Securing anonymous image uploads
Sites like www.ebayclassifieds.com let users upload images in order to see thumbnail previews and make image adjustments before posting content. Visitors are able to upload images to those sites anonymously without any authorization beforehand.
Can the same type of image previews be done for a smaller site that has bandwidth and disk space constraints? I'd guess that one would set up a cron job to periodically delete images that were anonymously uploaded. But what are other measures that can be taken so that bandwidth usage and disk space don't get out of hand, in case someone tries to spam your site with bogus image 开发者_StackOverflow中文版uploads?
Here are some ideas off the top of my head:
- Use session state to keep track of uploaded files and delete them automatically when the session expires.
- Limit uploads per session/visitor (ie. one per anonymous visitor)
- Limit the maximum size of a file that can be uploaded.
- Limit image types to only those that are compressed (ie. don't allow BMPs)
- Scale the images down to a reasonable size as soon as they are uploaded. You probably don't need full size.
Besides madisonw's answer I would just add, use CAPTCHA for the upload as well, so users can't use automated tools to upload the images at large...
精彩评论