File uploader / picture uploader can be used for spam attack


I’m not sure whether some hacker will use this to spam files into the Bubble storage / AWS, but this is very frustrating if the application owner knows that the storage of the application is often full.

This is the problem
If a user uploads a file or image but hasn’t pressed the OK button or the upload button, which triggers the workflow to store it in the database

Before Upload

After Upload

then, for example, the user wants to replace it with a new photo before pressing the OK button or something else.
Then the most recent photo is uploaded to the database, so that the previous photo isn’t uploaded.
But it turns out the previous photo was still uploaded to the database, without having anything to do with the database in Bubble, and it was entered in the file manager.

I do not know whether this photo is included in the Bubble storage count, which affects the cost, or not.

The solution within Bubble is to create a custom state list that, every 1 second, adds files from the picture uploader value.
Use workflow
Do when condition true
If the list has more than 2 files
Delete an uploaded
The file was first created from a custom state list
On every page that has a picture uploader or file uploader

Or, second, a temporary file storage could be implemented that automatically erases files if there are more than a few temporary files. And if the button that is relevant to the picture uploader is pressed, then upload the file to the file manager storage. So the Bubble user doesn’t create a workflow like in the first solution. I don’t know, I’m not a programming expert, but that’s the logic I think.


It is, and it does. This is known / intended behavior. The onus is on the Bubble developer to prevent “orphaned” (uploaded to Bubble AWS storage but not referenced in the DB) files.

Also, if you’re dealing with lots of images, you might want to check out Upload Buddy, as it allows (among other things) for images to be resized before uploading, which results in a smooth user experience but also helps to conserve Bubble storage. (Of course, non-image files can be uploaded as well.)
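The orphan check described in the reply above, as an added example that is not part of the original thread and not Bubble's own code: it compares a storage inventory against the file URLs referenced in the database and skips recent uploads that the user may not have saved yet. The host, file names and the 24-hour grace period are assumptions, and how the two lists are exported from the application is left out.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, unquote


def normalize(url: str) -> str:
    """Reduce a file URL to host + path so the same object compares equal
    whether stored as https://..., protocol-relative //..., or with a query."""
    url = url.strip()
    if url.startswith("//"):
        url = "https:" + url
    parts = urlsplit(url)
    return parts.netloc.lower() + unquote(parts.path)


def find_orphans(stored, referenced_urls, now, grace=timedelta(hours=24)):
    """Return stored files that no database record references.

    stored: iterable of (url, uploaded_at) taken from the storage inventory.
    referenced_urls: every file URL found in database fields.
    grace: files newer than this are skipped, because the user may not
           have pressed the save button yet.
    """
    referenced = {normalize(u) for u in referenced_urls}
    orphans = []
    for url, uploaded_at in stored:
        if normalize(url) in referenced:
            continue  # still in use by a database record
        if now - uploaded_at < grace:
            continue  # possibly an upload that is still in progress
        orphans.append(url)
    return sorted(orphans)


# Constructed sample data (hypothetical host and file names).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
STORED = [
    ("https://files.example.test/f1/first-try.png", NOW - timedelta(days=3)),
    ("https://files.example.test/f2/final.png", NOW - timedelta(days=3)),
    ("https://files.example.test/f3/just-now.png", NOW - timedelta(minutes=5)),
    ("https://files.example.test/f4/my%20photo.png", NOW - timedelta(days=2)),
]
REFERENCED = [
    "//files.example.test/f2/final.png",
    "https://FILES.example.test/f4/my photo.png?w=200",
]

if __name__ == "__main__":
    for url in find_orphans(STORED, REFERENCED, NOW):
        print("orphaned:", url)
```

Review the returned list before deleting anything, since a URL stored in a field the export missed would look orphaned.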

Yes, it can solve problems with 3rd parties, even if the user refreshes the page after uploading the image and hasn’t pressed the ok button.
But it will be a consideration if the file or image is private, or, for example, in messaging: it has to involve a third party that stores data temporarily or permanently, because the data has to change hands from the new third-party server to the Bubble server, so it needs to be written in the privacy policy.

Sorry, bad English :frowning_face:
