
Hi Guys

I am after a little advice.

I'm working on a fairly large volume site - 2-3 mill hits a month for a large company. The reason this is significant will become clear.

I'm creating a multistage signup form (though it is very specific and volumes are likely to be quite low) and part of it requires image uploads - around 2-6 images with a max total file size of around 10 MB.

However, I am a little concerned as to whether this image upload represents a vulnerability. Images get uploaded halfway through the registration process irrespective of whether the user completes it, because we use the uploaded images to display as thumbnails in the page as they upload each one.

I have a cron script set to run each day that cleans down images more than 1 day old that don't have a corresponding database record. But my concern is that if someone wanted to attack the form they could probably automate an upload to the site over and over and potentially cause big problems.

I was wondering if anyone else had ever encountered the same issue or concern and how you recommend getting around it.

Possible ways I can think of are:

  • log IPs and deny multiple submissions from the same IP
  • Run the cron more frequently to clean up

I have also considered some sort of unload ajax event that would call a cleanup script, but I wasn't sure that would really fix this issue since a seasoned attacker would likely circumvent that quite easily.

Any advice is very welcome.
Drongo

https://forums.phpfreaks.com/topic/284223-image-upload-and-security/

Maybe a temp uploads table is needed, or a field in the current table that allows for serialized data to represent what is uploaded. There are lots of security issues for uploads, so I recommend checking out how some popular frameworks are handling them.
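The following is an added example, not code from either post in this thread. It puts together what the two posts describe: a pending-uploads table that ties each file to one signup attempt (the reply's suggestion), a per-client throttle and a per-signup quota of 6 files / 10 MB (the original poster's IP-logging idea and form limits), validation of the file bytes, and a cleaner that can run from cron far more often than once a day. It assumes PHP 7.4+, PDO with MySQL, an upload directory outside the web root, a form field named `image`, and the table schema given in the comment; every name, path and credential in it is an illustrative placeholder.

```php
<?php
declare(strict_types=1);
// Added example (not the thread's code). Assumed schema, MySQL:
// CREATE TABLE pending_uploads (
//   id              INT AUTO_INCREMENT PRIMARY KEY,
//   session_token   CHAR(64) NOT NULL,   -- one signup attempt
//   client_hash     CHAR(64) NOT NULL,   -- sha256(client IP), used for throttling
//   stored_name     CHAR(36) NOT NULL,   -- random server-chosen file name
//   bytes           INT      NOT NULL,
//   registration_id INT      NULL,       -- set once the signup completes
//   created_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
//   INDEX (session_token), INDEX (client_hash, created_at), INDEX (registration_id, created_at)
// );

const UPLOAD_DIR      = __DIR__ . '/../uploads/pending';   // assumed: outside the web root
const MAX_FILES       = 6;                                 // per signup attempt
const MAX_TOTAL_BYTES = 10 * 1024 * 1024;                  // 10 MB per signup attempt
const RATE_LIMIT      = 20;                                // uploads per client per window
const RATE_WINDOW_MIN = 10;
const ALLOWED         = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function handleUpload(PDO $db, string $sessionToken, string $clientIp, array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'no file received'];
    }
    $clientHash = hash('sha256', $clientIp);

    // 1. Throttle per client. Counting rows works across several web nodes,
    //    where an in-process counter would not.
    $st = $db->prepare('SELECT COUNT(*) FROM pending_uploads
                         WHERE client_hash = ? AND created_at > NOW() - INTERVAL ? MINUTE');
    $st->bindValue(1, $clientHash);
    $st->bindValue(2, RATE_WINDOW_MIN, PDO::PARAM_INT);
    $st->execute();
    if ((int) $st->fetchColumn() >= RATE_LIMIT) {
        return ['ok' => false, 'error' => 'too many uploads, try again later'];
    }

    // 2. Per-signup quota: file count and total bytes for this attempt.
    $st = $db->prepare('SELECT COUNT(*), COALESCE(SUM(bytes), 0) FROM pending_uploads
                         WHERE session_token = ?');
    $st->execute([$sessionToken]);
    [$count, $total] = $st->fetch(PDO::FETCH_NUM);
    $size = (int) $file['size'];
    if ((int) $count >= MAX_FILES || (int) $total + $size > MAX_TOTAL_BYTES) {
        return ['ok' => false, 'error' => 'upload quota for this signup exceeded'];
    }

    // 3. Validate the bytes, not the client-supplied file name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || @getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'error' => 'not an accepted image'];
    }

    // 4. Store under a random name whose extension comes from the detected type.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        return ['ok' => false, 'error' => 'could not store file'];
    }
    $db->prepare('INSERT INTO pending_uploads (session_token, client_hash, stored_name, bytes)
                  VALUES (?, ?, ?, ?)')
       ->execute([$sessionToken, $clientHash, $stored, $size]);
    return ['ok' => true, 'name' => $stored];
}

// Final registration step: link the files to the new record so the cleaner keeps them.
function attachUploads(PDO $db, string $sessionToken, int $registrationId): int
{
    $st = $db->prepare('UPDATE pending_uploads SET registration_id = ?
                         WHERE session_token = ? AND registration_id IS NULL');
    $st->execute([$registrationId, $sessionToken]);
    return $st->rowCount();
}

// Cron job (e.g. every 15 minutes): remove files of signups abandoned for $maxAgeMin minutes.
function cleanupAbandoned(PDO $db, int $maxAgeMin = 60): int
{
    $st = $db->prepare('SELECT id, stored_name FROM pending_uploads
                         WHERE registration_id IS NULL AND created_at < NOW() - INTERVAL ? MINUTE');
    $st->bindValue(1, $maxAgeMin, PDO::PARAM_INT);
    $st->execute();
    $del = $db->prepare('DELETE FROM pending_uploads WHERE id = ?');
    $removed = 0;
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $path = UPLOAD_DIR . '/' . basename($row['stored_name']);
        if (!file_exists($path) || unlink($path)) {   // drop the row only once the file is gone
            $del->execute([$row['id']]);
            $removed++;
        }
    }
    return $removed;
}

// Endpoint wiring (assumed): the AJAX upload posts one file per request.
session_start();
$_SESSION['signup_token'] = $_SESSION['signup_token'] ?? bin2hex(random_bytes(32));
$db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass',   // placeholder credentials
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
header('Content-Type: application/json');
echo json_encode(handleUpload($db, $_SESSION['signup_token'], $_SERVER['REMOTE_ADDR'], $_FILES['image'] ?? []));
```

Because the files live outside the web root under random names, the thumbnails shown during signup are served by a small read-only script that looks the name up in `pending_uploads` for the caller's own session token, so one session cannot view or guess another's files. The per-signup quota is the control that actually bounds disk use per attempt; the IP throttle only slows a single source, so the cleaner's short age limit and the per-attempt cap matter more than the cron interval alone, and no client-side unload hook is needed.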
