.log('name 2:', this.name);
}, 200);
},
arrowFunc() {
console.log('name 3:', this.name);
setTimeout(() => {
console.log('this 2:', this);
console.log('name 4:', this.name);
}, 300)
}
}
console.log('namedFunc:', dude.namedFunc());
console.log('arrowFunc:', dude.arrowFunc());
Expected:
this 1: {name: 'dude', namedFunc: ƒ, arrowFunc: ƒ}
name 2: dude
this 2: Window {window: Window, self: Window, document: document, name: '', location: Location, …}
name 4:
Actual result:
this 1: Window {window: Window, self: Window, document: document, name: '', location: Location, …}
name 2:
this 2: {name: 'dude', namedFunc: ƒ, arrowFunc: ƒ}
name 4: dude
modified 16-Jan-24 16:10pm.
|
|
|
|
|
Member 16183444 wrote: not to use setTimeout inside arrow function You say don't use setTimeout inside an arrow function, but your code example is using an arrow function inside setTimeout as a callback. That's the exact opposite. Do you have a timestamp in that video where he speaks of this?
Anyway, to your point, a lot of people get confused about this and lexical scope. I have no idea why there's so much disinformation in JavaScript's ecosystem. But alas, there is. When in doubt, trust what MDN says or, as in this case, your own testing.
From MDN: Arrow functions don't have their own bindings to this Which means, arrow functions don't bind their own scope. They inherit it from the parent one. A regular function will always define its this value. The value of this is determined by how a function is called. To put it simply, the this in the setTimeout function for the regular anonymous function is using the this of setTimeout 's scope because setTimeout is what calls the function.
Don't know what the dude said in the video because I didn't watch the whole 30 mins. But, that's the reason for the behavior you're seeing.
Jeremy Falcon
|
|
|
|
|
Is there a server-side web framework like WordPress but built on Microsoft technologies?
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Googling suggests alternatives but I didn't look to see how they were built.
wordpress alternative windows
|
|
|
|
|
You're right! I should have Googled it first.
But thanks for the recommendation.
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Can someone help me understand whether PHP is compiled or interpreted?
I googled it and was left very confused.
It sounds like PHP is compiled to some type of bytecode. But, I have never seen another file created (an executable).
I can't imagine PHP would re-compile each script.php every time it is used, but I don't see any .exe files getting created.
Anyone know how PHP really works? It seems like almost no one knows.
Thanks.
|
|
|
|
|
|
There is not a clear, absolute distinction. Old style interpreters would interpret the statements of a loop from source code on every iteration of the loop, and similar with other constructs.
To speed up execution, interpreters began (at least 25 years ago, maybe earlier) when analyzing a statement, to leave the analysis in a memory cache. So for a loop, the analysis was done the first time through. Following iterations skipped the analysis step, and rather picked up the analysis from the cache.
As this became more common, the analysis results became more formalized into some variant of P-code, suitable for direct interpretation. When done as a separate step, for an entire program or program module (e.g. the classic Pascal compiler from ETH Zürich), it is always called a compiler. So when the php runtime system does the same thing for a loop, you might say that it is a compiler, compiling that loop.
Another change over time: The first interpreters to save analysis results for later use did it line by line, or statement by statement. More recent interpreters compile larger units, e.g. a complete method, in order to apply optimizations such as moving invariants out of loops, calculating common expressions once only etc.
If the generated code follows a well defined grammar, the runtime compiler may save it to a file or cache. Compare it to dotNet: The IL code(*) of an assembly is compiled to binary machine code by the "jitter" (Just In Time compiler) first time it is run. The jitter also saves the binary code in a (persistent) disk cache that is usually not seen by neither programmer nor user; it is in a file space managed by the jitter alone. Next time the same assembly is run, the jitter first looks in its cache: If an already compiled version is found there, it is loaded, and the JIT compiling is bypassed.
A similar (persistent) caching (of P-code) might be employed by an interpreter. It should not affect the source language - the same source may be interpreted on one machine, compiled to P-code on the fly on every execution on another machine, while a third machine may have an interpreter looking in its cache for an already compiled variant.
This may be applied to a lot of different languages: You could make an interpreter to P-code on the fly, for subsequent immediate interpretation by an interpreter. Usually, you think of Java as a compiled language, but if you integrate JVM with the compiler, they might appear externally just as 'interpreted' as, say, PHP.
(*) dotNet IL code and P-code are at comparable abstraction level. The difference is that P-code is designed to be directly interpreted by a virtual machine; it is complete and ready for running, like a binary machine code (although not the machine code of the real machine you are running). IL code has a lot more 'loose ends' that must be tied up; there are more final decisions to be taken, but then there is more freedom when generating final binary machine code for that specific real machine. You cannot move this binary code to another machine; it may have a CPU missing a few instruction set options (the jitter makes binary code to make use of anything that is available), or maybe a completely different binary instruction set. P-code (usually) can be moved to other machines of arbitrary architecture and instruction set.
Note that P-code (or bytecode) is not a single firmly defined format. There are different P-codes, Java bytecode is not identical to the classical Pascal P4-code (although it is said to be heavily inspired by P4).
Religious freedom is the freedom to say that two plus two make five.
|
|
|
|
|
Sorry, why atre you telling me this?
|
|
|
|
|