#1
Limit upload file size
Hey everyone,
I had a question about MAX_FILE_SIZE and how to implement it at the client side without expecting the user to not hack the site to increase the value. For example, if I set an input field name to MAX_FILE_SIZE and in the value property I enter the bytes, PHP will read that and limit file size. But what's to say that the user isn't using Firefox, or pretty much any browser, and uses a DOM editor to modify the value in that hidden input field? How can I force the file to only transfer (taking up bandwidth) if the file is of the correct size? Any solution I can think of would be circumventable via a DOM editor. Something like DOM Inspector, the HTML DOM editor plug-in I use to hack so many JavaScripts that do client-side validation, and then I get the benefits of whatever site without having actually done anything other than spending an hour hacking JavaScripts. For example, extra points in a game for paying for some sort of service that reports instantly. With this same logic, someone could use a DOM editor and send a 1GB file to my web server and take up 1GB of bandwidth. I know on the server side once I get the file I have full control, but I don't want it to get that file. If the file is beyond the limits I set I don't want a single byte transferred, except maybe the size of the file in question. I remember reading about a PHP ini directive that I can set that will limit file size, and I could probably set that using ini_set(). Will this directive cause PHP to first query the file size of the file and then transfer it if it meets required size limitations, or will it merely figure it out when the file has completed transferring to the server? I'm not exactly sure how to check this without a lot of overhead programming. When I tried the 10MB + 1 byte file it did error out, and when I tried the 10MB to the byte file it worked fine. They both seemed to take the same amount of time, which seemed to take just as long as the 2MB file.
I will probably have to increase this size because the time elapsed seemed to be the same as a 50KB web page. This is all being done on a local system, web server, and files are already on the same hard drive, so the approximate write speed would be about 20MB/s, so I will probably have to do something like 500MB to get any real performance.
[edit] So I tried setting the limit to 1GB and uploaded a 700MB file and a 1.2GB file. Both took the bandwidth. Then I realized that the server may just cut off at the limit size, but the entire 1.2GB was transferred when the limit was set to 10MB. Is there any way around this? I don't want to waste bandwidth or allow such a vulnerability. My problem is that no matter what I try it seems to be circumventable. Sure I can use JavaScript and an HTML hidden element, but these are circumventable.
__________________
Last edited by acidfourtyfive : July 2nd, 2009 at 09:15 PM.
#2
This might help:
PHP Code:
#3
Basically the answer is you can't. If the user wants to post a ****load of data to your server they can do it and there is nothing you can do to stop them. If there were a way to prevent this then the concept of a DDOS attack would not exist.
There is probably an Apache directive you can use that will drop the user's connection if they upload more than X megabytes. However, this would have to be done at the Apache level and not at the PHP level. Also, it doesn't mean the user would stop spitting packets at you. The user could continue spamming your server with data packages as long as they want even if they don't have an active connection.
Last edited by E-Oreo : July 2nd, 2009 at 10:30 PM.
#4
Quote:
Hmm, I seem to be not getting my point across, because what you just did can be done 1001 ways. You can use ini_set to set it and then it will just error out, or set the ini file and then you wouldn't have to worry about it in the script. With this solution you could use $_FILES[error] to send that same message instead of using the byte size. Like I said, 1001 ways. My problem is: regardless of limitations on file size, the file is still sent from their computer over the copper lines, optic cables and air waves to my server, stored in a temp file on the server, and then discarded because the file is too large. How can I just tell the client side not to send it? I guess any solution that involves the client side can be circumvented. If there was an HTTP header, that could be changed; if it was a Java applet, that could be changed with a memory editor. After thinking about it for a bit, there is no way for me to tell the client not to send the file if it's too big without a savvy user being able to hack it, and I will just have to accept that files will end up in my temp dir even though they exceed the maximum size I've set.
[edit] E-Oreo...double stuffed? LMFAO. Yeah, I figured that out. Thanks. I don't mean to eliminate DoS attacks. I intend to save as much bandwidth as possible. If a user uploads more than is allowed I would gladly set an Apache directive to disconnect and cancel the transfer; that's basically what I was getting at, and hoping that PHP did when the file transfer occurred. Although it seems obvious that the Apache server handles the actual upload of the file and PHP gains access via the $_FILES variable. For example, Gumbo Joe decides not to read anything and creates an account, checks the agree checkbox without knowing what he's agreeing to, then uploads a 700MB file. If the limit is 10MB I would be happy for Apache to disconnect at 10MB...or 11MB. Being Gumbo Joe, he's just going to try again thinking it's going to work.
Then maybe he will see the text that says 10MB limit. PEBKAC isn't just a funny joke. It's reality, and I don't want to pay for PEBKAC (Problem Exists Between Keyboard And Chair) or an ID-10T (Idiot) or a keyboard-chair disconnect or whatever you want to call it. I guess in the case of Gumbo Joe a simple hidden HTML field (if the browser uses it) and some JavaScript will do the trick. Analysis paralysis. LOL.
Last edited by acidfourtyfive : July 2nd, 2009 at 10:42 PM.
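The server-side handling the thread converges on (MAX_FILE_SIZE as a hint only, the real cap enforced via Apache, php.ini and $_FILES['error']), as an added example that is not code from any poster in this thread; the 10 MiB limit, the `userfile` field name, the upload directory and the Apache vhost snippet are assumptions.

```php
<?php
// Added example (not from the thread). The hidden MAX_FILE_SIZE field and any
// JavaScript are advisory; the body still reaches the server. What actually
// bounds the bytes accepted are these three layers:
//
// Layer 1, Apache httpd (vhost or .htaccess; assumed setup): refuse the request
// body before PHP ever runs, answering 413 for anything larger.
//     LimitRequestBody 10485760
// Layer 2, php.ini. Both are PHP_INI_PERDIR, so ini_set() in a script cannot
// change them; post_max_size must be larger than upload_max_filesize because it
// also covers the other form fields.
//     upload_max_filesize = 10M
//     post_max_size = 12M
// Layer 3, the script itself, below.

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // assumed 10 MiB policy

/** Return null when the $_FILES entry is acceptable, else a reason for the user. */
function validate_upload(array $file, int $maxBytes = MAX_UPLOAD_BYTES): ?string
{
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:   // larger than upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE:  // larger than the form's MAX_FILE_SIZE hint
            return 'File exceeds the size limit.';
        case UPLOAD_ERR_PARTIAL:    // connection dropped mid-transfer
            return 'Upload was interrupted.';
        case UPLOAD_ERR_NO_FILE:
            return 'No file was uploaded.';
        default:
            return 'Upload failed (server error).';
    }
    // Enforce the policy on the bytes actually received, not on the hidden field.
    if (($file['size'] ?? 0) > $maxBytes) {
        return 'File exceeds the size limit.';
    }
    // Reject a forged entry whose tmp_name points at an arbitrary server path.
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        return 'Upload failed (not a valid uploaded file).';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // When post_max_size is exceeded PHP discards $_POST and $_FILES entirely,
    // so a non-empty Content-Length with no $_FILES is the only trace left.
    if (empty($_FILES) && (int)($_SERVER['CONTENT_LENGTH'] ?? 0) > 0) {
        http_response_code(413);
        exit('Request body exceeded post_max_size.');
    }
    $problem = validate_upload($_FILES['userfile'] ?? []);
    if ($problem !== null) {
        http_response_code(400);
        exit($problem);
    }
    // Store under a server-chosen name; never reuse the client's filename.
    move_uploaded_file($_FILES['userfile']['tmp_name'], '/var/uploads/' . bin2hex(random_bytes(8)));
}
```

Only LimitRequestBody (or an equivalent in a front proxy) stops the transfer early; by the time validate_upload() runs, the temp file already exists and the bandwidth is spent, which is the behaviour observed in the first post.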
Viewing: Dev Shed Forums > Programming Languages > PHP Development > Limit upload file size