I am sure this is one of the most epic titles ever. So, I have an upload form like here. I made it so that people could upload their files only up to 1 MB. But if I try to upload, for example, a 1 GB file, it takes ages before it gives me an error. So, here comes a question. Before the file's size is checked, is that file being downloaded to my hosting, or does it take resources from my hosting? Why does it take ages and ages before it gives me an error, although if I try to upload a 2 MB file it gives me an error in 1 second? Thank you for your explanations.

A: 

You should include an input like:

 <input type="hidden" name="MAX_FILE_SIZE" value="30000" />

that hints the browser in respect to the maximum file size that can be uploaded. Most browsers will then warn the user if the file is too big.

I don't think PHP will store files past the maximum post size allowed in php.ini if the user submits one (the server will not have a 1 GB file occupying space unnecessarily); however, the user must send all the data before it gets the error response from the server because the HTTP protocol has no provision for interrupting the client's request and sending a response prematurely.

Beware that if you allow huge POST data and defer the file size check to your PHP script, more disk space will be used.

Artefacto
It is very easy for a programmer to delete this row, so this is not security.
hey
@hey this is not about security. The server is already rejecting the file (you said that in the question). This is about giving the user a clue. If he wants to waste bandwidth sending a file that will be rejected... so be it.
Artefacto
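
An added example, not part of the original answers: one way to enforce the limit on the server, since the hidden `MAX_FILE_SIZE` field is only a hint. The field name `userfile` and the php.ini values in the comments are assumptions for illustration.

```php
<?php
// Added example: server-side enforcement of the 1 MB limit from the question.
// Assumed php.ini (illustrative): upload_max_filesize = 1M, post_max_size = 2M
// Assumed form field name: "userfile" (hypothetical).

const MAX_BYTES = 1048576; // 1 MB

// Convert php.ini shorthand ("2M", "512K", "1G") to bytes.
function ini_bytes(string $value): int {
    $value = trim($value);
    $number = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024; // fall through
        case 'M': $number *= 1024; // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

function check_upload(array $server, array $files): string {
    // If the body exceeds post_max_size, PHP leaves $_POST and $_FILES empty;
    // the Content-Length header is the only sign of what happened.
    $declared = (int) ($server['CONTENT_LENGTH'] ?? 0);
    $postLimit = ini_bytes((string) ini_get('post_max_size'));
    if ($postLimit > 0 && $declared > $postLimit) {
        return 'rejected: request body larger than post_max_size';
    }
    $file = $files['userfile'] ?? null;
    if ($file === null || !isset($file['error']) || is_array($file['error'])) {
        return 'rejected: no single file in field "userfile"';
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:        break;
        case UPLOAD_ERR_INI_SIZE:  return 'rejected: larger than upload_max_filesize';
        case UPLOAD_ERR_FORM_SIZE: return 'rejected: larger than the MAX_FILE_SIZE field';
        default:                   return 'rejected: upload error ' . $file['error'];
    }
    // Final check against the application's own limit, independent of
    // php.ini and of the hidden form field.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        return 'rejected: file larger than 1 MB';
    }
    return 'accepted';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo check_upload($_SERVER, $_FILES);
}
```
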
A: 

If you're checking the file size on the server then, yes, it will have to upload to the server in order to just run the if statement that checks the size.

Anything you do on the client side to check will, of course, be at the mercy of the client. So there is no 100% reliable way to do it. Artefacto pointed out one good way to catch most users. There's also a JavaScript ActiveX object that might help (http://www.kavoir.com/2009/01/check-for-file-size-with-javascript-before-uploading.html) but, again, users can easily disable it (even quite unintentionally) or have browsers that don't support it at all.

David
So you wanna say that everyone can just try to upload 10 GB files to sites like imageshack and else and harm them, steal hosting's resources?
hey
@hey They will waste bandwidth, but hopefully not disk space (if the server is correctly configured not to allow POST requests bigger than some small number).
Artefacto
@hey Anybody can blast any server they want with all the data they want, really. The server can stop anything that comes in once it gets there, but the bandwidth is already eaten. In cases like this though, all that can be done is "suggest" to the clients (through means most people won't know how to circumvent, depending on the audience) that they not do it.
David
A: 

Just having a quick google for your issue I found this old Stack Overflow topic: http://stackoverflow.com/questions/307679/using-jquery-restricting-file-size-before-uploading. It seems that it is in fact possible to stop people uploading files too big client side, but only using Flash/Java; maybe this software will help: http://www.swfupload.org/. 9th bullet point down on description: Control filesize before upload starts.

Regards

Luke

Luke