I know you can control the size of uploads in PHP using $_FILES['userfile']['size'] > XXX

My question I suppose is performance related.

When you upload a file, my understanding is the whole file gets uploaded to a temporary location, and then you have access to $_FILES

What happens if a user attempts to upload a 10gb file? (as an example of a very large file)

If a large file is attempted to be uploaded, does this waste server bandwidth as the file needs to be uploaded before it can be processed/validated?

I know PHP has like timeouts etc but I'm curious if there is a performance impact from users attempting to upload very large files, even if (for example) the max file size is 2mb.

Is this a concern or something unavoidable and just to not worry?

Thanks.

+2  A: 

Both Apache and PHP have max-post limitations to prevent such behavior.

From php.ini:

; Maximum allowed size for uploaded files.
upload_max_filesize = 4M
; Maximum size of POST data that PHP will accept.
post_max_size = 8M
aularon
Sorry perhaps I wasn't quite clear - am aware of how to prevent large files being uploaded, but was curious about any performance impacts associated with users uploading extremely large files
calum
edit - are you saying that the above would stop the upload when those limits were reached, or would the upload carry on until it was completed/timeout regardless?
calum
These limitations will close the connection socket after the limit is reached.
aularon
You seem to be reading as I'm writing :)
aularon
From http://httpd.apache.org/docs/1.3/mod/core.html: _This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks._
aularon
That's good to know, thank you for the link + the code
calum
A: 

Actually, the [size] isn't there for control, it's simply the size of the uploaded file. By the time your script gets fired up to check that, PHP (and the webserver) have already handled the upload and applied their own internal limits (Apache's LimitRequestBody, PHP's upload_max_size, etc...).

PHP will allow all uploads to proceed, if they've been enabled via the file_uploads INI setting. Since you can't really trust the client, the client-provided size will be ignored and the upload will proceed until it either completes or hits the upload limit. So, yes, it can waste your bandwidth.

If you allow uploads, then it can be abused. But, there's no real difference between someone uploading a 10gig file or someone doing a POST with 10gig of bogus data. Either way, you've got 10gig of data coming your way.

Marc B
Thanks for confirming. I don't think it's a huge issue in real-life situations, but nice to know.
calum
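An added example, not code from either answer: a handler that tells apart the outcomes both answers describe (body over post_max_size, file over upload_max_filesize, file over the application's own limit). The field name `userfile` and the 2 MB limit come from the question; `ini_bytes()`, `check_upload()` and the status codes chosen are assumptions of this sketch. It runs only after the server has accepted the body, so it reports the rejection; the limits themselves are enforced by Apache and PHP.

```php
<?php
// Added example. Application limit from the question ("max file size is 2mb").
const APP_MAX_BYTES = 2 * 1024 * 1024;

// Convert php.ini shorthand ("8M", "1G", "512K") to bytes.
function ini_bytes(string $value): int
{
    $value = trim($value);
    $number = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024; // fall through
        case 'M': $number *= 1024; // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

// Returns [HTTP status, message]. Superglobals are passed in so the
// function can be exercised with constructed arrays.
function check_upload(array $server, array $files, string $field = 'userfile'): array
{
    $postMax  = ini_bytes((string) ini_get('post_max_size'));
    $declared = (int) ($server['CONTENT_LENGTH'] ?? 0);

    // Body larger than post_max_size: PHP leaves $_POST and $_FILES empty,
    // so the declared length is the only trace of what happened.
    if ($postMax > 0 && $declared > $postMax) {
        return [413, 'request body exceeds post_max_size'];
    }
    if (!isset($files[$field]) || is_array($files[$field]['error'])) {
        return [400, 'no single file in expected field'];
    }
    switch ($files[$field]['error']) {
        case UPLOAD_ERR_OK:        break;
        case UPLOAD_ERR_INI_SIZE:  return [413, 'file exceeds upload_max_filesize'];
        case UPLOAD_ERR_FORM_SIZE: return [413, 'file exceeds form MAX_FILE_SIZE'];
        case UPLOAD_ERR_PARTIAL:   return [400, 'upload was cut off'];
        default:                   return [400, 'upload failed'];
    }
    // Measure the temporary file on disk against the application limit.
    $tmp = $files[$field]['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > APP_MAX_BYTES) {
        return [413, 'file missing or larger than application limit'];
    }
    return [200, 'ok'];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$status, $message] = check_upload($_SERVER, $_FILES);
    http_response_code($status);
    echo $message;
}
```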