Drongo_III, posted November 24, 2013:

Hi Guys

I am after a little advice. I'm working on a fairly large volume site, 2-3 mill hits a month, for a large company. The reason this is significant will become clear.

I'm creating a multistage signup form (though it is very specific and volumes are likely to be quite low) and part of it requires image uploads - around 2-6 images with max total file size of around 10mb.

However, I am a little concerned as to whether this image upload represents a vulnerability. Images get uploaded halfway through the registration process irrespective of whether the user completes, because we use the uploaded images to display as thumbnails in the page as they upload each one. I have a cron script set to run each day that cleans down images of more than 1 day old that don't have a corresponding database record. But my concern is that if someone wanted to attack the form they could probably automate an upload to the site over and over and potentially cause big problems.

I was wondering if anyone else had ever encountered the same issue or concern and how you recommend getting around it.

Possible ways I can think of are:

- log IPs and deny multiple submissions from the same IP
- Run the cron more frequently to clean up

I have also considered some sort of unload ajax event that would call a cleanup script, but I wasn't sure that would really fix this issue since a seasoned attacker would likely circumvent that quite easily.

Any advice is very welcome.

Drongo

sKunKbad, posted November 24, 2013:

Maybe a temp uploads table is needed, or a field in the current table that allows for serialized data to represent what is uploaded. There are lots of security issues for uploads, so I recommend checking out how some popular frameworks are handling them.

objnoob, posted November 24, 2013:

Maybe base64 is something you could use to store the images as text along with the other form data until the form process is completed. However the other form data is cleared if the process is aborted, the image encoding would clear too.
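
Added example, not part of any post in this thread: PHP code that combines the temp uploads table suggested above with the per-IP limit and cron cleanup from the first post. The table, function and constant names are hypothetical, the one-hour quota window is an assumption, and the demo data is constructed; it uses PDO with an in-memory SQLite database.

```php
<?php
// Added example: pending_uploads, MAX_FILES, MAX_BYTES and WINDOW are hypothetical names.
const MAX_FILES = 6;                 // thread: 2-6 images per signup
const MAX_BYTES = 10 * 1024 * 1024;  // thread: around 10 MB in total
const WINDOW    = 3600;              // assumption: per-IP quota window, in seconds

function initSchema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS pending_uploads (
        id INTEGER PRIMARY KEY, ip TEXT NOT NULL, path TEXT NOT NULL,
        bytes INTEGER NOT NULL, created_at INTEGER NOT NULL)');
}

// Record an upload only if the client IP stays within its quota for the window.
function acceptUpload(PDO $db, string $ip, string $path, int $bytes, int $now): bool {
    $q = $db->prepare('SELECT COUNT(*), COALESCE(SUM(bytes), 0) FROM pending_uploads
                       WHERE ip = ? AND created_at > ?');
    $q->execute([$ip, $now - WINDOW]);
    [$files, $used] = $q->fetch(PDO::FETCH_NUM);
    if ($files + 1 > MAX_FILES || $used + $bytes > MAX_BYTES) {
        return false; // caller discards the temp file and answers HTTP 429
    }
    $db->prepare('INSERT INTO pending_uploads (ip, path, bytes, created_at) VALUES (?, ?, ?, ?)')
       ->execute([$ip, $path, $bytes, $now]);
    return true;
}

// Cron job: delete files and rows for uploads never attached to a completed signup.
function purgeStale(PDO $db, int $now, int $maxAge): int {
    $q = $db->prepare('SELECT id, path FROM pending_uploads WHERE created_at < ?');
    $q->execute([$now - $maxAge]);
    $del = $db->prepare('DELETE FROM pending_uploads WHERE id = ?');
    $n = 0;
    foreach ($q->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (is_file($row['path'])) { unlink($row['path']); }
        $del->execute([$row['id']]);
        $n++;
    }
    return $n;
}

// Constructed demo: one IP uploading 2 MB files in a loop.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initSchema($db);
$now = 1385251200; // constructed timestamp
for ($i = 1; $i <= 7; $i++) {
    $ok = acceptUpload($db, '203.0.113.7', "/tmp/pending_demo_$i.jpg", 2 * 1024 * 1024, $now + $i);
    echo "upload $i: ", $ok ? 'accepted' : 'rejected', "\n";
}
echo 'purged: ', purgeStale($db, $now + 7200, 3600), "\n";
```

Take `$ip` from `$_SERVER['REMOTE_ADDR']` rather than a client-supplied header such as `X-Forwarded-For`, unless a trusted proxy sets it. When a signup completes, delete its rows from `pending_uploads` so the cron job leaves those files alone.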