Security/Malware implications of storing data in a BLOB as opposed to the file system
This has been answered before on this site, in extensive detail. See these questions:
- What are the security risks of letting the users upload content to my site?
- Is it necessary to scan users' file uploads by antivirus?
- Antivirus for scanning anonymous file uploads
- What steps should be taken to validate user uploaded images within an application?
- What are security risks of serving user uploaded files without Content-Disposition?
- Why should I restrict the content type of files be uploaded to my site?
- Is it safe to store and replay user-provided mime types?
- Is it safe to serve any user uploaded file under only white-listed MIME content types?
The answer to your question about databases and the format of the file is: it doesn't matter how you store the file. The risks are the same whether the uploaded file is stored as a BLOB, as a binary field, on the file system, or in some other way. That's just an implementation detail.
What's important is what kind of validation you do, and how you address the threats. Any of the standard mitigations can be made to work, no matter how you decide to store the uploaded file -- the important thing is that you understand the risks and select mitigations appropriate that are appropriate for your application.
For general advice relating to web security, OWASP is always a good resource.
Storing a file in a database or storing it as a file both be done in a secure or insecure way. There are also databases that are designed to store files, such as Amazon S3 and Google Blobstore. Even though it is stored as a BLOB datatype, the database is storing everything in a file on the file system.
There are always security concerns, and there is very little difference between these approaches. Its more about building an application that accounts for threats.