
Limit User Uploads PHP

I have a script that allows anyone to upload a file under 200 MB and after the file is downloaded once it will delete it, and after 24 hours all files are deleted from the server. My question is how can I limit the number of times someone can upload a file for example. If someone were to upload 3 files in one hour, if they were to upload a 4th file, they would need to put in a captcha code to ensure they are not a robot. But how would I go about doing this?

Code for uploading:

    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

    <script> 
    function _(el){ 
    return document.getElementById(el); 
    } 

    function uploadFile(){ 
    var file = _("file1").files[0]; 
    //alert(file.name+" | "+file.size+" | "+file.type); 
    var formdata = new FormData(); 
    formdata.append("file1", file); 
    var ajax = new XMLHttpRequest(); 
    ajax.upload.addEventListener("progress", progressHandler, false); 
    ajax.addEventListener("load", completeHandler, false); 
    ajax.addEventListener("error", errorHandler, false); 
    ajax.addEventListener("abort", abortHandler, false); 
    ajax.open("POST", "upload.php"); 
    ajax.send(formdata); 
    } 

    function progressHandler(event){ 
    //_("loaded_n_total").innerHTML = "Uploaded "+event.loaded+" bytes of "+event.total; 
    // Percentage of the request body sent so far
    var percent = (event.loaded / event.total) * 100; 
    _("progressBar").value = Math.round(percent); 
    _("status").innerHTML = Math.round(percent)+'%'; 
    } 

    function completeHandler(event){ 
    _("completed").innerHTML = event.target.responseText; 
    _("progressBar").value = 100; 
    } 

    function errorHandler(event){ 
    _("status").innerHTML = "Upload Failed"; 
    } 

    function abortHandler(event){ 
    _("status").innerHTML = "Upload Aborted"; 
    }
    </script> 

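    <body>

    <!-- Elements the script above looks up by id: file1, status, completed -->
    <input type="file" name="file1" id="file1">
    <input type="button" value="Upload File" onclick="uploadFile()" class="UploadButton">
    <progress id="progressBar" value="0" max="100">
    </progress> 
    <div id="status"></div>
    <div id="completed"></div>
    </body>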

PHP upload script:

    <?php 

    include('connect.php');
    $file = $_FILES["file1"]["name"];

    if ($file == "") { 
    // if file not chosen 
    exit(); 
    } 

    $ogname = $_FILES["file1"]["name"]; 
    // The file name 

    $length = 20;
    $randomString =     substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0,     $length);

    $num = rand () ;
    $key = md5($num);

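    $info = pathinfo( $ogname );
    // The extension is client-supplied: it may be missing, so default to none and keep only letters and digits
    $ext  = isset($info['extension']) ? preg_replace('/[^A-Za-z0-9]/', '', $info['extension']) : '';

    $fileName = ($ext !== '') ? $randomString . "." . $ext : $randomString;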

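    //gets ip address of client     
    //Note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so the client or a proxy
    //chooses their value; only REMOTE_ADDR comes from the connection itself
    //Test if it is a shared client
    if (!empty($_SERVER['HTTP_CLIENT_IP'])){
    $ip=$_SERVER['HTTP_CLIENT_IP'];
    //Is it a proxy address
    }elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
    $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
    $ip=$_SERVER['REMOTE_ADDR'];
    }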

    //returns ip to be stored later
    $downloads = 0;
    $time = 0;
    $fileTmpLoc = $_FILES["file1"]["tmp_name"]; 

    // File in the PHP tmp folder 
    $fileType = $_FILES["file1"]["type"]; 
    // The type of file it is 
    $fileSize = $_FILES["file1"]["size"]; 
    // File size in bytes 

    if($fileSize > 209715200){
    // if too large (200 MB = 200 * 1024 * 1024 bytes)
    exit(); 
    }

    $fileErrorMsg = $_FILES["file1"]["error"]; // UPLOAD_ERR_* code; 0 (UPLOAD_ERR_OK) means no error
    if (!$fileTmpLoc) { 
    // if file not chosen 
    exit(); 
    } 
    if(move_uploaded_file($fileTmpLoc, "files/$fileName"))
    { 

    //success

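                // The original name, MIME type, IP and extension come from the request: escape them before building the query
                $fileNameSql = mysql_real_escape_string($fileName);
                $ognameSql   = mysql_real_escape_string($ogname);
                $fileTypeSql = mysql_real_escape_string($fileType);
                $tmpLocSql   = mysql_real_escape_string($fileTmpLoc);
                $ipSql       = mysql_real_escape_string($ip);
                $fileSize    = (int) $fileSize;

                // Values listed in the same order as the columns (time before downloads)
                mysql_query("INSERT INTO file(name, ogname, type, size, tmp_name, keyID, ip, time, downloads)
                VALUES('$fileNameSql', '$ognameSql', '$fileTypeSql', '$fileSize', '$tmpLocSql', '$key', '$ipSql', '$time', '$downloads')");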

    }else {
     //not uploaded
    } 
    ?>

First of all, you need a way to tell one user from another.

If users have to log in to your site before they can upload these files, then this part is easy: you know which user is uploading each file because they're logged in.

If not - and if you're not willing to add a login requirement - you'll have to take a different approach. There are two possible approaches, both imperfect:

a. Assume that every unique IP address, as found in $_SERVER['REMOTE_ADDR'], is a distinct user.

This is imperfect because different users sometimes have the same IP address (for example, if they're visiting your site from within the same corporate network), so this approach could mistakenly conclude that a user has exceeded their quota (even though they haven't).

or,

b. Use PHP sessions; it's specifically designed to uniquely identify visitors.

This one is imperfect because it's easily circumvented - the user can clear their cookies, or use a different browser, and the site will think they're a different user.

If you need a hard limit that can't be circumvented, then you need to require a login. If the upload limit is more of a courtesy, and it's not the end of the world if someone happens to circumvent it, then you need to choose which is more important to you: slightly better (but still pretty weak) security, at the cost of some false positives (choose option a), or slightly better user-friendliness, at the cost of worse security (choose option b).

You need a way of identifying a user and keeping track of how many files they have uploaded so far. I would probably use a database where I store a combination of identification values (e.g. IP, host, browser) and keep a counter with a timestamp.
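
The counter-with-timestamp approach from the answers above, worked through for the question's rule (3 uploads per hour, then a captcha). This is an added example, not code from the original posts. The table `upload_log`, the function names and the in-memory SQLite database accessed through PDO are assumptions made so the block runs on its own, and the client identifier would be `$_SERVER['REMOTE_ADDR']` or a logged-in user id in the real script.

```php
<?php
// Added example: sliding-window upload counter keyed on a client identifier.
// Table and function names are hypothetical; SQLite in memory stands in for the real database.
const MAX_FREE_UPLOADS = 3;     // uploads allowed per window without a captcha
const WINDOW_SECONDS   = 3600;  // one hour

function openLog(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE upload_log (client TEXT NOT NULL, uploaded_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_client_time ON upload_log (client, uploaded_at)');
    return $db;
}

// Number of uploads this client made inside the current window.
function recentUploads(PDO $db, string $client, int $now): int {
    $q = $db->prepare('SELECT COUNT(*) FROM upload_log WHERE client = ? AND uploaded_at > ?');
    $q->execute([$client, $now - WINDOW_SECONDS]);
    return (int) $q->fetchColumn();
}

// Decide what upload.php should do: 'allow', or 'captcha' when the quota is used up
// and no solved captcha accompanies the request.
function checkUpload(PDO $db, string $client, int $now, bool $captchaSolved): string {
    // Drop rows older than the window so the table does not grow without bound.
    $db->prepare('DELETE FROM upload_log WHERE uploaded_at <= ?')->execute([$now - WINDOW_SECONDS]);
    if (recentUploads($db, $client, $now) >= MAX_FREE_UPLOADS && !$captchaSolved) {
        return 'captcha';
    }
    $db->prepare('INSERT INTO upload_log (client, uploaded_at) VALUES (?, ?)')->execute([$client, $now]);
    return 'allow';
}

// Constructed walk-through: one client (a documentation address) uploads repeatedly.
$db = openLog();
$client = '203.0.113.7';   // constructed value standing in for the real identifier
$t0 = 1700000000;          // constructed timestamp
foreach ([0, 600, 1200, 1800] as $offset) {
    echo $offset, 's: ', checkUpload($db, $client, $t0 + $offset, false), "\n";
}
echo "with captcha: ", checkUpload($db, $client, $t0 + 1900, true), "\n";
echo "after window: ", checkUpload($db, $client, $t0 + 1900 + WINDOW_SECONDS, false), "\n";
```

The count and the insert are separate statements, so two simultaneous requests from one client can both pass the check; wrap them in a transaction if the limit has to be exact.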

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.