

Limit User Uploads PHP

I have a script that allows anyone to upload a file under 200 MB; after the file is downloaded once it is deleted, and after 24 hours all files are deleted from the server. My question is how I can limit the number of times someone can upload a file. For example: if someone were to upload 3 files in one hour and then try to upload a 4th file, they would need to enter a captcha code to ensure they are not a robot. But how would I go about doing this?

Code for uploading:

    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

    <script>
    function _(el){
        return document.getElementById(el);
    }

    function uploadFile(){
        var file = _("file1").files[0];
        if (!file) {
            // nothing selected: stop here instead of posting an empty form
            _("status").innerHTML = "No file selected";
            return;
        }
        //alert(file.name+" | "+file.size+" | "+file.type);
        var formdata = new FormData();
        formdata.append("file1", file);
        var ajax = new XMLHttpRequest();
        ajax.upload.addEventListener("progress", progressHandler, false);
        ajax.addEventListener("load", completeHandler, false);
        ajax.addEventListener("error", errorHandler, false);
        ajax.addEventListener("abort", abortHandler, false);
        ajax.open("POST", "upload.php");
        ajax.send(formdata);
    }

    function progressHandler(event){
        //_("loaded_n_total").innerHTML = "Uploaded "+event.loaded+" bytes of "+event.total;
        var percent = (event.loaded / event.total) * 100;
        _("progressBar").value = Math.round(percent);
        _("status").innerHTML = Math.round(percent)+'%';
    }

    function completeHandler(event){
        // whatever upload.php prints is shown to the user
        _("completed").innerHTML = event.target.responseText;
        _("progressBar").value = 100;
    }

    function errorHandler(event){
        _("status").innerHTML = "Upload Failed";
    }

    function abortHandler(event){
        _("status").innerHTML = "Upload Aborted";
    }
    </script>

    <body>
    <!-- the elements the script looks up by id: file1, status, completed -->
    <input type="file" name="file1" id="file1">
    <input type="button" value="Upload File" onclick="uploadFile()" class="UploadButton">
    <progress id="progressBar" value="0" max="100"></progress>
    <span id="status"></span>
    <div id="completed"></div>
    </body>

PHP upload script:

    <?php

    include('connect.php');

    // bail out if no file was sent or PHP reported an upload error
    // (UPLOAD_ERR_OK is 0; any other value means the upload failed)
    if (!isset($_FILES["file1"]) || $_FILES["file1"]["error"] !== UPLOAD_ERR_OK) {
        exit();
    }

    $ogname = $_FILES["file1"]["name"];
    // The original file name as sent by the browser (client-controlled)

    $length = 20;
    $randomString = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);

    $num = rand();
    $key = md5($num);

    $info = pathinfo($ogname);
    // not every name has an extension, so avoid an undefined-index notice;
    // the extension is client-supplied, so restrict it (e.g. an allowlist)
    // if the files/ directory is served directly by the web server
    $ext = isset($info['extension']) ? $info['extension'] : 'bin';

    $fileName = $randomString . "." . $ext;

    // gets ip address of client
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so the client
    // can set them to anything; only REMOTE_ADDR comes from the TCP connection itself
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }

    // stored with the row so the ip can be checked later
    $downloads = 0;
    $time = 0;

    $fileTmpLoc = $_FILES["file1"]["tmp_name"];  // File in the PHP tmp folder
    $fileType   = $_FILES["file1"]["type"];      // MIME type as claimed by the browser
    $fileSize   = (int) $_FILES["file1"]["size"]; // File size in bytes

    if ($fileSize > 200 * 1024 * 1024) {
        // if too large (200 MB = 209715200 bytes)
        exit();
    }

    if (!$fileTmpLoc) {
        // if file not chosen
        exit();
    }

    if (move_uploaded_file($fileTmpLoc, "files/$fileName")) {
        // success: escape the client-supplied strings before they go into the query
        $ogname   = mysql_real_escape_string($ogname);
        $fileType = mysql_real_escape_string($fileType);
        $ip       = mysql_real_escape_string($ip);
        // column order and value order must match (time, downloads)
        mysql_query("INSERT INTO file(name, ogname, type, size, tmp_name, keyID, ip, time, downloads)
                     VALUES('$fileName', '$ogname', '$fileType', '$fileSize', '$fileTmpLoc', '$key', '$ip', '$time', '$downloads')");
    } else {
        // not uploaded
    }
    ?>

First of all, you need a way to tell one user from another.

If users have to log in to your site before they can upload these files, then this part is easy: you know which user is uploading each file because they're logged in.

If not - and if you're not willing to add a login requirement - you'll have to take a different approach. There are two possible approaches, both imperfect:

a. Assume that every unique IP address, as found in $_SERVER['REMOTE_ADDR'], is a distinct user.

This is imperfect because different users sometimes have the same IP address (for example, if they're visiting your site from within the same corporate network), so this approach could mistakenly conclude that a user has exceeded their quota (even though they haven't).

or,

b. Use PHP sessions; they're specifically designed to uniquely identify visitors.

This one is imperfect because it's easily circumvented - the user can clear their cookies, or use a different browser, and the site will think they're a different user.

If you need a hard limit that can't be circumvented, then you need to require a login. If the upload limit is more of a courtesy, and it's not the end of the world if someone happens to circumvent it, then you need to choose which is more important to you: slightly better (but still pretty weak) security, at the cost of some false positives (choose option a), or slightly better user-friendliness, at the cost of worse security (choose option b).

You need a way of identifying a user and keeping track of how many files they have uploaded so far. I would probably use a database where I store a combination of identification values (e.g. IP, host, browser) and keep a counter with a timestamp.
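The two answers above describe the same mechanism from two sides: pick an identity for the uploader (option a, the remote address, or option b, the PHP session) and keep a timestamped record of uploads per identity. The following is an added example that is not from the question or either answer. It assumes a table `upload_log(identity, uploaded_at)`, which is not part of the asker's schema; the in-memory SQLite database and the timestamps are constructed for the demo. `uploader_identity()` uses only `REMOTE_ADDR` when sessions are not used, because `HTTP_X_FORWARDED_FOR` and `HTTP_CLIENT_IP` are request headers the client chooses, so a limit keyed on them would not limit anything.

```php
<?php
// Added example (hypothetical helpers, not the asker's code): decide whether
// the next upload from this visitor needs a captcha, based on how many
// uploads the same identity made in the last hour.

const UPLOADS_PER_HOUR_WITHOUT_CAPTCHA = 3;   // 4th upload in an hour needs a captcha
const WINDOW_SECONDS = 3600;

// Option (b): key on the PHP session. Option (a): key on REMOTE_ADDR only;
// the proxy headers are client-supplied and are deliberately ignored here.
function uploader_identity(bool $useSession = true): string
{
    if ($useSession) {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        return 'sess:' . session_id();
    }
    return 'ip:' . ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Sliding window: count rows for this identity newer than (now - 1 hour).
// Prepared statement, so the identity string never touches the SQL text.
function uploads_in_window(PDO $db, string $identity, int $now): int
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM upload_log WHERE identity = :id AND uploaded_at > :since'
    );
    $stmt->execute([':id' => $identity, ':since' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function captcha_required(PDO $db, string $identity, int $now): bool
{
    return uploads_in_window($db, $identity, $now) >= UPLOADS_PER_HOUR_WITHOUT_CAPTCHA;
}

// Call this only after the upload has actually been accepted (and, when a
// captcha was required, after the captcha answer has been verified).
function record_upload(PDO $db, string $identity, int $now): void
{
    $stmt = $db->prepare('INSERT INTO upload_log(identity, uploaded_at) VALUES(:id, :t)');
    $stmt->execute([':id' => $identity, ':t' => $now]);
}

// Old rows are useless once they fall out of the window; prune them now and then.
function prune_upload_log(PDO $db, int $now): void
{
    $stmt = $db->prepare('DELETE FROM upload_log WHERE uploaded_at <= :since');
    $stmt->execute([':since' => $now - WINDOW_SECONDS]);
}

// ---- demo with constructed data (SQLite in memory stands in for MySQL) ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE upload_log (identity TEXT NOT NULL, uploaded_at INTEGER NOT NULL)');
$db->exec('CREATE INDEX idx_upload_log ON upload_log(identity, uploaded_at)');

$_SERVER['REMOTE_ADDR'] = '203.0.113.7';   // constructed address from the TEST-NET-3 range
$who = uploader_identity(false);            // option (a): key on the remote address
$t0  = 1700000000;                          // constructed "now"

// three uploads ten minutes apart: none of them needs a captcha
foreach ([0, 600, 1200] as $offset) {
    printf("upload at +%4ds: captcha %s\n", $offset,
        captcha_required($db, $who, $t0 + $offset) ? 'required' : 'not required');
    record_upload($db, $who, $t0 + $offset);
}
// a 4th upload still inside the hour
printf("upload at +1800s: captcha %s\n",
    captcha_required($db, $who, $t0 + 1800) ? 'required' : 'not required');
// after the first upload has aged out of the window only two remain
printf("upload at +3601s: captcha %s\n",
    captcha_required($db, $who, $t0 + 3601) ? 'required' : 'not required');

prune_upload_log($db, $t0 + 3601);
```

In the asker's `upload.php` this would sit before `move_uploaded_file()`: if `captcha_required()` is true and the request carries no valid captcha answer, stop there; otherwise accept the file and then call `record_upload()`. Keying on the session instead (`uploader_identity(true)`) changes nothing else, which is what makes the two options interchangeable at the cost the first answer describes.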
