
I have a file upload script as below (upload.php). As far as I can guess, someone can write a script that sends 1000+ files to upload.php in a short period of time.

So, how do I protect myself from a numerous file uploads attack?

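<?php
    // generateRandomString() is the asker's own helper; its definition is not shown in the post.
    if (!empty($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
        $ds = DIRECTORY_SEPARATOR;
        $storeFolder = 'uploads';

        // Spread uploads over up to 1000 subdirectories.
        $rand_dir = rand(1, 1000);
        $targetPath = realpath(dirname(__FILE__) . '/..') . $ds . $storeFolder . $ds . $rand_dir . $ds;
        $targetPath_clean = $storeFolder . $ds . $rand_dir . $ds;

        if (!file_exists($targetPath)) {
            mkdir($targetPath, 0777, true);
        }

        // The extension comes from the client-supplied file name and is not validated here.
        $filename = date('YmdHis_') . generateRandomString() . '.' . pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

        // Report a failed move instead of echoing a path that was never written.
        if (!move_uploaded_file($_FILES['file']['tmp_name'], $targetPath . $filename)) {
            die('upload failed');
        }
        echo $targetPath_clean . $filename;
    } else {
        die('access denied');
    }
?>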
sirjay
  • Not possible. PHP doesn't run until AFTER the upload has completed. There is literally nothing you can do in PHP to prevent the problem. – Marc B Jul 29 '15 at 17:08
  • http://stackoverflow.com/questions/9813556/count-and-limit-the-number-of-files-uploaded-html-file-input – Huang Chen Jul 29 '15 at 17:09
  • What if 1000+ legitimate users are trying to send a file to upload.php at the same time? – frz3993 Jul 29 '15 at 17:12

1 Answer


This mainly depends on what you want to achieve.

If the form is anonymous, you can use some kind of CAPTCHA or limit file uploads from one host (e.g. saving the given IP in a database and limiting its ability to upload further files). If your script requires user authorization, you can limit file uploads by the given login.

Please give us more details about your business logic so we will be able to help you.

Abdel5
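
The per-host limit described in this answer, as an added example (not the answerer's code): each upload attempt is logged per client key (IP or login) and refused once a limit is reached within a time window. The table name, function names, limit values and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example: cap uploads per client key within a sliding time window.
// Table name, function names and limits are assumptions, not from the post.

function initUploadLog(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS upload_log (
        client_key TEXT NOT NULL,
        ts INTEGER NOT NULL
    )');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_upload_log ON upload_log (client_key, ts)');
}

// Returns true and records the attempt if $key has made fewer than $limit
// uploads in the last $window seconds; returns false otherwise.
function allowUpload(PDO $db, string $key, int $limit, int $window, ?int $now = null): bool
{
    $now = $now ?? time();
    $db->beginTransaction();
    try {
        // Drop entries that fell out of the window so the table stays small.
        $db->prepare('DELETE FROM upload_log WHERE ts <= ?')->execute([$now - $window]);

        $count = $db->prepare('SELECT COUNT(*) FROM upload_log WHERE client_key = ?');
        $count->execute([$key]);
        $allowed = (int) $count->fetchColumn() < $limit;

        if ($allowed) {
            $db->prepare('INSERT INTO upload_log (client_key, ts) VALUES (?, ?)')
               ->execute([$key, $now]);
        }
        $db->commit();
        return $allowed;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed demo: in-memory SQLite, limit of 3 uploads per 60 seconds.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initUploadLog($db);

$key = '203.0.113.7'; // constructed IP; use the login for authenticated forms
foreach ([0, 1, 2, 3, 61] as $t) {
    printf("t=%2d %s\n", $t, allowUpload($db, $key, 3, 60, 1000 + $t) ? 'accept' : 'reject');
}
```

In upload.php the call would sit before move_uploaded_file(), keyed on $_SERVER['REMOTE_ADDR'] or the logged-in user. The request body has already been received by the time PHP runs, as the first comment notes, so this caps what gets stored rather than the bandwidth consumed.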