Prevent multi upload with users - Printable Version +- CodeIgniter Forums (https://forum.codeigniter.com) +-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) +--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24) +--- Thread: Prevent multi upload with users (/showthread.php?tid=71200) |
Prevent multi upload with users - omid_student - 07-18-2018 Hi In my app,user can upload file to server with username and password There are no any problem for upload or authentication Big problem is If user have username and password,can upload file with php script Example Post: username=user&password=1234 and contain file form If hacker execute this url in php script,can upload file to server How do i can prevent upload file only with app Thanks RE: Prevent multi upload with users - Pertti - 07-18-2018 (07-18-2018, 08:39 AM)omid_student Wrote: Post: username=user&password=1234 and contain file form Are username and password on the URL - www.mydomain.com/upload/?username=user&password=1234 Or you mean when user makes a POST request, effectively they are posting their username and password at the same time as the file? RE: Prevent multi upload with users - omid_student - 07-18-2018 (07-18-2018, 11:16 AM)Pertti Wrote:Yes make a POST request(07-18-2018, 08:39 AM)omid_student Wrote: Post: username=user&password=1234 and contain file form However i encrypt data with AES but we assume it is not encryption RE: Prevent multi upload with users - Pertti - 07-18-2018 Got it. So you are worried that if hacker knows endpoint URL, username and password, they can just keep uploading? CodeIgniter CSRF protection might help, it won't stop them posting data at your server, which could become DDoS issue on it's own, but it will help you to filter out valid requests and ignore the rest. RE: Prevent multi upload with users - omid_student - 07-18-2018 (07-18-2018, 11:51 AM)Pertti Wrote: Got it. No my problem is not file type or content My problem is only upload file from app and prevent upload file with username and password with restful tools or php I try prevent with useragent or api key special for mobile but it is not necessary RE: Prevent multi upload with users - Pertti - 07-18-2018 (07-18-2018, 12:12 PM)omid_student Wrote: No my problem is not file type or content CSRF is not for file type, it's for making sure the incoming requests originate from server in the first place. There's more stuff on it here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet RE: Prevent multi upload with users - omid_student - 07-18-2018 (07-18-2018, 12:39 PM)Pertti Wrote:(07-18-2018, 12:12 PM)omid_student Wrote: No my problem is not file type or content Yes i know but it is good in web When user open forms,during open form,we add token into form body and codeigniter check it when we post it But in application there is no form and i have to get token before upload file that i think it is bad,isn't it? RE: Prevent multi upload with users - omid_student - 07-18-2018 (07-18-2018, 12:39 PM)Pertti Wrote:(07-18-2018, 12:12 PM)omid_student Wrote: No my problem is not file type or content Finally i deiced to generate token and get it from app and send it for each request and check it in server I save token in session for 7200s and use JWT for token |