File Upload

Re: File Upload

> I want to upload files via an HTML form and store them somewhere on my[color=blue]
> webspace. So far so good. I am just a bit concerned about security issues
> and traffic. My provider has set a file size limit of 20MB in php.ini. My
> questions are:[/color]

Is this going to be for the public to upload, or just you? If its just you
you can have some sort of authentication on the page before they get the
upload form. If not you will be able to track the uploads if you have the
form on posting write their IP, and maybe some other details to a file.
Then on uploads check that file for the IP and dates / sizes, and if they're
uploading too much too quickly just don't allow the upload. The script to
do that would also check for old upload records and delete them from the log
file if necessary so it doesn't just keep growing.
[color=blue]
> 1) If some evil web terrorist tries to upload a file which is larger than[/color]

I think 'evil web terrorists' have better things to do than fill up your
20MB!
[color=blue]
> 2) If the transfer is cancelled, is there a way for me to limit the[/color]
maximum[color=blue]
> upload file size to *less* than what my provider specifies - serverside?[/color]

Yeah - just on your processing of the upload examine the file size - if its
too big reject it. You have to write the code to move the file from the
temp dir to your own directory, so you can do whatever you like to the file.
[color=blue]
> 3) How can I prevent evil people from uploading file after file (using[/color]
some[color=blue]
> automated process) and thus filling up my webspace and using up my monthly
> traffic volume?[/color]

See above - you can check anything you like, and a simple script and log
file would sort this out.
[color=blue]
> P.S.: Does this NG have a FAQ?[/color]

Not that I know of - but the PHP documentation is usually very good. The
web based version of the docs also have user comments on, a lot of which can
be helpful if you're stuck with something.

David

Re: File Upload

Also sprach David Walker:

[File Upload]
[color=blue]
> Is this going to be for the public to upload, or just you?[/color]

It's for the public.
[color=blue]
> If its
> just you you can have some sort of authentication on the page before
> they get the upload form. If not you will be able to track the
> uploads if you have the form on posting write their IP, and maybe
> some other details to a file. Then on uploads check that file for the
> IP and dates / sizes, and if they're uploading too much too quickly
> just don't allow the upload. The script to do that would also check
> for old upload records and delete them from the log file if necessary
> so it doesn't just keep growing.[/color]

Thanks for the suggestion. I will try something like that.
[color=blue][color=green]
>> 1) If some evil web terrorist tries to upload a file which is larger
>> than[/color]
>
> I think 'evil web terrorists' have better things to do than fill up
> your 20MB![/color]

Still, if someone doesn't like me as much as (s)he should, they might try
bad jokes like this. Besides, the 20MB is the maximum file size for uploads,
not my total web space. Following your above suggestion, however, should
make any misuse much harder.
[color=blue][color=green]
>> 2) If the transfer is cancelled, is there a way for me to limit the
>> maximum upload file size to *less* than what my provider specifies -
>> serverside?[/color]
>
> Yeah - just on your processing of the upload examine the file size -
> if its too big reject it.[/color]

This, however, means that the whole file was already completely transmitted
to the server, and some of my free monthly transfer budget has been used up
in the process. I am looking for a solution which will prevent any data
transfer to the server exceeding a specified limit. There is MAX_FILE_SIZE
to specify a size limit client side, but as it's client side one cannot rely
on it, especially if someone tries to deliberately get around it.
[color=blue][color=green]
>> P.S.: Does this NG have a FAQ?[/color]
>
> Not that I know of - but the PHP documentation is usually very good.
> The web based version of the docs also have user comments on, a lot
> of which can be helpful if you're stuck with something.[/color]

Yes, that's true. Still, I'd like some more explanation on how "things are
handled" internally. For example, if setting a maximum size for upload files
in php.ini means that the server will somehow cancel the transmission
process when the limit is reached, and thus preventing traffic "over the
limit".

--

Re: File Upload

> This, however, means that the whole file was already completely
transmitted[color=blue]
> to the server, and some of my free monthly transfer budget has been used[/color]
up[color=blue]
> in the process. I am looking for a solution which will prevent any data
> transfer to the server exceeding a specified limit. There is MAX_FILE_SIZE
> to specify a size limit client side, but as it's client side one cannot[/color]
rely[color=blue]
> on it, especially if someone tries to deliberately get around it.[/color]

Not really sure how it works unfortunately. I think it does probably stop
the uploads once its past the PHP file limit - as far as I remember it will
either just cut the file off at that point and save it as it is (incomplete)
or will just reject the transfer - this I think depends on the setting
somewhere when you're doing the upload handling in PHP.
[color=blue]
> Yes, that's true. Still, I'd like some more explanation on how "things are
> handled" internally. For example, if setting a maximum size for upload[/color]
files[color=blue]
> in php.ini means that the server will somehow cancel the transmission
> process when the limit is reached, and thus preventing traffic "over the
> limit".[/color]

Unfortunately as I just mentioned above I don't really know myself. I'm
pretty sure it would stop the upload if its a PHP size limit - I think PHP
is probably clever enough to know to do that.
Incidentally, I think you can change the PHP.ini settings dynamically for
individual pages - use ini_set - if you look in the PHP docs its all in
there how to do it so you could change the limit for individual pages, and
it'd be impossible for the client to get around it.

David

Re: File Upload

Also sprach David Walker:
[color=blue]
> Incidentally, I think you can change the PHP.ini settings dynamically
> for individual pages - use ini_set - if you look in the PHP docs its
> all in there how to do it so you could change the limit for
> individual pages, and it'd be impossible for the client to get around
> it.[/color]

I just had a look at the php manual - well, I *can* modify
"upload_max_fil esize" using ini_set(), but when my script processes this
command, the file will already have been uploaded, so my change will come
too late (a design bug)?

BTW, how does "post_max_s ize" influence "upload_max_fil esize"? I mean,
files are uploaded via "post", so what's the effective size limit if
post_max_size=8 M and upload_max_file size=20M, as it is the case with my
provider? He has PHP running as CGI, not as an Apache module - does this
make any difference?

--

Re: File Upload

> > Incidentally, I think you can change the PHP.ini settings dynamically[color=blue][color=green]
> > for individual pages - use ini_set - if you look in the PHP docs its
> > all in there how to do it so you could change the limit for
> > individual pages, and it'd be impossible for the client to get around
> > it.[/color]
>
> I just had a look at the php manual - well, I *can* modify
> "upload_max_fil esize" using ini_set(), but when my script processes this
> command, the file will already have been uploaded, so my change will come
> too late (a design bug)?[/color]

If you put that at the top of the page recieving the upload, then that page
should I think be read before the upload starts. If not, try putting it on
both the sending and recieving page, and then its bound to be there
somewhere.
[color=blue]
> BTW, how does "post_max_s ize" influence "upload_max_fil esize"? I mean,
> files are uploaded via "post", so what's the effective size limit if
> post_max_size=8 M and upload_max_file size=20M, as it is the case with my
> provider? He has PHP running as CGI, not as an Apache module - does this
> make any difference?[/color]

The best advice I can give here is to just try it. Play about with the
settings, try to upload different files, and see what it lets you do. Its
often easier than trying to predict behaviour not given in the manual - I do
a lot of my stuff just by testing simple scripts first, and once they work
transfer it to the proper page.
Otherwise someone else may be able to offer help - I haven't done enough
with uploads to really know, i've just allowed simple uploads to be done,
and move them - i don't have to worry about bandwidth or disk space, and the
page is protected so only a few people can access it anyway.
Good luck!

David

Re: File Upload

Also sprach David Walker:
[color=blue][color=green]
>> I just had a look at the php manual - well, I *can* modify
>> "upload_max_fil esize" using ini_set(), but when my script processes
>> this command, the file will already have been uploaded, so my change
>> will come too late (a design bug)?[/color]
>
> If you put that at the top of the page recieving the upload, then
> that page should I think be read before the upload starts.[/color]

But the upload is part of the request for this page sent by the client. The
php script is called only after all of the client's request including post
data has been received - or am I wrong?
[color=blue]
> If not,
> try putting it on both the sending and recieving page, and then its
> bound to be there somewhere.[/color]

Even if I put it on the page that generates the upload form - as soon as
that page is sent out to the client the process is finished and the
ini_set() setting is lost. Or am I wrong again?

As for the precedence of different ini settings - I think you are right -
the best thing to do is try it out.

Thanks,
Thomas

Re: File Upload

> > If you put that at the top of the page recieving the upload, then[color=blue][color=green]
> > that page should I think be read before the upload starts.[/color]
>
> But the upload is part of the request for this page sent by the client.[/color]
The[color=blue]
> php script is called only after all of the client's request including post
> data has been received - or am I wrong?[/color]

Not really sure how it works to be honest. I was thinking that it should
just so that things like this would work... then again, if you do upload a
big file the page never goes until the upload is complete. So, maybe
putting it on the sending page, as I said below might be a better idea???
[color=blue][color=green]
> > If not,
> > try putting it on both the sending and recieving page, and then its
> > bound to be there somewhere.[/color]
>
> Even if I put it on the page that generates the upload form - as soon as
> that page is sent out to the client the process is finished and the
> ini_set() setting is lost. Or am I wrong again?[/color]

Well I was thinking it must get the setting from one page or the other
otherwise theres no point in having it. Since the browser stays on the
sending page until the upload is complete it looks like this is more likely
to work.
[color=blue]
> As for the precedence of different ini settings - I think you are right -
> the best thing to do is try it out.[/color]

Yeah - just shove it on a little script, see what happens.

David

Re: File Upload

Also sprach David Walker:
[color=blue]
> Not really sure how it works to be honest. I was thinking that it
> should just so that things like this would work...[/color]
[color=blue]
> Well I was thinking it must get the setting from one page or the other
> otherwise theres no point in having it.[/color]

Well, ini_set() is not just for setting this one option. It certainly works
fine with other things, only in this special case it is not very helpful.
But as PHP is running as a CGI with my provider, doesn't this mean I have my
very own "environmen t" all to myself, so theoretically I should be allowed
to modify "my" php.ini somehow? What actually is the difference between
those local and master values that phpinfo() reports?

Greetings, Thomas

Re: File Upload

> Well, ini_set() is not just for setting this one option. It certainly
works

It doens't have all the values there though, so if they allowed that value
to be changed then it must do something. I now think that it must take
affect on the calling page if anything.
[color=blue]
> fine with other things, only in this special case it is not very helpful.
> But as PHP is running as a CGI with my provider, doesn't this mean I have[/color]
my[color=blue]
> very own "environmen t" all to myself, so theoretically I should be allowed
> to modify "my" php.ini somehow? What actually is the difference between
> those local and master values that phpinfo() reports?[/color]

To be honest i've never seen a difference between the Local and Master
values on any server yet. I don't think its to do with CGI though - thats
just a different way to get PHP to work, but it is usually a master thing
for the whole server, not separate for individual folders or whatever.
Unless they've given you access via something other than FTP or web based
uploads though, theres no way you'd ever see PHP.ini anyway.
Ask your ISP though, see what they say - probably won't be very helpful, but
just sending a quick e-mail can't hurt, and could maybe be useful if you get
someone who knows something to respond.

David

Re: File Upload

I've just tried out different settings for post_max_size and
upload_max_file size in php.ini. As was to be expected, the post_max_size
prevails, and if my file is bigger than that, the corresponding
$_FILES['myfile'] does not exist. So it actually makes no sense to make
upload_max_file size bigger than post_max_size - still, this seems to be the
default setting...?
[color=blue][color=green]
>> Well, ini_set() is not just for setting this one option. It
>> certainly works[/color]
>
> It doens't have all the values there though, so if they allowed that
> value to be changed then it must do something. I now think that it
> must take affect on the calling page if anything.[/color]

So I have something else to try out tomorrow...
[color=blue][color=green]
>> fine with other things, only in this special case it is not very
>> helpful. But as PHP is running as a CGI with my provider, doesn't
>> this mean I have my very own "environmen t" all to myself, so
>> theoretically I should be allowed to modify "my" php.ini somehow?
>> What actually is the difference between those local and master
>> values that phpinfo() reports?[/color]
>
> To be honest i've never seen a difference between the Local and Master
> values on any server yet. I don't think its to do with CGI though -
> thats just a different way to get PHP to work, but it is usually a
> master thing for the whole server, not separate for individual
> folders or whatever. Unless they've given you access via something
> other than FTP or web based uploads though, theres no way you'd ever
> see PHP.ini anyway. Ask your ISP though, see what they say - probably
> won't be very helpful, but just sending a quick e-mail can't hurt,
> and could maybe be useful if you get someone who knows something to
> respond.[/color]

"If", yes, indeed. Still, I will try.

Greetings, Thomas

Re: File Upload

> I've just tried out different settings for post_max_size and[color=blue]
> upload_max_file size in php.ini. As was to be expected, the post_max_size
> prevails, and if my file is bigger than that, the corresponding
> $_FILES['myfile'] does not exist. So it actually makes no sense to make
> upload_max_file size bigger than post_max_size - still, this seems to be[/color]
the[color=blue]
> default setting...?[/color]

Possibly if someone uploads by some method other than POST - not GET cos
that isn't big enough, so not sure what's left... Maybe something, but
doesn't matter.

You're getting closer to an answer anyway - just got to make sure it takes
affect on the right page now, which should be easy to try.

David