0

I have a site where people can upload photos and crop them. The code to do the upload is below:

    <form action="scripts/ajax/ajax_photo_processing_functions.php?photos=photoUpload method="post" enctype="multipart/form-data">
        <input type="file" name="file"><br>
    </form>

I wanted to ask if I should be concerned with people uploading (or using a script/bot/hack/) to upload an endless number of photos until a server/php file system was 100% full and potentially caused the server to fall over.

I understand if this is a silly question but I just wanted to understand if other people see this as an issue and what they might do about it?

thx

Adam
  • 19,932
  • 36
  • 124
  • 207
  • Well, it all depends on you. If you want to let them upload an unlimited number of files, and if they abuse this advantage, (although it's extremely hard) it's possible to do what you're worried about. – Mohammad Tomaraei Dec 14 '13 at 11:22
  • The same applies to any kind of POST request: http://stackoverflow.com/questions/2364840/what-is-the-size-limit-of-a-post-request – Ciro Santilli OurBigBook.com Nov 10 '14 at 08:01

2 Answers2

1

You need to count the number of photos uploaded in a session (on server) per user. If this reaches a threshold, then block it for a while. However, you'll need to make sure that only humans can start a session. Do this using well know techniques like forcing users to sign in for the service, maybe having to solve a captcha before...

hek2mgl
  • 152,036
  • 28
  • 249
  • 266
1

Prevent Excessive Upload

  • Limit number of photo user can upload per certain period. For example: a single IP can only upload 5 pictures per 10 minutes.
  • Limit size per photo. For example: 2mb per photo.

Free Unnecessary Files

  • Even we can prevent user to rapidly upload the file, they can upload many unused photo and eventually, it will build up. You can have a single program to check if any photo has not been used for 3 months, and delete them.

Prevent Duplicate Photo

  • You can hash every uploaded picture. If the new uploaded picture is existed, check if the content of the existing picture and the new uploaded picture is the same.

Prevent Large-Scale Attack

  • Even if limiting number picture that can be uploaded helps, it does not help If they attack by using 10,000 different IP to uploading picture. You can have a global counter, if there are more than 1,000 picture has been upload in the last period of 10 minutes, enable global captcha which means that user need to input captcha to upload picture.
invisal
  • 11,075
  • 4
  • 33
  • 54