3

How can I keep a client from uploading more after having uploaded something within a time limit? Based on IP address.

Jonah
  • 9,991
  • 5
  • 45
  • 79
user580889
  • 67
  • 1
  • 3
  • 1
    The IP is an ineffective method of authorization. The client could easily be using Tor. – Jonah Jan 19 '11 at 04:27
  • @Jonah: What is a more effective way, by the way? – Chetan Jan 19 '11 at 04:35
  • @Jonah - Can you please tell more about "**Tor**"? I tried googling it, but could not get any particular direct answer. Maybe my brain is in hangover. – Knowledge Craving Jan 19 '11 at 06:25
  • Tor is a network of computers that you can join using the Tor software. Instead of your HTTP request going straight to the target server, the request is routed through many other computers on Tor between you and the server. This route is generated randomly I think, so every request you appear to have a different IP address. Also, requests from other computers are routed through _your_ computer if you're on the network. This is dangerous because the traffic through your computer may be illegal. Although it's my understanding that everything is encrypted. http://www.torproject.org/ – Jonah Jan 19 '11 at 17:16
  • @Jonah - many thanks for such a nice descriptive answer. Cheers! – Knowledge Craving Jan 20 '11 at 18:47

3 Answers3

3

Basing your disabling on the user's IP address is ineffective. In addition to what Kel said, the client also may have a dynamic IP, or be using Tor.

Really the only way would be to force the user to identify him/herself in some way. There are lots of options out there: Facebook, OpenID, Twitter, etc. You could create a user account system for your site, but that would be much more inconvenient for the user; using an infrastructure that's already in place would be better.

As for the more technical side of things, basically you'll keep a database table of users that have uploaded files, and a timestamp column that holds the time that they uploaded. You'll regularly traverse this table with a Cron job, and remove users that are older than a pre-defined threshold.

When a person attempts to upload, check if they're in the database. If they are, they can't upload; if they aren't, they're good to go.

Jonah
  • 9,991
  • 5
  • 45
  • 79
  • 1
    Still a lot of sites use it(rapidshare, megaupload, etc). If you upload a much by using this you can safe yourself a lot of bandwidth. – Alfred Jan 19 '11 at 06:00
2

You can retrieve IP address using $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] variables, and store it somewhere together with request date (for example, in database). On each upload request you can check, whether (last upload time from this IP) - (current time) > period.

BTW, user is not always bound to single IP, and single IP can be used by many users. So, for example, this will restrict uploading from users, who are hidden behind the same NAT.

Kel
  • 7,680
  • 3
  • 29
  • 39
0

I guess there is no full proof way, and for any suggestion there's counter argument.

But then again, websites still allow uploading and live.

You can combine different methods of identifying an user:

  1. Regular cookie

  2. Flash cookie

  3. IP address

All of these can be overcome, but not everyone even knows about flash cookies, and some people still change their IP by switching the modem on/off. Never underestimate people's lazyness / ignorance:)

CodeVirtuoso
  • 6,318
  • 12
  • 46
  • 62