Refreshing the page = uploading the file again and again

[Dan_y2k]

In DFH v1.2.9, after I'm uploading via normal input and getting to the "separate" page ./upload.php?do=verify and hitting the refresh button, my browser asks my permission to resubmit the form, and if I hit ok - it uploads the same file all over again. Just imagine what can happen if someone who wants to harm your website will come up with a way to automate this process - and then you'll have a big server load and small free webspace on your hands.

I've looked up for some solutions, and I think that the best one is to set a hidden input named postcheck which contains a random md5 number, and check it against the current session, and of course that it will change in every page load.

The code here is just a small example which I haven't tested, but it'll maybe help with thinking of a good implementation.

Code: Select all

if( ($_SESSION['postcheck'] != $_POST['postcheck']) )
{
    return false;
} else {
    return true;
}

Thanks.

[SamEA]

Hi Dan_y2k,

Adding session verification to this process will not prevent any sort of automated systems from reuploading the same file again, as such systems are capable of retrieving this data the same way a browser will be able to. The only way you can prevent abuse, would be handled at the web server level (i.e Apache) or by adding a captcha each and every time to a new file upload.

The only other method would be verifying if the file was uploaded by the same user, but again, an automated system could continuously travel on different IP addresses.

I have never heard of DFH users having any issues with abusive server load. Are you experiencing any? If so, I will look further into this.

Thanks,